;------------------------------------------------------------------------------ ; ; Disassembly listing generated by PE Explorer version 1.97 ; Heaventools Software (http://www.heaventools.com) ; ;------------------------------------------------------------------------------ ; ; Name: .text (Code Section) ; Virtual Address: 00010380h Virtual Size: 00010DFEh ; Pointer To RawData: 00000380h Size Of RawData: 00010E00h ; SUB_L00010380: mov eax,[esp+04h] and dword ptr [eax+30h],00000000h retn 0004h ;------------------------------------------------------------------------------ Align 4 SUB_L0001038C: mov eax,[esp+04h] mov eax,[eax+30h] retn 0004h ;------------------------------------------------------------------------------ SUB_L00010396: push ebx push esi mov esi,[esp+10h] mov bl,[esi+25h] push edi push 00000002h call [ntoskrnl.exe!IoReleaseCancelSpinLock] mov edi,[esp+10h] add edi,00000008h mov ecx,edi call [ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] mov ecx,[esi+5Ch] mov eax,[esi+58h] mov [ecx],eax mov [eax+04h],ecx mov dl,bl mov ecx,edi call [HAL.dll!KfReleaseSpinLock] xor dl,dl mov ecx,esi mov dword ptr [esi+18h],C0000120h call [ntoskrnl.exe!IofCompleteRequest] pop edi pop esi pop ebx retn 0008h ;------------------------------------------------------------------------------ Align 4 SUB_L000103E4: push ebx push esi mov esi,[esp+0Ch] push edi lea edi,[esi+08h] mov ecx,edi call [HAL.dll!KfAcquireSpinLock] cmp dword ptr [esi+14h],00000000h setnz bl test bl,bl jnz L0001040B xor ecx,ecx add esi,00000010h inc ecx lock xadd [esi],ecx L0001040B: mov dl,al mov ecx,edi call [HAL.dll!KfReleaseSpinLock] pop edi pop esi mov al,bl pop ebx retn 0004h ;------------------------------------------------------------------------------ Align 2 SUB_L0001041E: push ebp mov ebp,esp sub esp,0000000Ch push ebx mov ebx,[ebp+08h] lea eax,[ebp-0Ch] mov [ebp-08h],eax lea eax,[ebp-0Ch] lea ecx,[ebx+08h] push esi mov [ebp-0Ch],eax mov [ebp-04h],ecx call [HAL.dll!KfAcquireSpinLock] mov esi,[ebx] cmp 
esi,ebx mov [ebp+0Bh],al jz L0001048B mov edx,[ebp+0Ch] push edi L0001044E: test edx,edx lea eax,[esi-58h] mov ecx,esi mov esi,[esi] jz L00010461 mov edi,[eax+60h] cmp [edi+18h],edx jnz L00010486 L00010461: xor edi,edi add eax,00000038h xchg edi,[eax] test edi,edi jz L00010486 mov edi,[ecx] mov eax,[ecx+04h] mov [eax],edi mov [edi+04h],eax mov eax,[ebp-08h] lea edi,[ebp-0Ch] mov [ecx],edi mov [ecx+04h],eax mov [eax],ecx mov [ebp-08h],ecx L00010486: cmp esi,ebx jnz L0001044E pop edi L0001048B: mov dl,[ebp+0Bh] mov ecx,[ebp-04h] call [HAL.dll!KfReleaseSpinLock] pop esi pop ebx jmp L000104B7 L0001049B: mov eax,[ecx] mov [ebp-0Ch],eax lea edx,[ebp-0Ch] mov [eax+04h],edx mov eax,[ebp+10h] add ecx,FFFFFFA8h xor dl,dl mov [ecx+18h],eax call [ntoskrnl.exe!IofCompleteRequest] L000104B7: mov ecx,[ebp-0Ch] lea eax,[ebp-0Ch] cmp ecx,eax jnz L0001049B leave retn 000Ch ;------------------------------------------------------------------------------ Align 2 SUB_L000104C6: mov eax,[esp+04h] mov eax,[eax+14h] retn 0004h ;------------------------------------------------------------------------------ SUB_L000104D0: push esi mov esi,[esp+08h] push edi lea eax,[esi+08h] push eax mov [esi+04h],esi mov [esi],esi call [ntoskrnl.exe!KeInitializeSpinLock] mov eax,[esp+10h] xor edi,edi push edi mov [esi+0Ch],eax push edi lea eax,[esi+18h] push eax mov dword ptr [esi+10h],00000001h mov [esi+14h],edi call [ntoskrnl.exe!KeInitializeEvent] mov [esi+30h],edi mov [esi+28h],edi mov [esi+2Ch],edi pop edi pop esi retn 0008h ;------------------------------------------------------------------------------ SUB_L00010512: push ebp mov ebp,esp push ebx push esi mov esi,[ebp+08h] lea ebx,[esi+08h] mov ecx,ebx call [HAL.dll!KfAcquireSpinLock] mov [ebp+0Bh],al lea edx,[esi+10h] or ecx,FFFFFFFFh lock xadd [edx],ecx dec ecx test ecx,ecx jle L00010543 mov dl,al mov ecx,ebx call [HAL.dll!KfReleaseSpinLock] jmp L00010586 L00010543: push edi jmp L00010575 L00010546: cmp dword ptr [esi+14h],00000000h jnz L0001057A 
cmp dword ptr [esi+30h],00000000h jnz L0001057A mov ecx,[esi] cmp ecx,esi jz L0001057A mov eax,[ecx] mov [esi],eax lea edi,[ecx-58h] mov [eax+04h],esi xor eax,eax lea ecx,[edi+38h] xchg eax,[ecx] test eax,eax jnz L0001058C lea eax,[edi+58h] mov [eax+04h],eax mov [eax],eax L00010575: cmp dword ptr [edx],00000000h jz L00010546 L0001057A: mov dl,[ebp+0Bh] mov ecx,ebx call [HAL.dll!KfReleaseSpinLock] L00010585: pop edi L00010586: pop esi pop ebx pop ebp retn 0008h ;------------------------------------------------------------------------------ L0001058C: mov ecx,ebx mov [esi+14h],edi call [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] push edi push [ebp+0Ch] call [esi+0Ch] mov cl,[ebp+0Bh] call [HAL.dll!KfLowerIrql] jmp L00010585 Align 2 SUB_L000105AA: mov eax,[esp+04h] xor ecx,ecx add eax,00000010h inc ecx lock xadd [eax],ecx retn 0004h ;------------------------------------------------------------------------------ Align 4 SUB_L000105BC: push ebp mov ebp,esp sub esp,00000010h push ebx push esi mov esi,[ebp+08h] lea ecx,[esi+08h] push edi mov [ebp-04h],ecx call [HAL.dll!KfAcquireSpinLock] mov [ebp+0Bh],al lea ebx,[esi+14h] xor eax,eax xchg eax,[ebx] xor edi,edi cmp eax,edi mov [ebp-0Ch],eax jz L000105F3 push edi push edi lea eax,[esi+18h] push eax call [ntoskrnl.exe!KeSetEvent] L000105F3: cmp [esi+10h],edi mov eax,[esi+28h] mov [ebp-08h],eax mov eax,[esi+2Ch] mov [ebp-10h],eax mov [esi+28h],edi jnz L00010636 L00010607: cmp dword ptr [esi+30h],00000000h jnz L00010636 mov edi,[esi] cmp edi,esi jz L00010636 mov eax,[edi] mov [esi],eax add edi,FFFFFFA8h mov [eax+04h],esi xor eax,eax lea ecx,[edi+38h] xchg eax,[ecx] test eax,eax jnz L00010658 lea eax,[edi+58h] mov [eax+04h],eax mov [eax],eax cmp dword ptr [esi+10h],00000000h jz L00010607 L00010636: mov dl,[ebp+0Bh] mov ecx,[ebp-04h] call [HAL.dll!KfReleaseSpinLock] cmp dword ptr [ebp-08h],00000000h jz L0001064E push [ebp-10h] call [ebp-08h] L0001064E: mov eax,[ebp-0Ch] pop edi pop esi pop ebx leave retn 0008h 
;------------------------------------------------------------------------------ L00010658: mov ecx,[ebp-04h] mov [ebx],edi call [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] push edi push [ebp+0Ch] call [esi+0Ch] mov cl,[ebp+0Bh] call [HAL.dll!KfLowerIrql] jmp L0001064E Align 2 SUB_L00010676: push ebp mov ebp,esp push ebx push esi mov esi,[ebp+08h] lea ebx,[esi+08h] push edi mov ecx,ebx call [HAL.dll!KfAcquireSpinLock] mov edi,[esi+30h] test edi,edi mov dl,al mov [ebp+0Bh],dl jz L000106AE mov ecx,ebx call [HAL.dll!KfReleaseSpinLock] mov ecx,[ebp+10h] mov [ecx+18h],edi L000106A4: xor dl,dl call [ntoskrnl.exe!IofCompleteRequest] jmp L00010720 L000106AE: cmp dword ptr [esi+14h],00000000h jnz L000106DC cmp dword ptr [esi+10h],00000000h jnz L000106DC mov edi,[ebp+10h] mov dl,02h mov ecx,ebx mov [esi+14h],edi call [HAL.dll!KfReleaseSpinLock] push edi push [ebp+0Ch] call [esi+0Ch] mov cl,[ebp+0Bh] call [HAL.dll!KfLowerIrql] jmp L00010720 L000106DC: mov edi,[ebp+10h] mov ecx,[ebp+14h] lea eax,[edi+38h] xchg ecx,[eax] cmp byte ptr [edi+24h],00h jz L00010708 xor ecx,ecx xchg ecx,[eax] test ecx,ecx jz L00010708 mov ecx,ebx call [HAL.dll!KfReleaseSpinLock] mov dword ptr [edi+18h],C0000120h mov ecx,edi jmp L000106A4 L00010708: mov ecx,[esi+04h] lea eax,[edi+58h] mov [eax+04h],ecx mov [eax],esi mov [ecx],eax mov ecx,ebx mov [esi+04h],eax call [HAL.dll!KfReleaseSpinLock] L00010720: pop edi pop esi pop ebx pop ebp retn 0010h ;------------------------------------------------------------------------------ Align 4 SUB_L00010728: mov eax,[esp+08h] mov ecx,[esp+04h] push eax push 00000000h push ecx mov [ecx+30h],eax call SUB_L0001041E retn 0008h ;------------------------------------------------------------------------------ Align 4 SUB_L00010740: mov eax,[esp+04h] xor ecx,ecx inc ecx lock xadd [eax],ecx xor ecx,ecx cmp [eax+04h],cl jz L0001076E or edx,FFFFFFFFh lock xadd [eax],edx jnz L00010767 push ecx push ecx add eax,00000008h push eax call [ntoskrnl.exe!KeSetEvent] L00010767: mov 
eax,C0000056h jmp L00010770 L0001076E: xor eax,eax L00010770: retn 0008h ;------------------------------------------------------------------------------ Align 4 SUB_L00010774: mov eax,[esp+04h] or ecx,FFFFFFFFh lock xadd [eax],ecx jnz L0001078F push 00000000h push 00000000h add eax,00000008h push eax call [ntoskrnl.exe!KeSetEvent] L0001078F: retn 0008h ;------------------------------------------------------------------------------ SSZ00010792_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001079A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000107A2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000107AA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000107B2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000107BA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000107C2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000107CA_TI_Msg_: db 'TI Msg',0Ah,0 L000107D2: push ebp mov ebp,esp mov eax,[ebp+08h] push ebx push esi mov esi,[ebp+0Ch] mov ebx,[esi+60h] push edi mov edi,[eax+28h] push SSZ00010792_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001079A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ000107A2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [ebx],16h mov eax,[esi+18h] pop ecx mov [ebp+0Ch],eax jnz L0001086C cmp byte ptr [edi+0Ch],00h jz L00010858 push esi lea ebx,[edi+24h] push ebx call SUB_L00010740 test eax,eax mov [ebp+0Ch],eax jl L00010883 push SSZ000107AA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push esi call [ntoskrnl.exe!PoStartNextPowerIrp] inc [esi+23h] add dword ptr [esi+60h],00000024h push esi push [edi+08h] call [ntoskrnl.exe!PoCallDriver] L0001084C: push esi push ebx mov [ebp+0Ch],eax call SUB_L00010774 jmp L000108C2 L00010858: push SSZ000107B2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push esi call [ntoskrnl.exe!PoStartNextPowerIrp] jmp L000108B8 L0001086C: cmp byte ptr [edi+0Ch],00h jz L000108AD push esi lea ebx,[edi+24h] push ebx call SUB_L00010740 test eax,eax mov [ebp+0Ch],eax jge L0001088E L00010883: push 00000000h push eax push esi call SUB_L000171FE jmp L000108CD L0001088E: push SSZ000107BA_TI_Msg_ 
call jmp_ntoskrnl.exe!DbgPrint inc [esi+23h] add dword ptr [esi+60h],00000024h pop ecx mov ecx,[edi+08h] mov edx,esi call [ntoskrnl.exe!IofCallDriver] jmp L0001084C L000108AD: push SSZ000107C2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L000108B8: mov ecx,esi xor dl,dl call [ntoskrnl.exe!IofCompleteRequest] L000108C2: push SSZ000107CA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L000108CD: mov eax,[ebp+0Ch] pop edi pop esi pop ebx pop ebp retn 0008h ;------------------------------------------------------------------------------ Align 4 L000108D8: push esp dec ecx and [ebp+73h],cl or al,[eax] SUB_L000108E0: mov eax,[esp+04h] push esi mov esi,[eax+28h] push L000108D8 call jmp_ntoskrnl.exe!DbgPrint mov edx,[esp+10h] inc [edx+23h] add dword ptr [edx+60h],00000024h pop ecx mov ecx,[esi+08h] call [ntoskrnl.exe!IofCallDriver] pop esi retn 0008h ;------------------------------------------------------------------------------ Align 4 L0001090C: push esi mov esi,[esp+0Ch] mov ecx,[esi+000001B8h] call SUB_L000173B0 test al,al jz L00010931 mov eax,[esi] push esi push 00000000h add eax,00000074h push eax call [ntoskrnl.exe!KeInsertQueueDpc] mov al,01h L00010931: pop esi retn 0008h ;------------------------------------------------------------------------------ Align 2 SSZ00010936_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001093E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010946_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001094E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010956_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001095E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010966_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001096E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010976_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001097E_TI_Msg_: db 'TI Msg',0Ah,0 L00010986: push ecx push ebx push ebp push esi mov esi,[esp+20h] lea ecx,[esi+0000013Ch] push edi mov [esp+10h],ecx call [ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] mov ecx,[esi+000001B8h] call SUB_L00017F18 mov ebp,[ntoskrnl.exe!IoInvalidateDeviceRelations] xor ebx,ebx test al,01h mov [esp+24h],eax jz L00010A16 mov 
ecx,[esi+000001B8h] push ebx call SUB_L00017952 cmp al,A1h jnz L000109EB or dword ptr [esi+00000144h],FFFFFFFFh mov [esi+00000140h],bl mov [esi+00000141h],bl mov byte ptr [esi+0000014Ch],07h push SSZ00010936_TI_Msg_ jmp L00010A03 L000109EB: mov [esi+00000144h],ebx mov byte ptr [esi+00000140h],01h mov [esi+0000014Ch],al push SSZ0001093E_TI_Msg_ L00010A03: call jmp_ntoskrnl.exe!DbgPrint pop ecx push ebx push [esi+3Ch] mov byte ptr [esi+000001B0h],01h call ebp L00010A16: test byte ptr [esp+24h],02h jz L00010A87 mov ecx,[esi+000001B8h] xor edi,edi inc edi push edi call SUB_L00017952 cmp al,A1h jnz L00010A51 or dword ptr [esi+00000158h],FFFFFFFFh mov [esi+00000154h],bl mov [esi+00000155h],bl mov byte ptr [esi+00000160h],07h push SSZ00010946_TI_Msg_ jmp L00010A69 L00010A51: mov [esi+00000158h],edi mov byte ptr [esi+00000154h],01h mov [esi+00000160h],al push SSZ0001094E_TI_Msg_ L00010A69: call jmp_ntoskrnl.exe!DbgPrint pop ecx push SSZ00010956_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push ebx push [esi+3Ch] mov byte ptr [esi+000001B0h],01h call ebp L00010A87: test byte ptr [esp+24h],04h jz L00010AED mov ecx,[esi+000001B8h] push 00000002h pop edi push edi call SUB_L00017952 cmp al,A1h jnz L00010AC2 or dword ptr [esi+0000016Ch],FFFFFFFFh mov [esi+00000168h],bl mov [esi+00000169h],bl mov byte ptr [esi+00000174h],07h push SSZ0001095E_TI_Msg_ jmp L00010ADA L00010AC2: mov [esi+0000016Ch],edi mov byte ptr [esi+00000168h],01h mov [esi+00000174h],al push SSZ00010966_TI_Msg_ L00010ADA: call jmp_ntoskrnl.exe!DbgPrint pop ecx push ebx push [esi+3Ch] mov byte ptr [esi+000001B0h],01h call ebp L00010AED: test byte ptr [esp+24h],08h jz L00010B5E mov ecx,[esi+000001B8h] push 00000003h pop edi push edi call SUB_L00017952 cmp al,A1h jnz L00010B28 or dword ptr [esi+00000180h],FFFFFFFFh mov [esi+0000017Ch],bl mov [esi+0000017Dh],bl mov byte ptr [esi+00000188h],07h push SSZ0001096E_TI_Msg_ jmp L00010B40 L00010B28: mov [esi+00000180h],edi mov byte ptr [esi+0000017Ch],01h mov 
[esi+00000188h],al push SSZ00010976_TI_Msg_ L00010B40: call jmp_ntoskrnl.exe!DbgPrint pop ecx push SSZ0001097E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push ebx push [esi+3Ch] mov byte ptr [esi+000001B0h],01h call ebp L00010B5E: mov ecx,[esp+10h] call [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] pop edi pop esi pop ebp pop ebx pop ecx retn 0010h ;------------------------------------------------------------------------------ SUB_L00010B70: push ebp mov ebp,esp push ebx push esi push 0000004Ch call SUB_L00014304 mov esi,[ebp+08h] xor ebx,ebx cmp eax,ebx pop ecx jz L00010B95 push [esi+0000009Ch] mov ecx,eax call SUB_L000172C4 jmp L00010B97 L00010B95: xor eax,eax L00010B97: cmp eax,ebx mov [esi+000001B8h],eax jz L00010C6A push [esi+58h] mov ecx,eax call SUB_L00017EC2 push [esi+000000F4h] mov ecx,[esi+000001B8h] call SUB_L00017EDE push [esi+000000F8h] mov ecx,[esi+000001B8h] call SUB_L00017EEA push [esi+000001B4h] mov ecx,[esi+000001B8h] call SUB_L0001735C push [esi+000000FCh] mov ecx,[esi+000001B8h] call SUB_L00017EF6 mov ecx,[esi+000001B8h] call SUB_L00017382 lea eax,[esi+000001B1h] cmp [eax],bl jz L00010C6A cmp [esi+000001B4h],ebx mov [eax],bl mov [ebp+08h],bl jbe L00010C6A xor eax,eax push edi L00010C18: lea eax,[eax+eax*4] lea edi,[esi+eax*4] cmp [edi+00000141h],bl jz L00010C5A push [ebp+08h] mov ecx,[esi+000001B8h] call SUB_L00017550 push [ebp+08h] mov ecx,[esi+000001B8h] call SUB_L000177C2 test al,al jnz L00010C5A push [ebp+08h] mov ecx,[esi+000001B8h] call SUB_L00017952 mov [edi+0000014Ch],al L00010C5A: inc [ebp+08h] movzx eax,[ebp+08h] cmp eax,[esi+000001B4h] jc L00010C18 pop edi L00010C6A: pop esi pop ebx pop ebp retn 0004h ;------------------------------------------------------------------------------ SUB_L00010C70: push ebx push esi mov esi,[esp+0Ch] xor ebx,ebx cmp byte ptr [esi+48h],12h push edi mov edi,[ntoskrnl.exe!KeWaitForSingleObject] jnz L00010C92 push ebx push ebx push ebx push ebx lea eax,[esi+00000164h] push eax call edi L00010C92: cmp byte 
ptr [esi+48h],22h jnz L00010CA5 push ebx push ebx push ebx push ebx lea eax,[esi+00000184h] push eax call edi L00010CA5: cmp byte ptr [esi+48h],23h jnz L00010CB8 push ebx push ebx push ebx push ebx lea eax,[esi+000001A4h] push eax call edi L00010CB8: cmp byte ptr [esi+48h],13h jnz L00010CCB push ebx push ebx push ebx push ebx lea eax,[esi+000001C4h] push eax call edi L00010CCB: cmp byte ptr [esi+48h],01h jnz L00010CDE push ebx push ebx push ebx push ebx lea eax,[esi+000001E4h] push eax call edi L00010CDE: cmp byte ptr [esi+48h],04h jnz L00010CF1 push ebx push ebx push ebx push ebx add esi,00000204h push esi call edi L00010CF1: pop edi pop esi pop ebx retn 0004h ;------------------------------------------------------------------------------ Align 4 SUB_L00010CF8: push ebx push esi mov esi,[esp+0Ch] xor ebx,ebx cmp byte ptr [esi+48h],12h push edi mov edi,[ntoskrnl.exe!KeReleaseMutex] jnz L00010D17 push ebx lea eax,[esi+00000164h] push eax call edi L00010D17: cmp byte ptr [esi+48h],22h jnz L00010D27 push ebx lea eax,[esi+00000184h] push eax call edi L00010D27: cmp byte ptr [esi+48h],23h jnz L00010D37 push ebx lea eax,[esi+000001A4h] push eax call edi L00010D37: cmp byte ptr [esi+48h],13h jnz L00010D47 push ebx lea eax,[esi+000001C4h] push eax call edi L00010D47: cmp byte ptr [esi+48h],01h jnz L00010D57 push ebx lea eax,[esi+000001E4h] push eax call edi L00010D57: cmp byte ptr [esi+48h],04h jnz L00010D67 push ebx add esi,00000204h push esi call edi L00010D67: pop edi pop esi pop ebx retn 0004h ;------------------------------------------------------------------------------ Align 2 SSZ00010D6E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010D76_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010D7E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010D86_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010D8E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010D96_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010D9E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010DA6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010DAE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010DB6_TI_Msg_: db 'TI Msg',0Ah,0 
SSZ00010DBE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010DC6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010DCE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010DD6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010DDE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010DE6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010DEE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00010DF6_TI_Msg_: db 'TI Msg',0Ah,0 L00010DFE: push ebp mov ebp,esp sub esp,00000028h push ebx push esi push edi mov edi,[ebp+0Ch] mov esi,[edi+14h] mov eax,[esi+40h] push esi mov [ebp-08h],eax call SUB_L00010C70 mov al,[edi+18h] mov ebx,[edi+10h] mov [ebp-02h],al mov eax,[edi+08h] mov [ebp-20h],eax mov eax,[edi+0Ch] mov [ebp-1Ch],eax mov eax,[edi+1Ch] mov [ebp-10h],eax mov eax,[esi+000000A0h] shr eax,09h mov [ebp-14h],eax mov [ebp-24h],eax mov dword ptr [ebp-18h],00000001h L00010E4A: cmp byte ptr [ebp-02h],00h jz L00010EE3 push SSZ00010D6E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp dword ptr [esi+00000240h],00000000h pop ecx jnz L00010E78 mov ecx,[ebx+000001B8h] push 00000001h push [ebp-08h] call SUB_L00017E1E L00010E78: cmp byte ptr [esi+000000B8h],00h mov ecx,[ebx+000001B8h] lea eax,[ebp-14h] push eax push [ebp-20h] jnz L00010EA8 xor eax,eax mov ax,[esi+000000C0h] push eax push [esi+000000BCh] push [ebp-08h] call SUB_L000179FA jmp L00010EB0 L00010EA8: push [ebp-08h] call SUB_L00017A88 L00010EB0: mov ecx,[ebx+000001B8h] push 00000000h push [ebp-08h] mov [ebp-01h],al call SUB_L00017E1E inc [esi+00000240h] cmp dword ptr [esi+00000240h],00000010h jc L00010ED9 and dword ptr [esi+00000240h],00000000h L00010ED9: push SSZ00010D76_TI_Msg_ jmp L00010F6D L00010EE3: push SSZ00010D7E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp dword ptr [esi+00000244h],00000000h pop ecx jnz L00010F07 mov ecx,[ebx+000001B8h] push 00000001h push [ebp-08h] call SUB_L00017E1E L00010F07: cmp byte ptr [esi+000000B8h],00h mov ecx,[ebx+000001B8h] lea eax,[ebp-14h] push eax push [ebp-20h] jnz L00010F37 xor eax,eax mov ax,[esi+000000C0h] push eax push [esi+000000BCh] push [ebp-08h] call SUB_L00017B10 jmp L00010F3F L00010F37: push 
[ebp-08h] call SUB_L00017B9E L00010F3F: mov ecx,[ebx+000001B8h] push 00000000h push [ebp-08h] mov [ebp-01h],al call SUB_L00017E1E inc [esi+00000244h] cmp dword ptr [esi+00000244h],00000010h jc L00010F68 and dword ptr [esi+00000244h],00000000h L00010F68: push SSZ00010D86_TI_Msg_ L00010F6D: call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [ebp-01h],00h pop ecx jz L00010FE8 cmp byte ptr [ebp-01h],C3h jnz L00010F8F push SSZ00010D8E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L00010E4A L00010F8F: cmp byte ptr [ebp-01h],84h jnz L00010FA4 push SSZ00010D96_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov byte ptr [ebp-01h],C1h L00010FA4: cmp dword ptr [ebp-18h],00000000h jle L00010FE8 cmp byte ptr [ebp-01h],87h jz L00010FBC cmp byte ptr [ebp-01h],68h jz L00010FBC cmp byte ptr [ebp-01h],6Dh jnz L00010FE8 L00010FBC: mov eax,[ebp-24h] push [ebp-08h] dec [ebp-18h] mov [ebp-14h],eax mov ecx,[ebx+000001B8h] call SUB_L00017E86 push SSZ00010D9E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [ebp-01h],6Dh pop ecx jnz L00010E4A L00010FE8: cmp byte ptr [ebp-02h],00h mov eax,[ebp-10h] mov ecx,[eax+04h] mov eax,[eax+60h] mov eax,[eax+04h] setz [ebp-1Ch] push [ebp-1Ch] mov [ebp-0Ch],eax push [esi+000000A0h] mov eax,[ebp-08h] push [esi+000000B0h] lea eax,[ebx+eax*4+00000190h] push [esi+000000B4h] mov [ebp-24h],ecx push [ebp-24h] mov [ebp-18h],eax mov eax,[eax] mov ecx,[eax+04h] push eax call [ecx+14h] cmp byte ptr [ebp-01h],00h jz L0001116B push esi call SUB_L00010CF8 mov ebx,[ebp-0Ch] push SSZ00010DA6_TI_Msg_ mov byte ptr [ebx+03h],80h call jmp_ntoskrnl.exe!DbgPrint mov ebx,[ebx+1Ch] test ebx,ebx pop ecx jz L000110C9 mov eax,[ebp-0Ch] cmp byte ptr [eax+0Bh],00h jz L000110C9 xor ecx,ecx cmp [ebp-08h],ecx jz L00011075 cmp dword ptr [ebp-08h],00000001h jz L00011075 cmp dword ptr [ebp-08h],00000002h jnz L000110A7 L00011075: cmp byte ptr [ebp-02h],00h jnz L000110A7 mov al,[esi+48h] cmp al,12h jz L00011096 cmp al,22h jz L00011096 cmp al,01h jz L0001108E cmp al,04h jnz L000110A7 
L0001108E: lea eax,[esi+00000114h] jmp L0001109C L00011096: lea eax,[esi+000000C4h] L0001109C: cmp [eax],ecx jle L000110A7 or ecx,FFFFFFFFh lock xadd [eax],ecx L000110A7: cmp byte ptr [ebp-01h],C1h mov al,[ebx+02h] jnz L000110B6 and al,F7h or al,07h jmp L000110C6 L000110B6: cmp byte ptr [ebp-01h],82h jnz L000110C2 and al,F5h or al,05h jmp L000110C6 L000110C2: and al,F4h or al,04h L000110C6: mov [ebx+02h],al L000110C9: mov eax,[ebp-0Ch] and dword ptr [eax+10h],00000000h and byte ptr [esi+000000B8h],00h push SSZ00010DAE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000000h push C0000001h push [ebp-10h] call SUB_L000171FE mov al,[ebx+02h] and al,0Fh cmp al,07h jz L0001111B cmp byte ptr [ebp-01h],82h jz L0001111B push SSZ00010DB6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push C0000056h lea eax,[esi+6Ch] push eax call SUB_L00010728 jmp L00011127 L0001111B: push [esi+04h] lea eax,[esi+6Ch] push eax call SUB_L000105BC L00011127: mov cl,02h call [HAL.dll!KfRaiseIrql] push [esi+000000ACh] mov bl,al mov eax,[ebp-18h] mov eax,[eax] push [esi+000000B4h] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,bl call [HAL.dll!KfLowerIrql] push [edi] call jmp_ntoskrnl.exe!IoFreeWorkItem push 00000000h push edi call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ00010DBE_TI_Msg_ jmp L000113D4 L0001116B: mov eax,[esi+000000A0h] sub [esi+000000A8h],eax add [esi+000000A4h],eax push SSZ00010DC6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx lea eax,[esi+6Ch] push eax call SUB_L0001038C mov ecx,[esi+000000A8h] test ecx,ecx jz L000113DF test eax,eax jl L000113DF mov eax,[esi+000000A0h] add [esi+000000B0h],eax mov eax,00006000h cmp ecx,eax jbe L000111C9 mov [esi+000000A0h],eax push SSZ00010DCE_TI_Msg_ jmp L000111D4 L000111C9: mov [esi+000000A0h],ecx push SSZ00010DD6_TI_Msg_ L000111D4: call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp-18h] pop ecx push [ebp-1Ch] lea ecx,[esi+000000A0h] push ecx push [esi+000000B0h] mov byte ptr [esi+000000B8h],01h push [esi+000000B4h] mov eax,[eax] push 
[ebp-24h] mov edx,[eax+04h] push eax call [edx+20h] push 00000020h mov [ebp-28h],eax mov [ebp-24h],edx call SUB_L000142D0 mov edi,eax test edi,edi jz L00011330 push [ebx] call jmp_ntoskrnl.exe!IoAllocateWorkItem test eax,eax mov [edi],eax jz L0001127F mov ecx,[ebp-28h] mov [edi+08h],ecx mov ecx,[ebp-24h] push edi mov [edi+0Ch],ecx mov cl,[ebp-02h] push 00000000h mov [edi+18h],cl mov ecx,[ebp-10h] push L00010DFE push eax mov [edi+10h],ebx mov [edi+14h],esi mov [edi+1Ch],ecx call jmp_ntoskrnl.exe!IoQueueWorkItem mov edi,[ebp+0Ch] push [edi] call jmp_ntoskrnl.exe!IoFreeWorkItem push 00000000h push edi call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ00010DDE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push esi call SUB_L00010CF8 jmp L000114F4 L0001127F: xor ebx,ebx cmp [ebp-08h],ebx jz L00011292 cmp dword ptr [ebp-08h],00000001h jz L00011292 cmp dword ptr [ebp-08h],00000002h jnz L000112C4 L00011292: cmp byte ptr [ebp-02h],00h jnz L000112C4 mov al,[esi+48h] cmp al,12h jz L000112B3 cmp al,22h jz L000112B3 cmp al,01h jz L000112AB cmp al,04h jnz L000112C4 L000112AB: lea eax,[esi+00000114h] jmp L000112B9 L000112B3: lea eax,[esi+000000C4h] L000112B9: cmp [eax],ebx jle L000112C4 or ecx,FFFFFFFFh lock xadd [eax],ecx L000112C4: push esi call SUB_L00010CF8 mov cl,02h call [HAL.dll!KfRaiseIrql] push [esi+000000ACh] mov [ebp-02h],al mov eax,[ebp-18h] mov eax,[eax] push [esi+000000B4h] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,[ebp-02h] call [HAL.dll!KfLowerIrql] mov eax,[ebp-0Ch] mov esi,[ntoskrnl.exe!ExFreePoolWithTag] push ebx push edi mov byte ptr [eax+03h],06h mov [eax+10h],ebx call esi push ebx push C0000001h push [ebp-10h] call SUB_L000171FE mov edi,[ebp+0Ch] push [edi] call jmp_ntoskrnl.exe!IoFreeWorkItem push ebx push edi call esi push SSZ00010DE6_TI_Msg_ jmp L000113D4 L00011330: xor edi,edi cmp [ebp-08h],edi jz L00011343 cmp dword ptr [ebp-08h],00000001h jz L00011343 cmp dword ptr [ebp-08h],00000002h jnz L00011375 L00011343: cmp byte ptr [ebp-02h],00h jnz 
L00011375 mov al,[esi+48h] cmp al,12h jz L00011364 cmp al,22h jz L00011364 cmp al,01h jz L0001135C cmp al,04h jnz L00011375 L0001135C: lea eax,[esi+00000114h] jmp L0001136A L00011364: lea eax,[esi+000000C4h] L0001136A: cmp [eax],edi jle L00011375 or ecx,FFFFFFFFh lock xadd [eax],ecx L00011375: push esi call SUB_L00010CF8 mov eax,[ebp-0Ch] mov cl,02h mov byte ptr [eax+03h],06h mov [eax+10h],edi call [HAL.dll!KfRaiseIrql] push [esi+000000ACh] mov bl,al mov eax,[ebp-18h] mov eax,[eax] push [esi+000000B4h] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,bl call [HAL.dll!KfLowerIrql] push edi push C0000001h push [ebp-10h] call SUB_L000171FE mov esi,[ebp+0Ch] push [esi] call jmp_ntoskrnl.exe!IoFreeWorkItem push edi push esi call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ00010DEE_TI_Msg_ L000113D4: call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L000114F4 L000113DF: cmp dword ptr [ebp-08h],00000000h mov eax,[esi+000000A4h] mov [ebp+0Ch],eax jz L000113FE cmp dword ptr [ebp-08h],00000001h jz L000113FE cmp dword ptr [ebp-08h],00000002h jnz L0001147E L000113FE: cmp byte ptr [ebp-02h],00h jnz L0001147E mov al,[esi+48h] cmp al,12h jz L00011448 cmp al,22h jz L00011448 cmp al,01h jz L00011417 cmp al,04h jnz L0001147E L00011417: lea eax,[esi+00000114h] or ecx,FFFFFFFFh cmp dword ptr [eax],00000000h jle L0001142B mov edx,ecx lock xadd [eax],edx L0001142B: and byte ptr [esi+00000140h],00h lea edx,[esi+00000144h] push edx mov eax,FF676980h push ecx push eax lea eax,[esi+00000118h] jmp L00011477 L00011448: lea eax,[esi+000000C4h] or ecx,FFFFFFFFh cmp dword ptr [eax],00000000h jle L0001145C mov edx,ecx lock xadd [eax],edx L0001145C: and byte ptr [esi+000000F0h],00h lea edx,[esi+000000F4h] push edx mov eax,FF676980h push ecx push eax lea eax,[esi+000000C8h] L00011477: push eax call [ntoskrnl.exe!KeSetTimer] L0001147E: mov cl,02h call [HAL.dll!KfRaiseIrql] push [esi+000000ACh] mov bl,al mov eax,[ebp-18h] mov eax,[eax] push [esi+000000B4h] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,bl 
call [HAL.dll!KfLowerIrql] and byte ptr [esi+000000B8h],00h mov ebx,[ebp-0Ch] mov byte ptr [ebx+03h],01h push [edi] call jmp_ntoskrnl.exe!IoFreeWorkItem push 00000000h push edi call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ00010DF6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push [esi+04h] lea eax,[esi+6Ch] push eax call SUB_L000105BC mov edi,[ebp+0Ch] push esi mov [ebx+10h],edi call SUB_L00010CF8 push edi push 00000000h push [ebp-10h] call SUB_L000171FE L000114F4: pop edi pop esi pop ebx leave retn 0008h ;------------------------------------------------------------------------------ Align 4 SSZ000114FC_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00011504_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001150C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00011514_TI_Msg_: db 'TI Msg',0Ah,0 L0001151C: push ebp mov ebp,esp sub esp,00000010h mov eax,[ebp+08h] push ebx mov ebx,[eax+28h] push esi lea ecx,[ebx+00000138h] push edi mov [ebp-08h],ecx call [ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] mov esi,[ebp+14h] lea eax,[esi+6Ch] push eax call SUB_L000104C6 mov edi,[eax+04h] mov [ebp-04h],eax mov eax,[eax+60h] mov eax,[eax+04h] cmp byte ptr [eax+30h],28h mov ecx,[esi+40h] mov eax,[ebp+10h] setz [ebp+17h] cmp byte ptr [ebp+17h],00h mov [esi+000000B4h],eax mov eax,[ebx+ecx*4+00000190h] mov ecx,[eax+04h] setz dl push edx lea edx,[esi+000000A0h] push edx push [esi+000000B0h] push [ebp+10h] push edi push eax call [ecx+20h] push SSZ000114FC_TI_Msg_ mov [ebp-10h],eax mov [ebp-0Ch],edx call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000020h call SUB_L000142D0 mov edi,eax test edi,edi jz L000115F7 push [ebp+08h] call jmp_ntoskrnl.exe!IoAllocateWorkItem test eax,eax mov [edi],eax jz L000115E7 mov ecx,[ebp-10h] mov [edi+08h],ecx mov ecx,[ebp-0Ch] push edi mov [edi+0Ch],ecx mov cl,[ebp+17h] push 00000000h mov [edi+18h],cl mov ecx,[ebp-04h] push L00010DFE push eax mov [edi+10h],ebx mov [edi+14h],esi mov [edi+1Ch],ecx call jmp_ntoskrnl.exe!IoQueueWorkItem jmp L00011602 L000115E7: push 00000000h push edi call 
[ntoskrnl.exe!ExFreePoolWithTag] push SSZ00011504_TI_Msg_ jmp L000115FC L000115F7: push SSZ0001150C_TI_Msg_ L000115FC: call jmp_ntoskrnl.exe!DbgPrint pop ecx L00011602: push SSZ00011514_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,[ebp-08h] call [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] push 00000003h pop eax pop edi pop esi pop ebx leave retn 0010h ;------------------------------------------------------------------------------ SSZ00011620_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00011628_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00011630_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00011638_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00011640_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00011648_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00011650: push ebp mov ebp,esp mov eax,[ebp+08h] mov eax,[eax+28h] mov [ebp+08h],eax mov eax,[ebp+0Ch] mov eax,[eax+60h] push ebx push edi mov edi,[eax+04h] push SSZ00011620_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00011628_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,[edi+32h] and al,3Fh pop ecx jz L000116F2 cmp al,08h jz L0001169F cmp al,3Fh jz L0001169F push SSZ00011630_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov eax,C0000001h jmp L00011716 L0001169F: mov al,[edi+10h] push esi mov esi,[edi+18h] push SSZ00011638_TI_Msg_ mov [esi],al call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp+08h] xor bl,bl mov [esi+01h],bl cmp [eax+6Ah],bl pop ecx jz L000116D1 push SSZ00011640_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov byte ptr [esi+02h],80h jmp L000116D4 L000116D1: mov [esi+02h],bl L000116D4: mov [esi+03h],bl mov al,[esi+04h] and al,40h or al,08h mov [esi+04h],al mov al,[esi+06h] and al,FCh or al,04h mov byte ptr [esi+05h],0Ah mov [esi+06h],al pop esi jmp L00011714 L000116F2: push SSZ00011648_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[edi+18h] xor bl,bl mov [eax],bl mov [eax+01h],bl mov [eax+02h],bl mov [eax+03h],bl pop ecx mov dword ptr [edi+10h],00000004h L00011714: xor eax,eax L00011716: pop edi pop ebx pop ebp retn 0008h 
;------------------------------------------------------------------------------
; DbgPrint format strings for SUB_L00011844 -- all identical ('TI Msg' + newline).
SSZ0001171C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011724_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001172C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011734_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001173C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011744_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001174C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011754_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001175C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011764_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001176C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011774_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001177C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011784_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001178C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011794_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001179C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117A4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117AC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117B4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117BC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117C4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117CC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117D4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117DC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117E4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117EC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117F4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000117FC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011804_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001180C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011814_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001181C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011824_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001182C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011834_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001183C_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L00011844 -- IRP_MJ_DEVICE_CONTROL dispatcher (stdcall, retn 0008h, x86-32).
; In:    [ebp+08h] = DEVICE_OBJECT, [ebp+0Ch] = IRP.
;        From the current stack location (x86 layout): +04h = Parameters.DeviceIoControl.OutputBufferLength,
;        +0Ch = IoControlCode. IRP +0Ch = AssociatedIrp.SystemBuffer (METHOD_BUFFERED in/out area).
; Locals: [ebp-04h] status, [ebp+08h] reused as the Information value, [ebp-08h] OutputBufferLength
;        (also the memcpy length), [ebp-0Ch] parent device extension, [ebp-10h] out-param of the
;        pass-through helpers, [ebp-48h..-11h] scratch for descriptors built on the stack.
; Regs:  esi = IoControlCode, consumed by a chain of subtractions (each 'sub esi,N' tests the
;        cumulative value; the running totals are in the comments); ebx = SystemBuffer;
;        edi = this device's extension.
; Exit:  every path pushes (information, status, IRP) and calls SUB_L000171FE, which
;        presumably completes the IRP (its body is not visible here).
SUB_L00011844:
        push    ebp
        mov     ebp,esp
        sub     esp,00000048h
        mov     eax,[ebp+08h]                   ; DEVICE_OBJECT
        and     dword ptr [ebp-04h],00000000h   ; status = 0
        and     dword ptr [ebp+08h],00000000h   ; information = 0 (arg slot reused)
        push    ebx
        mov     ebx,[ebp+0Ch]                   ; IRP
        push    esi
        mov     esi,[ebx+60h]                   ; current IO_STACK_LOCATION
        push    edi
        mov     edi,[eax+28h]                   ; this device's extension
        mov     eax,[edi]                       ; extension +0: another DEVICE_OBJECT (parent -- presumably)
        mov     eax,[eax+28h]                   ; its extension
        push    SSZ0001171C_TI_Msg_
        mov     [ebp-0Ch],eax
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        call    [HAL.dll!KeGetCurrentIrql]      ; result discarded
        mov     eax,[esi+04h]                   ; OutputBufferLength
        mov     esi,[esi+0Ch]                   ; IoControlCode
        mov     ebx,[ebx+0Ch]                   ; SystemBuffer
        mov     [ebp-08h],eax
        mov     eax,002D0C10h                   ; IOCTL_STORAGE_GET_MEDIA_SERIAL_NUMBER
        cmp     esi,eax
        ja      L00011A7E                       ; codes above 2D0C10h handled below
        jz      L00011A2B
        sub     esi,0004100Ch                   ; 4100Ch IOCTL_SCSI_GET_INQUIRY_DATA
        jz      L000119F2
        sub     esi,00000004h                   ; 41010h IOCTL_SCSI_GET_CAPABILITIES
        jz      L000119BB
        sub     esi,00000008h                   ; 41018h IOCTL_SCSI_GET_ADDRESS
        jz      L000119A5
        sub     esi,0000BFECh                   ; 4D004h IOCTL_SCSI_PASS_THROUGH
        jz      L0001198A
        sub     esi,00000010h                   ; 4D014h IOCTL_SCSI_PASS_THROUGH_DIRECT
        jz      L00011978
        sub     esi,L00022FEC                   ; 'L00022FEC' is the immediate 22FECh mis-labelled by the disassembler -> 70000h IOCTL_DISK_GET_DRIVE_GEOMETRY
        jz      L000118F6
        sub     esi,00000C00h                   ; 70C00h IOCTL_DISK_GET_MEDIA_TYPES
        jnz     L00011AB0
        push    SSZ00011724_TI_Msg_             ; GET_MEDIA_TYPES: logged twice and rejected
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ0001172C_TI_Msg_
        jmp     L00011AB5
L000118F6:                                      ; IOCTL_DISK_GET_DRIVE_GEOMETRY -> DISK_GEOMETRY (18h bytes) in SystemBuffer
        push    SSZ00011734_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        xor     eax,eax
        mov     al,[edi+40h]                    ; extension +40h: byte slot index (also used as a table index elsewhere in the file)
        pop     ecx
        push    eax
        lea     eax,[ebp-48h]
        push    eax
        mov     eax,[ebp-0Ch]
        mov     ecx,[eax+000001B8h]             ; ecx = parent->+1B8h, passed in a register
        call    SUB_L0001798A                   ; returns a pointer to 16 bytes of geometry (inferred from the copy that follows)
        mov     esi,eax
        lea     edi,[ebp-20h]
        movsd
        movsd
        movsd
        movsd                                   ; copy those 16 bytes to [ebp-20h]
        mov     eax,[ebp-1Ch]
        mov     edi,[ebp-20h]
        mov     esi,[ebp-14h]
        and     dword ptr [ebx+04h],00000000h   ; Cylinders.HighPart = 0
        mov     [ebx+0Ch],eax                   ; TracksPerCylinder
        mov     eax,[ebp-18h]
        push    SSZ0001173C_TI_Msg_
        mov     [ebx],edi                       ; Cylinders.LowPart
        mov     dword ptr [ebx+08h],0000000Bh   ; MediaType = 0Bh (RemovableMedia)
        mov     [ebx+10h],eax                   ; SectorsPerTrack
        mov     [ebx+14h],esi                   ; BytesPerSector
        call    jmp_ntoskrnl.exe!DbgPrint
        ; NOTE(review): 18h bytes are written to SystemBuffer above with no comparison
        ; against OutputBufferLength ([ebp-08h]); the serial-number and QUERY_PROPERTY
        ; paths below do check it. The GET_CAPABILITIES and GET_INQUIRY_DATA paths
        ; have the same gap.
        imul    esi,[ebp-18h]
        imul    esi,[ebp-1Ch]
        imul    esi,edi                         ; product of the four geometry values
        test    esi,esi
        pop     ecx
        jnz     L00011C4F                       ; non-zero: success, information = OutputBufferLength
        push    SSZ00011744_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    esi                             ; information = 0
        push    C0000013h                       ; STATUS_NO_MEDIA_IN_DEVICE
        jmp     L00011C76
L00011978:                                      ; IOCTL_SCSI_PASS_THROUGH_DIRECT
        lea     eax,[ebp-10h]
        push    eax                             ; out: information
        push    [ebp-0Ch]                       ; parent extension
        push    edi                             ; device extension
        push    [ebp+0Ch]                       ; IRP
        call    SUB_L00016D26
        jmp     L0001199A
L0001198A:                                      ; IOCTL_SCSI_PASS_THROUGH
        lea     eax,[ebp-10h]
        push    eax
        push    [ebp-0Ch]
        push    edi
        push    [ebp+0Ch]
        call    SUB_L000164EE
L0001199A:
        mov     [ebp-04h],eax                   ; status from the helper
        mov     eax,[ebp-10h]                   ; information from the helper
        jmp     L00011C56
L000119A5:                                      ; IOCTL_SCSI_GET_ADDRESS: logged twice and rejected
        push    SSZ0001174C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00011754_TI_Msg_
        jmp     L00011AB5
L000119BB:                                      ; IOCTL_SCSI_GET_CAPABILITIES -> IO_SCSI_CAPABILITIES (18h bytes)
        push    SSZ0001175C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        and     dword ptr [ebx+0Ch],00000000h   ; SupportedAsynchronousEvents = 0
        and     byte ptr [ebx+14h],00h          ; TaggedQueuing = FALSE
        and     byte ptr [ebx+16h],00h          ; AdapterUsesPio = FALSE
        pop     ecx
        mov     dword ptr [ebx],00000018h       ; Length = 18h
        mov     dword ptr [ebx+04h],L00020000   ; MaximumTransferLength = 20000h (mis-labelled immediate)
        mov     dword ptr [ebx+08h],00000020h   ; MaximumPhysicalPages = 20h
        mov     dword ptr [ebx+10h],00000003h   ; AlignmentMask = 3
        jmp     L00011C4F                       ; AdapterScansDown (+15h) is left untouched
L000119F2:                                      ; IOCTL_SCSI_GET_INQUIRY_DATA -> SCSI_ADAPTER_BUS_INFO followed by one SCSI_INQUIRY_DATA (layout inferred from the offsets)
        push    SSZ00011764_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        and     byte ptr [ebx+05h],00h          ; BusData[0].InitiatorBusId = 0
        mov     byte ptr [ebx],01h              ; NumberOfBuses = 1
        mov     byte ptr [ebx+04h],01h          ; BusData[0].NumberOfLogicalUnits = 1
        mov     dword ptr [ebx+08h],0000000Ch   ; BusData[0].InquiryDataOffset = 0Ch
        and     byte ptr [ebx+0Dh],00h          ; TargetId = 0 (PathId at +0Ch is not written)
        and     dword ptr [ebx+14h],00000000h   ; NextInquiryDataOffset = 0
        pop     ecx
        mov     byte ptr [ebx+0Eh],01h          ; Lun = 1
        mov     byte ptr [ebx+0Fh],01h          ; DeviceClaimed = TRUE
        mov     dword ptr [ebx+10h],00000008h   ; InquiryDataLength = 8 (the 8 bytes at +18h are not written here)
        jmp     L00011C4F
L00011A2B:                                      ; IOCTL_STORAGE_GET_MEDIA_SERIAL_NUMBER
        push    SSZ0001176C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00011774_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ0001177C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     edx,[ebp-08h]                   ; OutputBufferLength
        cmp     edx,0000001Fh
        pop     ecx
        jnc     L00011A62                       ; unsigned: length >= 1Fh
        push    00000000h
        push    C0000002h                       ; too small: status C0000002h, information 0
        jmp     L00011C76
L00011A62:
        push    00000020h
        xor     ecx,ecx
        pop     eax                             ; eax = 20h
L00011A67:
        mov     [ebx+ecx+10h],cl                ; fill +10h..+2Fh with 00h..1Fh (a placeholder serial)
        inc     ecx
        cmp     ecx,eax
        jc      L00011A67
        ; NOTE(review): the guard accepts OutputBufferLength >= 1Fh but the loop writes
        ; through offset 2Fh (30h bytes); the check and the write extent disagree.
        and     dword ptr [ebp-04h],00000000h   ; status 0
        mov     [ebx],eax                       ; +0 = 20h (length of the serial data)
        mov     [ebp+08h],edx                   ; information = OutputBufferLength
        jmp     L00011C59
L00011A7E:                                      ; codes above 2D0C10h; esi is still the raw code here
        sub     esi,002D1400h                   ; 2D1400h IOCTL_STORAGE_QUERY_PROPERTY
        jz      L00011B2A
        sub     esi,001FEC04h                   ; 4D0004h (not a code I recognise -- presumably private)
        jz      L00011B17
        sub     esi,0000000Ch                   ; 4D0010h
        jz      L00011B04
        sub     esi,00000008h                   ; 4D0018h
        jz      L00011AF1
        sub     esi,0009BFF0h                   ; 56C008h
        jz      L00011ADE
        sub     esi,000F4013h                   ; 66001Bh
        jz      L00011ACB
L00011AB0:                                      ; unknown code
        push    SSZ00011784_TI_Msg_
L00011AB5:                                      ; shared "not supported" exit: status C0000002h, information 0
        call    jmp_ntoskrnl.exe!DbgPrint
        and     dword ptr [ebp+08h],00000000h
        pop     ecx
        mov     dword ptr [ebp-04h],C0000002h
        jmp     L00011C59
L00011ACB:                                      ; the five private codes are each logged twice and rejected
        push    SSZ0001178C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00011794_TI_Msg_
        jmp     L00011AB5
L00011ADE:
        push    SSZ0001179C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ000117A4_TI_Msg_
        jmp     L00011AB5
L00011AF1:
        push    SSZ000117AC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ000117B4_TI_Msg_
        jmp     L00011AB5
L00011B04:
        push    SSZ000117BC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ000117C4_TI_Msg_
        jmp     L00011AB5
L00011B17:
        push    SSZ000117CC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ000117D4_TI_Msg_
        jmp     L00011AB5
L00011B2A:                                      ; IOCTL_STORAGE_QUERY_PROPERTY; SystemBuffer holds a STORAGE_PROPERTY_QUERY
        push    SSZ000117DC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[ebx]                       ; PropertyId
        xor     esi,esi                         ; esi = 0 for the rest of this path
        sub     eax,esi
        pop     ecx
        jz      L00011BC8                       ; 0 StorageDeviceProperty
        dec     eax
        jz      L00011B52                       ; 1 StorageAdapterProperty
        dec     eax
        jnz     L00011C59                       ; anything else: completes with status 0 / information 0
        push    SSZ000117E4_TI_Msg_             ; 2 StorageDeviceIdProperty: logged only
        jmp     L00011B70
L00011B52:                                      ; StorageAdapterProperty
        push    SSZ000117EC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[ebx+04h]                   ; QueryType
        sub     eax,esi
        pop     ecx
        jz      L00011B7B                       ; 0 PropertyStandardQuery
        dec     eax
        jnz     L00011C59
        push    SSZ000117F4_TI_Msg_             ; 1 PropertyExistsQuery: logged only
L00011B70:
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        jmp     L00011C59
L00011B7B:                                      ; build a STORAGE_ADAPTER_DESCRIPTOR (20h bytes) at [ebp-30h]
        push    SSZ000117FC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        and     byte ptr [ebp-1Ch],00h          ; +14h AdapterUsesPio
        and     byte ptr [ebp-1Bh],00h          ; +15h AdapterScansDown
        and     byte ptr [ebp-1Ah],00h          ; +16h CommandQueueing
        and     byte ptr [ebp-19h],00h          ; +17h AcceleratedTransfer
        push    00000020h
        pop     eax                             ; eax = 20h
        mov     [ebp-30h],eax                   ; Version = 20h
        mov     [ebp-2Ch],eax                   ; Size = 20h
        mov     dword ptr [ebp-28h],L00020000   ; MaximumTransferLength = 20000h (mis-labelled immediate)
        mov     [ebp-24h],eax                   ; MaximumPhysicalPages = 20h
        mov     dword ptr [ebp-20h],00000003h   ; AlignmentMask = 3
        mov     byte ptr [ebp-18h],05h          ; BusType = 5
        mov     [ebp-16h],si                    ; BusMajorVersion = 0 (BusMinorVersion at -14h is not written)
        mov     dword ptr [esp],SSZ00011804_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        lea     esi,[ebp-30h]
        ; NOTE(review): unlike the device-descriptor path (L00011BE4), the copy length
        ; [ebp-08h] is not clamped to the 20h-byte descriptor here, so a larger
        ; OutputBufferLength copies the adjacent stack locals into the caller's buffer.
        jmp     L00011C3B
L00011BC8:                                      ; StorageDeviceProperty
        push    SSZ0001180C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[ebx+04h]                   ; QueryType
        sub     eax,esi
        pop     ecx
        jz      L00011BE4                       ; PropertyStandardQuery
        dec     eax
        jnz     L00011C59
        push    SSZ00011814_TI_Msg_             ; PropertyExistsQuery: logged only
        jmp     L00011B70
L00011BE4:                                      ; build a STORAGE_DEVICE_DESCRIPTOR (28h bytes) at [ebp-38h]
        push    SSZ0001181C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00011824_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        and     byte ptr [ebp-30h],00h          ; +08h DeviceType
        and     byte ptr [ebp-2Fh],00h          ; +09h DeviceTypeModifier
        and     byte ptr [ebp-2Dh],00h          ; +0Bh CommandQueueing
        pop     ecx
        push    00000028h
        pop     eax                             ; eax = 28h
        cmp     [ebp-08h],eax
        mov     [ebp-38h],eax                   ; Version = 28h
        mov     [ebp-34h],eax                   ; Size = 28h
        mov     byte ptr [ebp-2Eh],01h          ; +0Ah RemovableMedia = TRUE
        mov     [ebp-2Ch],esi                   ; +0Ch..+20h: string offsets, BusType, RawPropertiesLength = 0
        mov     [ebp-28h],esi
        mov     [ebp-24h],esi
        mov     [ebp-20h],esi
        mov     [ebp-1Ch],esi
        mov     [ebp-18h],esi
        jbe     L00011C2E                       ; OutputBufferLength <= 28h: copy that many bytes
        mov     [ebp-08h],eax                   ; otherwise clamp the copy to 28h
L00011C2E:
        push    SSZ0001182C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        lea     esi,[ebp-38h]
L00011C3B:                                      ; memcpy(SystemBuffer, esi, [ebp-08h])
        pop     ecx
        mov     ecx,[ebp-08h]
        mov     eax,ecx
        shr     ecx,02h
        mov     edi,ebx
        rep     movsd
        mov     ecx,eax
        and     ecx,00000003h
        rep     movsb
L00011C4F:                                      ; success: information = OutputBufferLength
        mov     eax,[ebp-08h]
        and     dword ptr [ebp-04h],00000000h
L00011C56:
        mov     [ebp+08h],eax
L00011C59:
        push    SSZ00011834_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ0001183C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    [ebp+08h]                       ; information
        push    [ebp-04h]                       ; status
L00011C76:
        push    [ebp+0Ch]                       ; IRP
        call    SUB_L000171FE                   ; (IRP, status, information) -- presumably completes the request
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn    0008h
;------------------------------------------------------------------------------
        Align   2
; L00011C86 -- two-argument stdcall thunk (retn 0008h) used as a callback:
; SUB_L00011D3E pushes its address for SUB_L00010676 at L00011FA3.
; In:  [esp+04h] = DEVICE_OBJECT, [esp+08h] = IRP.
; Forwards (&extension->+6Ch, IRP) to SUB_L00010396, which is defined earlier in the file.
L00011C86:
        mov     eax,[esp+04h]
        mov     eax,[eax+28h]                   ; device extension
        push    [esp+08h]                       ; IRP (the operand is read before esp moves, so +08h is still arg1)
        add     eax,0000006Ch
        push    eax                             ; &extension->+6Ch
        call    SUB_L00010396
        retn    0008h
;------------------------------------------------------------------------------
        Align   2
; DbgPrint format strings for SUB_L00011D3E -- all identical ('TI Msg' + newline).
SSZ00011C9E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CA6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CAE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CB6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CBE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CC6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CCE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CD6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CDE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CE6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CEE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CF6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011CFE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011D06_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011D0E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011D16_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011D1E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011D26_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011D2E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011D36_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L00011D3E -- IRP_MJ_SCSI dispatcher: acts on the SRB carried by the IRP (stdcall, retn 0008h).
; In:    [ebp+08h] = DEVICE_OBJECT, [ebp+0Ch] = IRP (SRB at stack location +04h).
; Regs:  edi = DEVICE_OBJECT, ebx = its extension, edx = parent extension ([ebx]->+28h),
;        esi = SRB (x86 SCSI_REQUEST_BLOCK: +02h Function, +03h SrbStatus, +0Bh SenseInfoBufferLength,
;        +10h DataTransferLength, +18h DataBuffer, +1Ch SenseInfoBuffer, +30h Cdb).
;        eax keeps the IO_STACK_LOCATION pointer until L00011FA3 uses it.
; Out:   eax = 0 after handing (IRP, status, information) to SUB_L000171FE, or 103h
;        (STATUS_PENDING) when a READ(10)/WRITE(10) is queued through SUB_L00010676.
; Dispatch: first on Srb->Function, then (for EXECUTE_SCSI) on Cdb[0].
SUB_L00011D3E:
        push    ebp
        mov     ebp,esp
        push    ebx
        push    esi
        push    edi
        mov     edi,[ebp+08h]                   ; DEVICE_OBJECT
        mov     ebx,[edi+28h]                   ; device extension
        mov     eax,[ebx]                       ; extension +0: parent DEVICE_OBJECT (presumably)
        mov     edx,[eax+28h]                   ; parent extension
        mov     eax,[ebp+0Ch]                   ; IRP
        mov     eax,[eax+60h]                   ; current IO_STACK_LOCATION
        mov     esi,[eax+04h]                   ; esi = SRB
        movzx   ecx,[esi+02h]                   ; Srb->Function
        sub     ecx,00000000h
        jz      L00011DC5                       ; 00h SRB_FUNCTION_EXECUTE_SCSI
        dec     ecx
        jz      L00011DAF                       ; 01h SRB_FUNCTION_CLAIM_DEVICE
        dec     ecx
        jz      L00011D99                       ; 02h SRB_FUNCTION_IO_CONTROL
        sub     ecx,00000005h
        jz      L00011D8F                       ; 07h SRB_FUNCTION_SHUTDOWN
        dec     ecx
        jz      L00011D85                       ; 08h SRB_FUNCTION_FLUSH
        push    SSZ00011C9E_TI_Msg_             ; any other function: invalid request
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00011CA6_TI_Msg_
        jmp     L00011F3F
L00011D85:                                      ; FLUSH: accepted as a no-op
        push    SSZ00011CAE_TI_Msg_
        jmp     L00011F55
L00011D8F:                                      ; SHUTDOWN: accepted as a no-op
        push    SSZ00011CB6_TI_Msg_
        jmp     L00011F55
L00011D99:                                      ; IO_CONTROL: invalid request
        push    SSZ00011CBE_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00011CC6_TI_Msg_
        jmp     L00011F3F
L00011DAF:                                      ; CLAIM_DEVICE
        push    SSZ00011CCE_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esi+18h],00000001h   ; DataBuffer = 1 (a claim normally returns the claimed device object here -- TODO confirm intent)
        jmp     L00011F5A
L00011DC5:                                      ; EXECUTE_SCSI: dispatch on the CDB opcode
        movzx   ecx,[esi+30h]                   ; Cdb[0]
        cmp     ecx,00000025h
        jg      L00011F08                       ; opcodes above 25h
        jz      L00011EB2                       ; 25h READ CAPACITY(10)
        test    ecx,ecx
        jz      L00011E68                       ; 00h TEST UNIT READY
        cmp     ecx,00000015h
        jz      L00011E4F                       ; 15h MODE SELECT(6)
        cmp     ecx,0000001Ah
        jz      L00011E09                       ; 1Ah MODE SENSE(6)
        cmp     ecx,0000001Eh
        jnz     L00011F1B
        push    SSZ00011CD6_TI_Msg_             ; 1Eh PREVENT/ALLOW MEDIUM REMOVAL: rejected
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00011CDE_TI_Msg_
        jmp     L00011F3F
L00011E09:                                      ; MODE SENSE(6)
        push    SSZ00011CE6_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    [ebp+0Ch]
        push    edi
        call    SUB_L00011650                   ; builds the mode page in Srb->DataBuffer
        test    eax,eax
        jl      L00011E3C
        push    00000004h
        mov     byte ptr [esi+03h],01h          ; SrbStatus = 01h (SRB_STATUS_SUCCESS)
        mov     esi,[esi+10h]                   ; DataTransferLength
        pop     eax                             ; eax = 4
        xor     ecx,ecx                         ; status 0
        cmp     esi,eax
        jz      L00011F63                       ; information = 4 when the length is 4
        mov     eax,esi                         ; otherwise information = DataTransferLength
        jmp     L00011F63
L00011E3C:
        xor     eax,eax
        mov     byte ptr [esi+03h],06h          ; SrbStatus = 06h (SRB_STATUS_INVALID_REQUEST)
        mov     [esi+10h],eax                   ; DataTransferLength = 0
        mov     ecx,C0000002h                   ; status C0000002h, information 0
        jmp     L00011F63
L00011E4F:                                      ; MODE SELECT(6): always fails
        push    SSZ00011CEE_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     byte ptr [esi+03h],04h          ; SrbStatus = 04h (SRB_STATUS_ERROR)
        mov     ecx,C0000185h                   ; STATUS_IO_DEVICE_ERROR
        jmp     L00011F61
L00011E68:                                      ; TEST UNIT READY
        mov     ecx,[edx+000001B8h]             ; parent->+1B8h, passed in ecx
        xor     eax,eax
        mov     al,[ebx+40h]                    ; slot index
        push    eax
        call    SUB_L00017F06                   ; al != 0 when media is present (inferred from the use below)
        test    al,al
        jnz     L00011F5B                       ; present: SUCCESS / status 0
        mov     eax,[esi+1Ch]                   ; SenseInfoBuffer
        test    eax,eax
        mov     byte ptr [esi+03h],80h          ; SrbStatus = 80h (autosense-valid bit with no status code -- TODO confirm intent)
        jz      L00011EA6
        cmp     byte ptr [esi+0Bh],00h          ; SenseInfoBufferLength
        jz      L00011EA6
        mov     cl,[eax+02h]
        and     cl,F2h
        or      cl,02h                          ; sense key = 2 (NOT READY), other bits of byte 2 preserved except bit 2-3
        or      byte ptr [eax+07h],FFh          ; additional sense length = FFh
        mov     [eax+02h],cl
        mov     byte ptr [eax+0Ch],3Ah          ; ASC 3Ah (MEDIUM NOT PRESENT)
L00011EA6:
        push    00000000h                       ; information 0
        push    C0000013h                       ; STATUS_NO_MEDIA_IN_DEVICE
        jmp     L00011F65
L00011EB2:                                      ; READ CAPACITY(10): 8-byte big-endian reply
        push    SSZ00011CF6_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[ebx+5Ch]                   ; extension +5Ch: total block count
        mov     edi,[esi+18h]                   ; DataBuffer
        dec     eax                             ; last LBA = count - 1
        mov     [ebp+08h],eax
        mov     dword ptr [esp],SSZ00011CFE_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[ebp+08h]
        mov     [edi+03h],al
        mov     [edi+02h],ah
        mov     ax,[ebp+0Ah]
        mov     [edi+01h],al
        mov     [edi],ah                        ; bytes 0..3: last LBA, big-endian
        mov     al,[ebx+54h]
        mov     [edi+07h],al
        mov     al,[ebx+55h]
        mov     [edi+06h],al
        mov     al,[ebx+56h]
        pop     ecx
        mov     [edi+05h],al
        mov     al,[ebx+57h]
        mov     [edi+04h],al                    ; bytes 4..7: extension +54h (block size), big-endian
        ; NOTE(review): 8 bytes are written to DataBuffer without checking DataTransferLength (+10h).
        push    00000008h
        mov     byte ptr [esi+03h],01h          ; SRB_STATUS_SUCCESS
        xor     ecx,ecx                         ; status 0
        pop     eax                             ; information = 8
        jmp     L00011F63
L00011F08:                                      ; opcodes above 25h
        sub     ecx,00000028h
        jz      L00011F6F                       ; 28h READ(10)
        dec     ecx
        dec     ecx
        jz      L00011F6F                       ; 2Ah WRITE(10)
        sub     ecx,00000005h
        jz      L00011F50                       ; 2Fh VERIFY(10): accepted as a no-op
        sub     ecx,00000006h
        jz      L00011F2E                       ; 35h SYNCHRONIZE CACHE: rejected
L00011F1B:                                      ; unsupported opcode
        push    SSZ00011D06_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00011D0E_TI_Msg_
        jmp     L00011F3F
L00011F2E:
        push    SSZ00011D16_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00011D1E_TI_Msg_
L00011F3F:                                      ; shared "invalid request" exit
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     byte ptr [esi+03h],06h          ; SRB_STATUS_INVALID_REQUEST
        mov     ecx,C0000002h
        jmp     L00011F61
L00011F50:
        push    SSZ00011D26_TI_Msg_
L00011F55:
        call    jmp_ntoskrnl.exe!DbgPrint
L00011F5A:
        pop     ecx
L00011F5B:                                      ; shared success exit
        mov     byte ptr [esi+03h],01h          ; SRB_STATUS_SUCCESS
        xor     ecx,ecx                         ; status 0
L00011F61:
        xor     eax,eax                         ; information 0
L00011F63:
        push    eax                             ; information
        push    ecx                             ; status
L00011F65:
        push    [ebp+0Ch]                       ; IRP
        call    SUB_L000171FE
        jmp     L00011FBE
L00011F6F:                                      ; READ(10) / WRITE(10)
        mov     ecx,[ebp+0Ch]
        mov     ecx,[ecx+04h]                   ; Irp->MdlAddress
        test    ecx,ecx
        jnz     L00011F91
        push    SSZ00011D2E_TI_Msg_             ; no MDL
L00011F7E:
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    00000000h
        mov     byte ptr [esi+03h],06h          ; SRB_STATUS_INVALID_REQUEST
        push    C000000Dh                       ; STATUS_INVALID_PARAMETER
        jmp     L00011F65
L00011F91:
        mov     edx,[ecx+18h]                   ; Mdl->ByteOffset
        add     edx,[ecx+10h]                   ; + Mdl->StartVa = buffer virtual address
        test    [edi+5Ch],edx                   ; DeviceObject->AlignmentRequirement & address
        jz      L00011FA3
        push    SSZ00011D36_TI_Msg_             ; misaligned buffer: rejected as above
        jmp     L00011F7E
L00011FA3:
        or      byte ptr [eax+03h],01h          ; stack->Control |= SL_PENDING_RETURNED (inline IoMarkIrpPending)
        push    L00011C86                       ; callback (see L00011C86)
        push    [ebp+0Ch]                       ; IRP
        add     ebx,0000006Ch
        push    edi                             ; DEVICE_OBJECT
        push    ebx                             ; &extension->+6Ch
        call    SUB_L00010676                   ; queues the request -- presumably
        mov     eax,00000103h                   ; STATUS_PENDING
L00011FBE:
        pop     edi
        pop     esi
        pop     ebx
        pop     ebp
        retn    0008h
;------------------------------------------------------------------------------
        Align   2
; DbgPrint format strings for L0001206E -- all identical ('TI Msg' + newline).
SSZ00011FC6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011FCE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011FD6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011FDE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011FE6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011FEE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011FF6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00011FFE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012006_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001200E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012016_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001201E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012026_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001202E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012036_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001203E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012046_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001204E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012056_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001205E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012066_TI_Msg_: db 'TI Msg',0Ah,0
; L0001206E -- start routine for a queued READ(10)/WRITE(10) SRB (stdcall, retn 0008h).
; In:    [ebp+08h] = DEVICE_OBJECT, [ebp+0Ch] = IRP (SRB at stack location +04h).
; Locals: [ebp-04h] LBA (Cdb[2..5] byte-swapped), [ebp-08h] block count (Cdb[7..8]),
;        [ebp-0Ch] = &parent->+134h (spin lock), [ebp-10h] parent extension, [ebp-14h] = ext->+40h (slot index).
; Regs:  esi = device extension, edi = SRB, ebx = 0 / page count.
; Holds the parent's +134h spin lock from entry (KefAcquireSpinLockAtDpcLevel) to every exit.
; On success the transfer is handed to the per-slot interface at [parent+190h+slot*4]
; (method at vtable +10h, callback L0001151C) and the function returns with the IRP
; still outstanding. On failure SrbStatus/sense are set, SUB_L000105BC is called on
; &ext->+6Ch, and the IRP is handed to SUB_L000171FE with status C0000001h.
L0001206E:
        push    ebp
        mov     ebp,esp
        sub     esp,00000014h
        mov     eax,[ebp+08h]                   ; DEVICE_OBJECT
        push    ebx
        push    esi
        mov     esi,[eax+28h]                   ; device extension
        mov     eax,[esi]
        mov     eax,[eax+28h]                   ; parent extension
        mov     [ebp-10h],eax
        add     eax,00000134h
        push    edi
        mov     ecx,eax
        mov     [ebp-0Ch],eax
        call    [ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel]   ; ecx = &parent->+134h
        mov     eax,[ebp+0Ch]                   ; IRP
        mov     eax,[eax+60h]
        mov     edi,[eax+04h]                   ; edi = SRB
        xor     ebx,ebx
        push    SSZ00011FC6_TI_Msg_
        mov     [ebp-04h],ebx
        mov     [ebp-08h],ebx
        call    jmp_ntoskrnl.exe!DbgPrint
        cmp     [edi+02h],bl                    ; Srb->Function == EXECUTE_SCSI ?
        mov     eax,[esi+40h]
        pop     ecx
        mov     [ebp-14h],eax                   ; slot index
        jnz     L0001244F                       ; not EXECUTE_SCSI: release the lock and return
        movzx   eax,[edi+30h]                   ; Cdb[0]
        sub     eax,00000028h
        jz      L0001229F                       ; READ(10)
        dec     eax
        dec     eax
        jnz     L0001244F                       ; not WRITE(10): release the lock and return
        push    SSZ00011FCE_TI_Msg_             ; ---- WRITE(10) ----
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     al,[edi+32h]
        mov     [ebp-01h],al
        mov     al,[edi+33h]
        mov     [ebp-02h],al
        mov     al,[edi+34h]
        mov     [ebp-03h],al
        mov     al,[edi+35h]
        mov     [ebp-04h],al                    ; [ebp-04h] = LBA from Cdb[2..5] (big-endian -> native)
        mov     al,[edi+37h]
        mov     [ebp-07h],al
        mov     al,[edi+38h]
        mov     [ebp-08h],al                    ; [ebp-08h] = block count from Cdb[7..8]
        mov     dword ptr [esp],SSZ00011FD6_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[ebp-04h]
        cmp     eax,[esi+5Ch]                   ; LBA vs extension +5Ch (total block count)
        pop     ecx
        mov     ecx,[ebp-08h]
        mov     [esi+000000BCh],eax             ; ext +BCh = LBA
        mov     [esi+000000C0h],ecx             ; ext +C0h = block count
        ; NOTE(review): the range check is 'LBA <= count' (jbe) and ignores the
        ; transfer length, so LBA == count and ranges ending past the last block pass.
        jbe     L00012145
        push    SSZ00011FDE_TI_Msg_             ; LBA out of range
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[ebp-0Ch]
        call    [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel]
        push    SSZ00011FE6_TI_Msg_
        jmp     L0001230D
L00012145:
        mov     eax,[esi+54h]                   ; block size
        imul    eax,ecx                         ; bytes = blocks * block size
        push    SSZ00011FEE_TI_Msg_
        mov     [esi+000000A4h],ebx             ; ext +A4h = 0 (bytes done so far -- presumably)
        mov     [esi+000000A8h],eax             ; ext +A8h = total bytes
        mov     [esi+000000A0h],eax             ; ext +A0h = bytes for this chunk
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[edi+18h]                   ; DataBuffer
        and     byte ptr [esi+000000B8h],00h
        mov     [esi+000000B0h],eax             ; ext +B0h = buffer address
        mov     eax,00006000h
        cmp     [esi+000000A8h],eax
        pop     ecx
        jbe     L00012196
        push    SSZ00011FF6_TI_Msg_
        mov     [esi+000000A0h],eax             ; cap the chunk at 6000h bytes
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
L00012196:
        mov     eax,[esi+000000B0h]
        mov     ecx,[esi+000000A0h]
        and     eax,00000FFFh
        lea     ebx,[eax+ecx+00000FFFh]
        push    SSZ00011FFE_TI_Msg_
        shr     ebx,0Ch                         ; ebx = pages spanned = ((va & FFFh) + len + FFFh) >> 12
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     edx,[ebp-14h]                   ; slot index
        test    edx,edx
        pop     ecx
        mov     [esi+000000ACh],ebx             ; ext +ACh = page count
        jz      L000121D3
        cmp     edx,00000001h
        jz      L000121D3
        cmp     edx,00000002h
        jnz     L000121FB                       ; slots other than 0..2 skip the counter
L000121D3:
        mov     al,[esi+48h]                    ; ext +48h: device-type byte
        cmp     al,12h
        jz      L000121EE
        cmp     al,22h
        jz      L000121EE
        cmp     al,01h
        jz      L000121E6
        cmp     al,04h
        jnz     L000121FB
L000121E6:
        lea     eax,[esi+00000114h]             ; types 01h/04h count at +114h
        jmp     L000121F4
L000121EE:
        lea     eax,[esi+000000C4h]             ; types 12h/22h count at +C4h
L000121F4:
        xor     ecx,ecx
        inc     ecx
        lock xadd [eax],ecx                     ; interlocked increment of the in-flight counter
L000121FB:
        mov     ecx,[ebp-10h]
        mov     eax,[ecx+edx*4+00000190h]       ; parent->+190h[slot]: per-slot interface object (slot not bounds-checked here)
        mov     edx,[eax+04h]                   ; its function table
        push    esi                             ; context = device extension
        push    L0001151C                       ; completion callback
        push    ebx                             ; page count
        push    [ecx]                           ; parent->+0
        push    eax                             ; interface object
        call    [edx+10h]                       ; start the write
        test    eax,eax
        jge     L0001244F                       ; accepted: release the lock, IRP stays outstanding
        push    SSZ00012006_TI_Msg_             ; start failed
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[ebp-0Ch]
        call    [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel]
        lea     eax,[esi+000000C4h]
        xor     ebx,ebx
        cmp     [eax],ebx
        jle     L00012244
        or      ecx,FFFFFFFFh
        lock xadd [eax],ecx                     ; undo the +C4h increment if positive
L00012244:
        lea     eax,[esi+00000114h]
        cmp     [eax],ebx
        jle     L00012255
        or      ecx,FFFFFFFFh
        lock xadd [eax],ecx                     ; undo the +114h increment if positive
L00012255:
        push    SSZ0001200E_TI_Msg_
        mov     byte ptr [edi+03h],80h          ; SrbStatus = 80h
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[edi+1Ch]                   ; SenseInfoBuffer
        cmp     eax,ebx
        pop     ecx
        jz      L0001227D
        cmp     byte ptr [edi+0Bh],00h          ; SenseInfoBufferLength
        jz      L0001227D
        mov     cl,[eax+02h]
        and     cl,F4h
        or      cl,04h                          ; sense key = 4 (HARDWARE ERROR)
L0001227A:
        mov     [eax+02h],cl
L0001227D:                                      ; shared failure exit (lock already released)
        push    [ebp+08h]                       ; DEVICE_OBJECT
        add     esi,0000006Ch
        push    esi                             ; &ext->+6Ch
        mov     [edi+10h],ebx                   ; DataTransferLength = 0
        call    SUB_L000105BC
        push    ebx                             ; information 0
L0001228D:
        push    C0000001h                       ; STATUS_UNSUCCESSFUL
        push    [ebp+0Ch]                       ; IRP
        call    SUB_L000171FE
        jmp     L00012458
L0001229F:                                      ; ---- READ(10) ----
        push    SSZ00012016_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     al,[edi+32h]
        mov     [ebp-01h],al
        mov     al,[edi+33h]
        mov     [ebp-02h],al
        mov     al,[edi+34h]
        mov     [ebp-03h],al
        mov     al,[edi+35h]
        mov     [ebp-04h],al                    ; LBA
        mov     al,[edi+37h]
        mov     [ebp-07h],al
        mov     al,[edi+38h]
        mov     [ebp-08h],al                    ; block count
        mov     eax,[ebp-04h]
        mov     [esi+000000BCh],eax
        mov     eax,[ebp-08h]
        mov     [esi+000000C0h],eax
        mov     dword ptr [esp],SSZ0001201E_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[ebp-04h]
        cmp     eax,[esi+5Ch]                   ; same 'LBA <= count' check as the write path
        pop     ecx
        jbe     L0001233A
        push    SSZ00012026_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[ebp-0Ch]
        call    [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel]
        push    SSZ0001202E_TI_Msg_
L0001230D:                                      ; out-of-range exit shared with the write path
        mov     byte ptr [edi+03h],80h          ; SrbStatus = 80h
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[edi+1Ch]
        cmp     eax,ebx
        pop     ecx
        jz      L0001227D
        cmp     byte ptr [edi+0Bh],00h
        jz      L0001227D
        mov     cl,[eax+02h]
        and     cl,F5h
        or      cl,05h                          ; sense key = 5 (ILLEGAL REQUEST)
        jmp     L0001227A
L0001233A:
        mov     eax,[esi+54h]
        imul    eax,[ebp-08h]                   ; bytes requested
        cmp     eax,[edi+10h]                   ; vs DataTransferLength
        jbe     L0001235D
        push    SSZ00012036_TI_Msg_             ; NOTE(review): a request larger than the buffer is only logged; execution continues
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ0001203E_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
L0001235D:
        mov     eax,[esi+54h]
        imul    eax,[ebp-08h]
        push    SSZ00012046_TI_Msg_
        mov     [esi+000000A4h],ebx
        mov     [esi+000000A8h],eax             ; total bytes
        mov     [esi+000000A0h],eax             ; chunk bytes
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[edi+18h]
        and     byte ptr [esi+000000B8h],00h
        mov     [esi+000000B0h],eax             ; buffer address
        mov     eax,00006000h
        cmp     [esi+000000A8h],eax
        pop     ecx
        jbe     L000123AF
        push    SSZ0001204E_TI_Msg_
        mov     [esi+000000A0h],eax             ; cap the chunk at 6000h bytes
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
L000123AF:
        mov     eax,[esi+000000B0h]
        mov     ecx,[esi+000000A0h]
        and     eax,00000FFFh
        lea     ebx,[eax+ecx+00000FFFh]
        push    SSZ00012056_TI_Msg_
        shr     ebx,0Ch                         ; pages spanned
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[ebp-14h]                   ; slot index (no counter increment on the read path)
        pop     ecx
        mov     ecx,[ebp-10h]
        push    esi
        push    L0001151C
        mov     [esi+000000ACh],ebx
        mov     eax,[ecx+eax*4+00000190h]
        mov     edx,[eax+04h]
        push    ebx
        push    [ecx]
        push    eax
        call    [edx+10h]                       ; start the read
        test    eax,eax
        jge     L0001244F
        push    SSZ0001205E_TI_Msg_             ; start failed
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[ebp-0Ch]
        call    [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel]
        push    SSZ00012066_TI_Msg_
        mov     byte ptr [edi+03h],80h
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[edi+1Ch]
        test    eax,eax
        pop     ecx
        jz      L00012438
        cmp     byte ptr [edi+0Bh],00h
        jz      L00012438
        mov     cl,[eax+02h]
        and     cl,F4h
        or      cl,04h                          ; sense key = 4 (HARDWARE ERROR)
        mov     [eax+02h],cl
L00012438:
        push    [ebp+08h]
        and     dword ptr [edi+10h],00000000h   ; DataTransferLength = 0
        add     esi,0000006Ch
        push    esi
        call    SUB_L000105BC
        push    00000000h                       ; information 0
        jmp     L0001228D
L0001244F:                                      ; normal exit: drop the lock, IRP not completed here
        mov     ecx,[ebp-0Ch]
        call    [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel]
L00012458:
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn    0008h
;------------------------------------------------------------------------------
        Align   4
SSZ00012460_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012468_TI_Msg_: db 'TI Msg',0Ah,0
; L00012470 -- work-item routine queued by L000124D6 / L0001257A (stdcall, retn 0008h).
; In:    [esp+04h] = DEVICE_OBJECT (unused), [esp+08h] = context: 12-byte block
;        {+0 PIO_WORKITEM, +4 parent extension, +8 device extension}.
; Calls SUB_L00017DE4 with ecx = parent->+1B8h and the extension's +40h byte, then frees
; the work item and the context block.
L00012470:
        push    esi
        push    SSZ00012460_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     esi,[esp+10h]                   ; context (arg1; two pushes above the return address)
        mov     eax,[esi+08h]                   ; device extension
        movzx   eax,[eax+40h]                   ; slot index
        pop     ecx
        push    eax
        mov     eax,[esi+04h]                   ; parent extension
        mov     ecx,[eax+000001B8h]
        call    SUB_L00017DE4
        push    [esi]                           ; the PIO_WORKITEM
        call    jmp_ntoskrnl.exe!IoFreeWorkItem
        push    00000000h                       ; tag 0
        push    esi
        call    [ntoskrnl.exe!ExFreePoolWithTag]
        push    SSZ00012468_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
        Align   2
SSZ000124B6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000124BE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000124C6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000124CE_TI_Msg_: db 'TI Msg',0Ah,0
; L000124D6 -- four-argument stdcall callback (retn 0010h); only arg1 is read.
; In:    [esp+10h] after the two pushes = arg1 = device extension (+0 is a DEVICE_OBJECT).
; Sets ext+F0h = 1, and when the +C4h in-flight counter (see L0001206E) is zero,
; allocates a 12-byte context through SUB_L0001429A-style helper SUB_L000142D0,
; allocates a work item on the parent's device object and queues L00012470 on it.
; Note: the +C4h read is a plain compare while the writers use lock xadd -- TODO confirm
; the caller serialises this.
L000124D6:
        push    ebx
        push    edi
        mov     edi,[esp+10h]                   ; device extension
        mov     eax,[edi]
        mov     ebx,[eax+28h]                   ; parent extension
        push    SSZ000124B6_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        cmp     dword ptr [edi+000000C4h],00000000h
        pop     ecx
        mov     byte ptr [edi+000000F0h],01h
        jnz     L00012554                       ; still in flight: nothing to do
        push    esi
        push    SSZ000124BE_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    0000000Ch
        call    SUB_L000142D0                   ; allocate the 12-byte context
        mov     esi,eax
        test    esi,esi
        jz      L00012548
        push    [ebx]                           ; parent->+0: DEVICE_OBJECT
        call    jmp_ntoskrnl.exe!IoAllocateWorkItem
        test    eax,eax
        mov     [esi],eax
        jz      L00012538
        push    esi                             ; Context
        push    00000000h                       ; QueueType 0
        push    L00012470                       ; WorkerRoutine
        push    eax                             ; WorkItem
        mov     [esi+04h],ebx
        mov     [esi+08h],edi
        call    jmp_ntoskrnl.exe!IoQueueWorkItem
        jmp     L00012553
L00012538:                                      ; work item allocation failed: free the context
        push    00000000h
        push    esi
        call    [ntoskrnl.exe!ExFreePoolWithTag]
        push    SSZ000124C6_TI_Msg_
        jmp     L0001254D
L00012548:                                      ; context allocation failed
        push    SSZ000124CE_TI_Msg_
L0001254D:
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
L00012553:
        pop     esi
L00012554:
        pop     edi
        pop     ebx
        retn    0010h
;------------------------------------------------------------------------------
        Align   2
SSZ0001255A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012562_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001256A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012572_TI_Msg_: db 'TI Msg',0Ah,0
; L0001257A -- identical to L000124D6 except that it tests the +114h counter and sets
; ext+140h = 1 (the second device family in L0001206E's counter selection).
L0001257A:
        push    ebx
        push    edi
        mov     edi,[esp+10h]                   ; device extension
        mov     eax,[edi]
        mov     ebx,[eax+28h]                   ; parent extension
        push    SSZ0001255A_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        cmp     dword ptr [edi+00000114h],00000000h
        pop     ecx
        mov     byte ptr [edi+00000140h],01h
        jnz     L000125F8
        push    esi
        push    SSZ00012562_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    0000000Ch
        call    SUB_L000142D0
        mov     esi,eax
        test    esi,esi
        jz      L000125EC
        push    [ebx]
        call    jmp_ntoskrnl.exe!IoAllocateWorkItem
        test    eax,eax
        mov     [esi],eax
        jz      L000125DC
        push    esi
        push    00000000h
        push    L00012470
        push    eax
        mov     [esi+04h],ebx
        mov     [esi+08h],edi
        call    jmp_ntoskrnl.exe!IoQueueWorkItem
        jmp     L000125F7
L000125DC:
        push    00000000h
        push    esi
        call    [ntoskrnl.exe!ExFreePoolWithTag]
        push    SSZ0001256A_TI_Msg_
        jmp     L000125F1
L000125EC:
        push    SSZ00012572_TI_Msg_
L000125F1:
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
L000125F7:
        pop     esi
L000125F8:
        pop     edi
        pop     ebx
        retn    0010h
;------------------------------------------------------------------------------
        Align   2
SSZ000125FE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012606_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001260E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012616_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001261E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012626_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001262E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012636_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001263E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012646_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L0001264E -- tears down a child device and completes its IRP (stdcall, retn 0008h).
; In:    [esp+04h] = DEVICE_OBJECT, [esp+08h] = IRP (offsets as seen before the pushes).
; Regs:  esi = device extension, edi = parent extension ([esi]->+28h), ebx = 0.
; When ext+69h is set: releases the interface at ext+228h (device types 01h/04h only),
; unlinks the ext+60h LIST_ENTRY under the parent's fast mutex at +114h, deletes the
; device object, and frees the parent's slot for this child (parent+108h[slot] /
; parent+140h table), then asks PnP to re-enumerate bus relations.
; Always completes the IRP with status 0 and returns 0.
SUB_L0001264E:
        mov     eax,[esp+04h]                   ; DEVICE_OBJECT
        push    ebx
        push    esi
        mov     esi,[eax+28h]                   ; device extension
        mov     eax,[esi]
        push    edi
        mov     edi,[eax+28h]                   ; parent extension
        push    SSZ000125FE_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        xor     ebx,ebx
        cmp     [esi+69h],bl                    ; ext +69h: flag (meaning not visible here)
        pop     ecx
        jz      L00012760
        push    SSZ00012606_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     al,[esi+48h]                    ; device-type byte
        cmp     al,01h
        pop     ecx
        jz      L00012689
        cmp     al,04h
        jnz     L000126CE
L00012689:
        cmp     [esi+00000228h],ebx             ; interface object at +228h present?
        jz      L000126CE
        push    SSZ0001260E_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[esi+00000228h]
        pop     ecx
        mov     ecx,[eax+04h]                   ; its function table
        push    ebx                             ; 0
        push    [esi+0000022Ch]
        push    [esi+00000234h]
        push    [esi+00000230h]
        push    [esi+00000238h]
        push    eax                             ; (object, +238h, +230h, +234h, +22Ch, 0)
        call    [ecx+0Ch]                       ; release method -- presumably
        mov     [esi+00000228h],ebx
        mov     [esi+0000022Ch],ebx
L000126CE:
        cmp     [edi],ebx                       ; parent +0 (DEVICE_OBJECT) present?
        jz      L00012700
        push    SSZ00012616_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        lea     ecx,[edi+00000114h]
        call    [HAL.dll!ExAcquireFastMutex]    ; parent +114h: FAST_MUTEX guarding the child list
        mov     ecx,[esi+64h]                   ; Blink
        mov     eax,[esi+60h]                   ; Flink
        mov     [ecx],eax                       ; Blink->Flink = Flink
        mov     [eax+04h],ecx                   ; Flink->Blink = Blink  (RemoveEntryList)
        lea     ecx,[edi+00000114h]
        call    [HAL.dll!ExReleaseFastMutex]
L00012700:
        push    SSZ0001261E_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    [esp+10h]                       ; DEVICE_OBJECT (arg0; three pushes above the return address)
        call    [ntoskrnl.exe!IoDeleteDevice]
        ; NOTE(review): the extension (esi) is still read below; this relies on the
        ; object not being freed until its references drop.
        mov     eax,[esi+40h]                   ; slot index
        lea     eax,[eax+edi+00000108h]         ; &parent->+108h[slot]
        mov     [esi+04h],ebx                   ; ext +4 = 0
        cmp     [eax],bl
        jz      L00012777                       ; slot not marked: skip the re-enumeration
        mov     [eax],bl                        ; clear the slot byte
        mov     eax,[esi+40h]
        lea     ecx,[eax+eax*4]
        mov     [edi+ecx*4+00000144h],eax       ; parent->+140h table, 20-byte entries: entry[slot].+4 = slot
        mov     esi,[esi+40h]
        add     esi,00000010h
        lea     eax,[esi+esi*4]
        mov     byte ptr [edi+eax*4],01h        ; (slot+16)*20 = 140h + slot*20: entry[slot].+0 = 1
        push    SSZ00012626_TI_Msg_
        mov     byte ptr [edi+000001B0h],01h
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    ebx                             ; Type = 0 (BusRelations)
        push    [edi+3Ch]                       ; parent +3Ch: the device object to re-enumerate
        call    [ntoskrnl.exe!IoInvalidateDeviceRelations]
        jmp     L00012777
L00012760:
        cmp     [esi+68h],bl
        jz      L0001276C
        push    SSZ0001262E_TI_Msg_
        jmp     L00012771
L0001276C:
        push    SSZ00012636_TI_Msg_
L00012771:
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
L00012777:
        push    SSZ0001263E_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[esp+14h]                   ; IRP (arg1)
        xor     dl,dl                           ; PriorityBoost = 0
        mov     [ecx+18h],ebx                   ; Irp->IoStatus.Status = 0
        call    [ntoskrnl.exe!IofCompleteRequest]
        push    SSZ00012646_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        pop     edi
        pop     esi
        xor     eax,eax
        pop     ebx
        retn    0008h
;------------------------------------------------------------------------------
SSZ000127A4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000127AC_TI_Msg_: db 'TI Msg',0Ah,0
SWC000127B4_HackMask: unicode 'HackMask',0000h
        Align   4
SWC000127C8_Classpnp: unicode 'Classpnp',0000h
        Align   4
SSZ000127DC_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L000127E4 -- start-device style handler (stdcall, retn 0008h; arg1 unused).
; In:    [esp+08h] after 'push esi' = DEVICE_OBJECT.
; Reports PowerDeviceD0, calls SUB_L00017118(DeviceObject, L"Classpnp", L"HackMask", 1)
; (the string pair matches the Classpnp\HackMask registry parameter -- presumably a registry
; write), then SUB_L00010380 and SUB_L00010512 (both defined earlier in the file) on &ext->+6Ch.
; Returns 0.
SUB_L000127E4:
        push    esi
        mov     esi,[esp+08h]                   ; DEVICE_OBJECT
        push    edi
        mov     edi,[esi+28h]                   ; device extension
        push    SSZ000127A4_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ000127AC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        xor     eax,eax
        inc     eax
        push    eax                             ; State = 1 (PowerDeviceD0)
        push    eax                             ; Type = 1 (DevicePowerState)
        push    esi                             ; DeviceObject
        call    [ntoskrnl.exe!PoSetPowerState]
        push    00000001h
        push    SWC000127B4_HackMask
        push    SWC000127C8_Classpnp
        push    esi
        call    SUB_L00017118
        add     edi,0000006Ch
        push    edi                             ; &ext->+6Ch
        call    SUB_L00010380
        push    esi
        push    edi
        call    SUB_L00010512                   ; (&ext->+6Ch, DeviceObject)
        push    SSZ000127DC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        pop     edi
        xor     eax,eax
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
SSZ00012844_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001284C_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L00012854 -- (stdcall, retn 0008h; arg1 unused) calls SUB_L00010728(&ext->+6Ch, C0000056h),
; i.e. STATUS_DELETE_PENDING, presumably to fail queued requests. Returns 0.
SUB_L00012854:
        mov     eax,[esp+04h]                   ; DEVICE_OBJECT
        push    esi
        mov     esi,[eax+28h]                   ; device extension
        push    SSZ00012844_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    C0000056h                       ; STATUS_DELETE_PENDING
        add     esi,0000006Ch
        push    esi                             ; &ext->+6Ch
        call    SUB_L00010728
        push    SSZ0001284C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        xor     eax,eax
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
SSZ00012886_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L0001288E -- duplicates a NUL-terminated wide string (stdcall, retn 0004h).
; In:    arg0 = PCWSTR.
; Out:   eax = new zero-filled allocation of 2*len+4 bytes (room for a double NUL)
;        holding the copied characters, or 0 when SUB_L0001429A returns no memory.
; Regs:  esi = length in WCHARs, edi = byte size, edx = allocation; ebx/esi/edi restored.
SUB_L0001288E:
        push    esi
        push    edi
        push    [esp+0Ch]                       ; arg0
        call    [ntoskrnl.exe!wcslen]
        mov     esi,eax                         ; length in WCHARs
        pop     ecx
        lea     edi,[esi+esi+04h]               ; bytes = 2*len + 4
        push    edi
        call    SUB_L0001429A                   ; allocate edi bytes (callee pops its argument)
        mov     edx,eax
        test    edx,edx
        jnz     L000128BC
        push    SSZ00012886_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        xor     eax,eax                         ; allocation failed: return 0
        jmp     L000128DF
L000128BC:
        mov     ecx,edi
        push    ebx
        mov     ebx,ecx
        shr     ecx,02h
        xor     eax,eax
        mov     edi,edx
        rep     stosd
        mov     ecx,ebx
        and     ecx,00000003h
        rep     stosb                           ; zero the whole allocation
        mov     ecx,esi
        mov     esi,[esp+10h]                   ; arg0 (three pushes above the return address)
        mov     edi,edx
        rep     movsw                           ; copy len WCHARs
        mov     eax,edx
        pop     ebx
L000128DF:
        pop     edi
        pop     esi
        retn    0004h
;------------------------------------------------------------------------------
SSZ000128E4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000128EC_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L000128F4 -- (stdcall, retn 0008h) in: arg0 = DEVICE_OBJECT, arg1 = IRP.
; If the stack location's Parameters +04h equals 4, allocates an 8-byte record {1, DeviceObject},
; references the device object and stores the record in Irp->IoStatus.Information (+1Ch),
; returning 0; C000009Ah (STATUS_INSUFFICIENT_RESOURCES) if the allocation fails.
; Otherwise returns the IRP's existing IoStatus.Status (+18h) unchanged.
SUB_L000128F4:
        push    edi
        mov     edi,[esp+0Ch]                   ; IRP (arg1)
        mov     eax,[edi+60h]                   ; current IO_STACK_LOCATION
        cmp     dword ptr [eax+04h],00000004h   ; Parameters +04h (which parameter this is depends on the major function -- not visible here)
        jz      L00012912
        push    SSZ000128E4_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[edi+18h]                   ; return the IRP's current status
        pop     ecx
        jmp     L0001294B
L00012912:
        push    esi
        push    00000008h
        call    SUB_L0001429A                   ; allocate 8 bytes
        mov     esi,eax
        test    esi,esi
        jnz     L00012927
        mov     eax,C000009Ah                   ; STATUS_INSUFFICIENT_RESOURCES
        jmp     L0001294A
L00012927:
        mov     ecx,[esp+0Ch]                   ; DEVICE_OBJECT (arg0; two pushes above the return address)
        mov     dword ptr [esi],00000001h
        mov     [esi+04h],ecx
        call    [ntoskrnl.exe!ObfReferenceObject]   ; ecx = DeviceObject
        push    SSZ000128EC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        xor     eax,eax
        mov     [edi+1Ch],esi                   ; Irp->IoStatus.Information = record
L0001294A:
        pop     esi
L0001294B:
        pop     edi
        retn    0008h
;------------------------------------------------------------------------------
        Align   4
SSZ00012950_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012958_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L00012960 -- fills the DEVICE_CAPABILITIES of an IRP_MN_QUERY_CAPABILITIES request
; (stdcall, retn 0008h). In: arg0 = DEVICE_OBJECT, arg1 = IRP; esi = stack->Parameters +04h,
; the DEVICE_CAPABILITIES pointer (x86 layout: +0 Size, +2 Version, +4 flag bits, +8 Address,
; +0Ch UINumber, +10h DeviceState[7], +2Ch SystemWake, +30h DeviceWake, +34h..+3Ch latencies).
; Out: eax = 0, or C0000001h when Version != 1 or Size < 40h.
SUB_L00012960:
        mov     eax,[esp+04h]
        mov     eax,[eax+28h]
        mov     eax,[eax]
        mov     ecx,[eax+28h]                   ; ecx = parent extension
        mov     eax,[esp+08h]                   ; IRP
        mov     eax,[eax+60h]
        push    esi
        mov     esi,[eax+04h]                   ; esi = DEVICE_CAPABILITIES
        xor     eax,eax
        inc     eax
        cmp     [esi+02h],ax                    ; Version == 1 ?
        jnz     L000129FC
        cmp     word ptr [esi],0040h            ; Size >= 40h ?
        jc      L000129FC
        mov     edx,[esi+04h]                   ; flag bits
        mov     [esi+14h],eax                   ; DeviceState[PowerSystemWorking] = 1 (PowerDeviceD0)
        push    00000004h
        pop     eax                             ; eax = 4 (PowerDeviceD3)
        and     edx,FFFC02D0h                   ; keep only Removable, UniqueID, SilentInstall, SurpriseRemovalOK and bits 18+
        mov     [esi+18h],eax
        mov     [esi+1Ch],eax
        mov     [esi+20h],eax
        mov     [esi+24h],eax
        mov     [esi+28h],eax                   ; DeviceState[S1..S5 / shutdown] = D3
        xor     eax,eax
        or      edx,00000010h                   ; Removable = 1
        mov     [esi+2Ch],eax                   ; SystemWake = 0
        mov     [esi+30h],eax                   ; DeviceWake = 0
        mov     [esi+34h],eax
        mov     [esi+38h],eax
        mov     [esi+3Ch],eax                   ; D1/D2/D3 latency = 0
        mov     [esi+04h],edx
        cmp     [ecx+000000F0h],eax             ; parent +F0h (meaning not visible here)
        jz      L000129D3
        push    SSZ00012950_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        and     byte ptr [esi+05h],FDh          ; clear bit 9 (SurpriseRemovalOK)
        jmp     L000129E1
L000129D3:
        push    SSZ00012958_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        or      byte ptr [esi+05h],02h          ; set bit 9 (SurpriseRemovalOK)
L000129E1:
        mov     eax,[esi+04h]
        or      dword ptr [esi+08h],FFFFFFFFh   ; Address = -1
        or      dword ptr [esi+0Ch],FFFFFFFFh   ; UINumber = -1
        and     eax,FFFFFFBFh                   ; UniqueID = 0
        or      eax,00000080h                   ; SilentInstall = 1
        mov     [esi+04h],eax
        pop     ecx
        xor     eax,eax
        jmp     L00012A01
L000129FC:
        mov     eax,C0000001h                   ; STATUS_UNSUCCESSFUL
L00012A01:
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
        Align   2
SSZ00012A06_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012A0E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012A16_TI_Msg_: db 'TI Msg',0Ah,0
; L00012A1E -- I/O completion routine (stdcall, retn 000Ch: DeviceObject, Irp, Context).
; Dereferences arg0, copies the completed IRP's IoStatus into the IRP stored at its
; current stack location's Parameters +04h (the original request -- presumably), except
; that a C00000BBh (STATUS_NOT_SUPPORTED) result with a non-zero Context becomes
; C0000001h. Frees the completed IRP, completes the original one and returns
; C0000016h (STATUS_MORE_PROCESSING_REQUIRED) so the I/O manager stops processing.
L00012A1E:
        mov     ecx,[esp+04h]                   ; DEVICE_OBJECT
        push    esi
        push    edi
        call    [ntoskrnl.exe!ObfDereferenceObject]   ; ecx = DeviceObject
        mov     esi,[esp+10h]                   ; completed IRP (arg1)
        mov     eax,[esi+60h]
        mov     edi,[eax+04h]                   ; edi = original IRP
        push    SSZ00012A06_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00012A0E_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        cmp     dword ptr [esi+18h],C00000BBh   ; IoStatus.Status == STATUS_NOT_SUPPORTED ?
        pop     ecx
        jnz     L00012A6F
        cmp     dword ptr [esp+14h],00000000h   ; Context (arg2)
        jz      L00012A7B                       ; Context 0: leave the original status untouched
        push    SSZ00012A16_TI_Msg_
        mov     dword ptr [edi+18h],C0000001h   ; original status = STATUS_UNSUCCESSFUL
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        jmp     L00012A7B
L00012A6F:
        mov     eax,[esi+18h]
        mov     [edi+18h],eax                   ; propagate Status
        mov     eax,[esi+1Ch]
        mov     [edi+1Ch],eax                   ; and Information
L00012A7B:
        mov     eax,[esi+1Ch]
        push    esi
        mov     [edi+1Ch],eax                   ; Information is copied on every path
        call    [ntoskrnl.exe!IoFreeIrp]
        xor     dl,dl                           ; PriorityBoost = 0
        mov     ecx,edi
        call    [ntoskrnl.exe!IofCompleteRequest]
        pop     edi
        mov     eax,C0000016h                   ; STATUS_MORE_PROCESSING_REQUIRED
        pop     esi
        retn    000Ch
;------------------------------------------------------------------------------
; DbgPrint format strings and a wide printf format for the code that follows.
SSZ00012A9C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012AA4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012AAC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012AB4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012ABC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012AC4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012ACC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012AD4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012ADC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012AE4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012AEC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012AF4_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012AFC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012B04_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012B0C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012B14_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012B1C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012B24_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012B2C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012B34_TI_Msg_: db 'TI Msg',0Ah,0
L00012B3C: unicode '%03X',0000h                 ; wide format string (three-digit hex)
; Padding after the '%03X' format string.
db 00h;
db 00h;
; String tables for the PnP ID / description code that follows.
; Two near-identical sets of hardware IDs ('FlashMedia\...') appear: the first set
; (12B78h-12F90h) and a second set (12FDCh-1342Ch) that also adds 'FlashMedia\MmcSd'.
; Device-description strings ('XD0 Device' ...) follow, then 'FlashMedia %d' for
; formatted names. 'GenDisk' is the compatible ID advertised. Which set is used for
; which query is not visible in this chunk.
SSZ00012B48_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012B50_TI_Msg_: db 'TI Msg',0Ah,0
SWC00012B58_GenDisk: unicode 'GenDisk',0000h
SSZ00012B68_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012B70_TI_Msg_: db 'TI Msg',0Ah,0
SWC00012B78_FlashMedia_UnknownDevice: unicode 'FlashMedia\UnknownDevice',0000h
        Align   4
SWC00012BAC_FlashMedia_SdDevice0: unicode 'FlashMedia\SdDevice0',0000h
        Align   4
SWC00012BD8_FlashMedia_SdDevice1: unicode 'FlashMedia\SdDevice1',0000h
        Align   4
SWC00012C04_FlashMedia_SdDevice2: unicode 'FlashMedia\SdDevice2',0000h
        Align   4
SWC00012C30_FlashMedia_SdDevice3: unicode 'FlashMedia\SdDevice3',0000h
        Align   4
SWC00012C5C_FlashMedia_MemoryStickProDevice0: unicode 'FlashMedia\MemoryStickProDevice0',0000h
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
SWC00012CA4_FlashMedia_MemoryStickProDevice1: unicode 'FlashMedia\MemoryStickProDevice1',0000h
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
SWC00012CEC_FlashMedia_MemoryStickProDevice2: unicode 'FlashMedia\MemoryStickProDevice2',0000h
        Align   4
SWC00012D30_FlashMedia_MmcDevice0: unicode 'FlashMedia\MmcDevice0',0000h
SWC00012D5C_FlashMedia_MmcDevice1: unicode 'FlashMedia\MmcDevice1',0000h
SWC00012D88_FlashMedia_MmcDevice2: unicode 'FlashMedia\MmcDevice2',0000h
SWC00012DB4_FlashMedia_MmcDevice3: unicode 'FlashMedia\MmcDevice3',0000h
SWC00012DE0_FlashMedia_XDDevice0: unicode 'FlashMedia\XDDevice0',0000h
        Align   4
SWC00012E0C_FlashMedia_XDDevice1: unicode 'FlashMedia\XDDevice1',0000h
        Align   4
SWC00012E38_FlashMedia_XDDevice2: unicode 'FlashMedia\XDDevice2',0000h
        Align   4
SWC00012E64_FlashMedia_MemoryStickDevice0: unicode 'FlashMedia\MemoryStickDevice0',0000h
SWC00012EA0_FlashMedia_MemoryStickDevice1: unicode 'FlashMedia\MemoryStickDevice1',0000h
SWC00012EDC_FlashMedia_MemoryStickDevice2: unicode 'FlashMedia\MemoryStickDevice2',0000h
SWC00012F18_FlashMedia_SmartMediaDevice0: unicode 'FlashMedia\SmartMediaDevice0',0000h
        Align   4
SWC00012F54_FlashMedia_SmartMediaDevice1: unicode 'FlashMedia\SmartMediaDevice1',0000h
        Align   4
SWC00012F90_FlashMedia_SmartMediaDevice2: unicode 'FlashMedia\SmartMediaDevice2',0000h
        Align   4
SSZ00012FCC_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00012FD4_TI_Msg_: db 'TI Msg',0Ah,0
; Second hardware-ID set.
SWC00012FDC_FlashMedia_XDDevice0: unicode 'FlashMedia\XDDevice0',0000h
        Align   4
SWC00013008_FlashMedia_XDDevice1: unicode 'FlashMedia\XDDevice1',0000h
        Align   4
SWC00013034_FlashMedia_XDDevice2: unicode 'FlashMedia\XDDevice2',0000h
        Align   4
SWC00013060_FlashMedia_MmcSd: unicode 'FlashMedia\MmcSd',0000h
        Align   4
SWC00013084_FlashMedia_SmartMediaDevice0: unicode 'FlashMedia\SmartMediaDevice0',0000h
        Align   4
SWC000130C0_FlashMedia_SmartMediaDevice1: unicode 'FlashMedia\SmartMediaDevice1',0000h
        Align   4
SWC000130FC_FlashMedia_SmartMediaDevice2: unicode 'FlashMedia\SmartMediaDevice2',0000h
        Align   4
SWC00013138_FlashMedia_MemoryStickDevice0: unicode 'FlashMedia\MemoryStickDevice0',0000h
SWC00013174_FlashMedia_MemoryStickDevice1: unicode 'FlashMedia\MemoryStickDevice1',0000h
SWC000131B0_FlashMedia_MemoryStickDevice2: unicode 'FlashMedia\MemoryStickDevice2',0000h
SWC000131EC_FlashMedia_UnknownDevice: unicode 'FlashMedia\UnknownDevice',0000h
        Align   4
SWC00013220_FlashMedia_SdDevice0: unicode 'FlashMedia\SdDevice0',0000h
        Align   4
SWC0001324C_FlashMedia_SdDevice1: unicode 'FlashMedia\SdDevice1',0000h
        Align   4
SWC00013278_FlashMedia_SdDevice2: unicode 'FlashMedia\SdDevice2',0000h
        Align   4
SWC000132A4_FlashMedia_SdDevice3: unicode 'FlashMedia\SdDevice3',0000h
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
SWC000132D4_FlashMedia_MemoryStickProDevice0: unicode 'FlashMedia\MemoryStickProDevice0',0000h
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
SWC0001331C_FlashMedia_MemoryStickProDevice1: unicode 'FlashMedia\MemoryStickProDevice1',0000h
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
SWC00013364_FlashMedia_MemoryStickProDevice2: unicode 'FlashMedia\MemoryStickProDevice2',0000h
        Align   4
SWC000133A8_FlashMedia_MmcDevice0: unicode 'FlashMedia\MmcDevice0',0000h
SWC000133D4_FlashMedia_MmcDevice1: unicode 'FlashMedia\MmcDevice1',0000h
SWC00013400_FlashMedia_MmcDevice2: unicode 'FlashMedia\MmcDevice2',0000h
SWC0001342C_FlashMedia_MmcDevice3: unicode 'FlashMedia\MmcDevice3',0000h
SSZ00013458_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013460_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013468_TI_Msg_: db 'TI Msg',0Ah,0
; Device description strings.
SWC00013470_XD0_Device: unicode 'XD0 Device',0000h
        Align   4
SWC00013488_XD1_Device: unicode 'XD1 Device',0000h
        Align   4
SWC000134A0_XD2_Device: unicode 'XD2 Device',0000h
        Align   4
SWC000134B8_MmcSd_Device: unicode 'MmcSd Device',0000h
        Align   4
SWC000134D4_SmartMedia0_Device: unicode 'SmartMedia0 Device',0000h
        Align   4
SWC000134FC_SmartMedia1_Device: unicode 'SmartMedia1 Device',0000h
        Align   4
SWC00013524_SmartMedia2_Device: unicode 'SmartMedia2 Device',0000h
        Align   4
SWC0001354C_MemoryStick0_Device: unicode 'MemoryStick0 Device',0000h
SWC00013574_MemoryStick1_Device: unicode 'MemoryStick1 Device',0000h
SWC0001359C_MemoryStick2_Device: unicode 'MemoryStick2 Device',0000h
SWC000135C4_Unknown_Device: unicode 'Unknown Device',0000h
        Align   4
SWC000135E4_SD0_Device: unicode 'SD0 Device',0000h
        Align   4
SWC000135FC_SD1_Device: unicode 'SD1 Device',0000h
        Align   4
SWC00013614_SD2_Device: unicode 'SD2 Device',0000h
        Align   4
SWC0001362C_SD3_Device: unicode 'SD3 Device',0000h
        Align   4
SWC00013644_MemoryStickPro0_Device: unicode 'MemoryStickPro0 Device',0000h
        Align   4
SWC00013674_MemoryStickPro1_Device: unicode 'MemoryStickPro1 Device',0000h
        Align   4
SWC000136A4_MemoryStickPro2_Device: unicode 'MemoryStickPro2 Device',0000h
        Align   4
SWC000136D4_MMC0_Device: unicode 'MMC0 Device',0000h
SWC000136EC_MMC1_Device: unicode 'MMC1 Device',0000h
SWC00013704_MMC2_Device: unicode 'MMC2 Device',0000h
SWC0001371C_MMC3_Device: unicode 'MMC3 Device',0000h
SSZ00013734_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001373C_TI_Msg_: db 'TI Msg',0Ah,0
SWC00013744_FlashMedia__d: unicode 'FlashMedia %d',0000h   ; wide format string with one integer argument
SSZ00013760_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013768_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013770_TI_Msg_: db 'TI Msg',0Ah,0
; ---- Reviewer notes on this listing -----------------------------------------
; 32-bit x86, Intel syntax (PE Explorer output) from a Windows kernel-mode
; PnP/power bus driver. Argument bytes popped by `retn N` identify stdcall
; functions; a bare `retn` is cdecl; functions entered with ecx (and edx) set
; up first are __fastcall. `jmp_ntoskrnl.exe!DbgPrint` is cdecl, so every
; `push msg / call` pair is followed by a `pop ecx` or an `add esp` that
; discards the argument. Every 'TI Msg' string is the same trace text, so the
; DbgPrint calls carry no information beyond the code path they sit on.
; Offsets used below follow the x86 kernel layouts: IRP +18h IoStatus.Status,
; +1Ch IoStatus.Information, +21h PendingReturned, +60h CurrentStackLocation;
; IO_STACK_LOCATION (0x24 bytes) +00h MajorFunction, +01h MinorFunction,
; +03h Control, +04h..+10h Parameters, +1Ch CompletionRoutine, +20h Context;
; DEVICE_OBJECT +28h DeviceExtension, +30h StackSize. Device-extension field
; meanings are driver-private and are inferred from usage -- confirm.
; ---------------------------------------------------------------------------
SSZ00013778_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013780_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013788_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013790_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013798_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137A0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137A8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137B0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137B8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137C0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137C8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137D0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137D8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137E0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137E8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137F0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000137F8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013800_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013808_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00013810_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L00013818 -- IRP_MJ_PNP dispatch for one child device (PDO).
; NTSTATUS SUB_L00013818(PDEVICE_OBJECT DeviceObject, PIRP Irp)   (stdcall, retn 8)
; Switches on IoStack->MinorFunction (IRP_MN_* 0x00..0x18) through
; CASE_PROCTABLE_00014235; any minor above 0x18 shares the 0x0E path.
; Register roles: ebx = current IO_STACK_LOCATION (later reused for the
;   Parameters dword), edi = DeviceObject, esi = DeviceExtension,
;   [ebp-04h] = status the IRP is completed with.
; The slot/socket index byte (ext+40h) is parked at [ebp+0Bh], i.e. in the top
;   byte of the caller's DeviceObject argument slot (edi already holds it).
; Device IDs / texts are built from a media-type byte (ext+48h) and the slot.
; Two points worth confirming against source:
;   1. Every name-selection ladder does `mov esi,[ebp+0Ch]` (esi = Irp) when the
;      slot byte is non-zero and only replaces esi for slots 1..3 (or 1..2). For
;      any other non-zero slot value the Irp pointer itself passes the
;      `test esi,esi` and is stored as IoStatus.Information at L000140FE.
;   2. BusQueryHardwareIDs / BusQueryCompatibleIDs must return a REG_MULTI_SZ
;      (double NUL terminated); whether SUB_L0001288E adds the second
;      terminator is not visible on this page.
;------------------------------------------------------------------------------
SUB_L00013818:
        push    ebp
        mov     ebp,esp
        sub     esp,00000194h                   ; 0x194-byte frame: WCHAR scratch buffer for swprintf
        mov     eax,[ebp+0Ch]                   ; eax = Irp
        push    ebx
        mov     ebx,[eax+60h]                   ; ebx = Irp->Tail.Overlay.CurrentStackLocation
        mov     eax,[eax+18h]                   ; eax = Irp->IoStatus.Status as the IRP arrived
        push    esi
        push    edi
        mov     edi,[ebp+08h]                   ; edi = DeviceObject
        mov     esi,[edi+28h]                   ; esi = DeviceObject->DeviceExtension
        mov     cl,[esi+40h]                    ; slot index byte (inferred from the *Device0..3 names)
        mov     [ebp-04h],eax                   ; default completion status = incoming status
        movzx   eax,[ebx+01h]                   ; eax = IoStack->MinorFunction
        cmp     eax,00000018h                   ; 0x18 = IRP_MN_QUERY_LEGACY_BUS_INFORMATION, last PnP minor
        mov     [ebp+0Bh],cl                    ; slot byte stored over the top byte of the DeviceObject arg slot
        ja      CASE_00014235_PROC000E          ; unsigned compare: out-of-range minors take the 0x0E path
        jmp     [CASE_PROCTABLE_00014235+eax*4]
CASE_00014235_PROC0000:                         ; IRP_MN_START_DEVICE
        push    SSZ00012A9C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        xor     ebx,ebx
        inc     ebx                             ; ebx = 1: "started" state value, also SUB_L00012854's 2nd arg
        cmp     [esi+10h],ebx                   ; ext+10h = PnP state (inferred): already started?
        pop     ecx
        jnz     L0001387D
        push    SSZ00012AA4_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    ebx
        push    edi
        call    SUB_L00012854                   ; SUB_L00012854(DeviceObject, 1): tear down before re-start (inferred)
        test    eax,eax
        jl      L0001387D
        and     dword ptr [esi+10h],00000000h   ; state = 0
L0001387D:
        push    [ebp+0Ch]
        push    edi
        call    SUB_L000127E4                   ; SUB_L000127E4(DeviceObject, Irp) -> NTSTATUS
        test    eax,eax
        mov     [ebp-04h],eax
        jl      L0001410E                       ; failure: complete with that status
        mov     [esi+10h],ebx                   ; state = 1 (started)
        jmp     L0001410E
CASE_00014235_PROC0005:                         ; IRP_MN_QUERY_STOP_DEVICE
        push    SSZ00012AAC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        lea     eax,[esi+6Ch]                   ; ext+6Ch = request queue (inferred)
        push    eax
        call    SUB_L000103E4                   ; al != 0 -> queue busy
        test    al,al
        jz      L000138BB
L000138B1:
        push    C0000001h                       ; STATUS_UNSUCCESSFUL: veto the query
        jmp     L0001411C
L000138BB:
        mov     dword ptr [esi+10h],00000002h   ; state = 2 (stop pending)
        jmp     L0001410A
CASE_00014235_PROC0004:                         ; IRP_MN_STOP_DEVICE
        push    SSZ00012AB4_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    00000001h
        push    edi
        call    SUB_L00012854
        test    eax,eax
        jl      L0001410A                       ; helper failure is ignored: STOP still completes with success
        and     dword ptr [esi+10h],00000000h   ; state = 0 (stopped)
        jmp     L0001410A
CASE_00014235_PROC0006:                         ; IRP_MN_CANCEL_STOP_DEVICE
        push    SSZ00012ABC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        cmp     dword ptr [esi+10h],00000002h   ; only meaningful from "stop pending"
        pop     ecx
        jz      L00013906
        push    SSZ00012AC4_TI_Msg_
        jmp     L000139AE                       ; trace, then still complete with STATUS_SUCCESS
L00013906:
        mov     dword ptr [esi+10h],00000001h   ; back to started
        jmp     L000139C7                       ; and restart the queue
CASE_00014235_PROC0001:                         ; IRP_MN_QUERY_REMOVE_DEVICE
        push    SSZ00012ACC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        cmp     dword ptr [esi+10h],00000001h
        pop     ecx
        jnz     L0001394B
        push    SSZ00012AD4_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        lea     eax,[esi+6Ch]
        push    eax
        call    SUB_L000103E4
        test    al,al
        jz      L0001394B
        push    SSZ00012ADC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        jmp     L000138B1                       ; queue busy -> STATUS_UNSUCCESSFUL
L0001394B:
        mov     eax,[esi+10h]
        mov     [esi+14h],eax                   ; ext+14h = saved state, restored by CANCEL_REMOVE
        mov     dword ptr [esi+10h],00000003h   ; state = 3 (remove pending)
        jmp     L0001410A
CASE_00014235_PROC0002:                         ; IRP_MN_REMOVE_DEVICE
        push    SSZ00012AE4_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        cmp     dword ptr [esi+10h],00000004h   ; 4 = already surprise-removed (set by PROC0017)
        pop     ecx
        jz      L00013976
        push    00000001h
        push    edi
        call    SUB_L00012854
L00013976:
        push    [ebp+0Ch]
        mov     dword ptr [esi+10h],00000005h   ; state = 5 (removed)
        push    edi
        call    SUB_L0001264E                   ; SUB_L0001264E(DeviceObject, Irp): completes and deletes (inferred; ext is not touched afterwards)
        push    SSZ00012AEC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        xor     eax,eax                         ; return STATUS_SUCCESS
        jmp     L0001422E
CASE_00014235_PROC0003:                         ; IRP_MN_CANCEL_REMOVE_DEVICE
        push    SSZ00012AF4_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        cmp     dword ptr [esi+10h],00000003h
        pop     ecx
        jz      L000139B8
        push    SSZ00012AFC_TI_Msg_
L000139AE:
        call    jmp_ntoskrnl.exe!DbgPrint
        jmp     L00014109                       ; pop the trace arg, status = 0, complete
L000139B8:
        mov     eax,[esi+14h]
        cmp     eax,00000001h
        mov     [esi+10h],eax                   ; restore the saved state
        jnz     L0001410A
L000139C7:
        push    edi
        add     esi,0000006Ch
        push    esi
        call    SUB_L00010512                   ; SUB_L00010512(&queue, DeviceObject): restart queued requests (inferred)
        jmp     L0001410A
CASE_00014235_PROC0017:                         ; IRP_MN_SURPRISE_REMOVAL
        push    SSZ00012B04_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    00000000h
        push    edi
        call    SUB_L00012854
        mov     dword ptr [esi+10h],00000004h   ; state = 4 (surprise removed)
        jmp     L0001410A
CASE_00014235_PROC0009:                         ; IRP_MN_QUERY_CAPABILITIES
        push    SSZ00012B0C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    [ebp+0Ch]
        push    edi
        call    SUB_L00012960
        jmp     L00013A1F
CASE_00014235_PROC0007:                         ; IRP_MN_QUERY_DEVICE_RELATIONS
        push    SSZ00012B14_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    [ebp+0Ch]
        push    edi
        call    SUB_L000128F4
L00013A1F:
        mov     [ebp-04h],eax                   ; the helper's NTSTATUS becomes the completion status
        jmp     L0001410E
CASE_00014235_PROC0015:                         ; IRP_MN_QUERY_BUS_INFORMATION
        push    SSZ00012B1C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    00000018h                       ; sizeof(PNP_BUS_INFORMATION): GUID(16) + LegacyBusType(4) + BusNumber(4)
        call    SUB_L0001429A                   ; zeroed PagedPool allocation; the PnP manager frees it
        test    eax,eax
        jnz     L00013A54
        push    SSZ00012B24_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     dword ptr [ebp-04h],C000009Ah   ; STATUS_INSUFFICIENT_RESOURCES
        jmp     L0001410E
L00013A54:
        mov     ecx,[ebp+0Ch]
        and     dword ptr [eax+14h],00000000h   ; BusNumber = 0
        mov     esi,L00022FEC                   ; 16-byte BusTypeGuid constant (not on this page)
        mov     edi,eax
        movsd
        movsd
        movsd
        movsd                                   ; copy the GUID
        mov     dword ptr [eax+10h],0000000Fh   ; LegacyBusType = 0x0F (PNPBus in INTERFACE_TYPE)
        mov     [ecx+1Ch],eax                   ; Irp->IoStatus.Information = buffer
        jmp     L0001410A
CASE_00014235_PROC0013:                         ; IRP_MN_QUERY_ID
        push    SSZ00012B2C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     ebx,[ebx+04h]                   ; Parameters.QueryId.IdType (BUS_QUERY_ID_TYPE)
        sub     ebx,00000000h                   ; compiler's switch ladder over 0..3
        pop     ecx
        jz      L00013CDC                       ; 0 BusQueryDeviceID
        dec     ebx
        jz      L00013B05                       ; 1 BusQueryHardwareIDs
        dec     ebx
        jz      L00013ADB                       ; 2 BusQueryCompatibleIDs
        dec     ebx
        jnz     L0001410E                       ; other types: complete with the incoming status
        push    SSZ00012B34_TI_Msg_             ; 3 BusQueryInstanceID (this arg is cleaned by the add esp,10h below)
        call    jmp_ntoskrnl.exe!DbgPrint
        push    [esi+50h]                       ; instance number (driver-private)
        lea     eax,[ebp-00000194h]
        push    L00012B3C                       ; format string, not on this page; buffer is 0x194 bytes
        push    eax
        call    [ntoskrnl.exe!swprintf]         ; unbounded swprintf -- safe only while the format stays short
        add     esp,00000010h
        lea     eax,[ebp-00000194h]
        push    eax
        call    SUB_L0001288E                   ; SUB_L0001288E(PCWSTR): pool copy of the string, NULL on failure (inferred)
        mov     esi,eax
        test    esi,esi
        jz      L0001410E
        push    SSZ00012B48_TI_Msg_
        jmp     L000140FE
L00013ADB:                                      ; BusQueryCompatibleIDs
        push    SSZ00012B50_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SWC00012B58_GenDisk   ; reuse the arg slot: SUB_L0001288E(L"GenDisk")
        call    SUB_L0001288E
        mov     esi,eax
        test    esi,esi
        jz      L0001410E
        push    SSZ00012B68_TI_Msg_
        jmp     L000140FE
L00013B05:                                      ; BusQueryHardwareIDs: name by media type and slot
        push    SSZ00012B70_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        movzx   eax,[esi+48h]                   ; ext+48h = media type byte (inferred from the names chosen)
        dec     eax
        pop     ecx
        jz      L00013C8F                       ; 1    -> SmartMedia
        dec     eax
        jz      L00013C59                       ; 2    -> MemoryStick
        dec     eax
        dec     eax
        jz      L00013C23                       ; 4    -> XD
        sub     eax,0000000Eh
        jz      L00013C59                       ; 0x12 -> MemoryStick
        dec     eax
        jz      L00013BD6                       ; 0x13 -> Mmc
        sub     eax,0000000Fh
        jz      L00013B99                       ; 0x22 -> MemoryStickPro
        dec     eax
        jz      L00013B4C                       ; 0x23 -> Sd
        push    SWC00012B78_FlashMedia_UnknownDevice
        jmp     L00013CC3
L00013B4C:                                      ; Sd: slots 0..3
        mov     bl,[ebp+0Bh]
        test    bl,bl
        jnz     L00013B61
        push    SWC00012BAC_FlashMedia_SdDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013B64
L00013B61:
        mov     esi,[ebp+0Ch]                   ; esi = Irp; only replaced below for slots 1..3 (see header, point 1)
L00013B64:
        cmp     bl,01h
        jnz     L00013B75
        push    SWC00012BD8_FlashMedia_SdDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013B75:
        cmp     bl,02h
        jnz     L00013B86
        push    SWC00012C04_FlashMedia_SdDevice2
        call    SUB_L0001288E
        mov     esi,eax
L00013B86:
        cmp     bl,03h
        jnz     L00013CCA
        push    SWC00012C30_FlashMedia_SdDevice3
        jmp     L00013CC3
L00013B99:                                      ; MemoryStickPro: slots 0..2
        cmp     byte ptr [ebp+0Bh],00h
        jnz     L00013BAD
        push    SWC00012C5C_FlashMedia_MemoryStickProDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013BB0
L00013BAD:
        mov     esi,[ebp+0Ch]
L00013BB0:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013BC2
        push    SWC00012CA4_FlashMedia_MemoryStickProDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013BC2:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L00013CCA
        push    SWC00012CEC_FlashMedia_MemoryStickProDevice2
        jmp     L00013CC3
L00013BD6:                                      ; Mmc: slots 0..3
        mov     bl,[ebp+0Bh]
        test    bl,bl
        jnz     L00013BEB
        push    SWC00012D30_FlashMedia_MmcDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013BEE
L00013BEB:
        mov     esi,[ebp+0Ch]
L00013BEE:
        cmp     bl,01h
        jnz     L00013BFF
        push    SWC00012D5C_FlashMedia_MmcDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013BFF:
        cmp     bl,02h
        jnz     L00013C10
        push    SWC00012D88_FlashMedia_MmcDevice2
        call    SUB_L0001288E
        mov     esi,eax
L00013C10:
        cmp     bl,03h
        jnz     L00013CCA
        push    SWC00012DB4_FlashMedia_MmcDevice3
        jmp     L00013CC3
L00013C23:                                      ; XD: slots 0..2
        cmp     byte ptr [ebp+0Bh],00h
        jnz     L00013C37
        push    SWC00012DE0_FlashMedia_XDDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013C3A
L00013C37:
        mov     esi,[ebp+0Ch]
L00013C3A:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013C4C
        push    SWC00012E0C_FlashMedia_XDDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013C4C:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L00013CCA
        push    SWC00012E38_FlashMedia_XDDevice2
        jmp     L00013CC3
L00013C59:                                      ; MemoryStick: slots 0..2
        cmp     byte ptr [ebp+0Bh],00h
        jnz     L00013C6D
        push    SWC00012E64_FlashMedia_MemoryStickDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013C70
L00013C6D:
        mov     esi,[ebp+0Ch]
L00013C70:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013C82
        push    SWC00012EA0_FlashMedia_MemoryStickDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013C82:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L00013CCA
        push    SWC00012EDC_FlashMedia_MemoryStickDevice2
        jmp     L00013CC3
L00013C8F:                                      ; SmartMedia: slots 0..2
        cmp     byte ptr [ebp+0Bh],00h
        jnz     L00013CA3
        push    SWC00012F18_FlashMedia_SmartMediaDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013CA6
L00013CA3:
        mov     esi,[ebp+0Ch]
L00013CA6:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013CB8
        push    SWC00012F54_FlashMedia_SmartMediaDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013CB8:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L00013CCA
        push    SWC00012F90_FlashMedia_SmartMediaDevice2
L00013CC3:
        call    SUB_L0001288E
        mov     esi,eax
L00013CCA:
        test    esi,esi                         ; NULL -> complete with the incoming status
        jz      L0001410E
        push    SSZ00012FCC_TI_Msg_
        jmp     L000140FE
L00013CDC:                                      ; BusQueryDeviceID: "FlashMedia\<type><slot>"
        push    SSZ00012FD4_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        movzx   eax,[esi+48h]
        cmp     eax,00000012h
        pop     ecx
        jg      L00013DCF                       ; > 0x12 handled below
        jz      L00013D92                       ; 0x12 -> MemoryStick
        dec     eax
        jz      L00013D55                       ; 1 -> SmartMedia
        dec     eax
        jz      L00013D92                       ; 2 -> MemoryStick
        dec     eax
        jz      L00013D4B                       ; 3 -> MmcSd (no slot suffix)
        dec     eax
        jnz     L00013DE0                       ; 0, 5..0x11 -> UnknownDevice
        cmp     byte ptr [ebp+0Bh],00h         ; 4 -> XD
        jnz     L00013D22
        push    SWC00012FDC_FlashMedia_XDDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013D25
L00013D22:
        mov     esi,[ebp+0Ch]
L00013D25:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013D37
        push    SWC00013008_FlashMedia_XDDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013D37:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L00013EB5
        push    SWC00013034_FlashMedia_XDDevice2
        jmp     L00013EAE
L00013D4B:
        push    SWC00013060_FlashMedia_MmcSd
        jmp     L00013EAE
L00013D55:
        cmp     byte ptr [ebp+0Bh],00h
        jnz     L00013D69
        push    SWC00013084_FlashMedia_SmartMediaDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013D6C
L00013D69:
        mov     esi,[ebp+0Ch]
L00013D6C:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013D7E
        push    SWC000130C0_FlashMedia_SmartMediaDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013D7E:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L00013EB5
        push    SWC000130FC_FlashMedia_SmartMediaDevice2
        jmp     L00013EAE
L00013D92:
        cmp     byte ptr [ebp+0Bh],00h
        jnz     L00013DA6
        push    SWC00013138_FlashMedia_MemoryStickDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013DA9
L00013DA6:
        mov     esi,[ebp+0Ch]
L00013DA9:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013DBB
        push    SWC00013174_FlashMedia_MemoryStickDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013DBB:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L00013EB5
        push    SWC000131B0_FlashMedia_MemoryStickDevice2
        jmp     L00013EAE
L00013DCF:
        sub     eax,00000013h
        jz      L00013E6A                       ; 0x13 -> Mmc
        sub     eax,0000000Fh
        jz      L00013E34                       ; 0x22 -> MemoryStickPro
        dec     eax
        jz      L00013DEA                       ; 0x23 -> Sd
L00013DE0:
        push    SWC000131EC_FlashMedia_UnknownDevice
        jmp     L00013EAE
L00013DEA:
        mov     bl,[ebp+0Bh]
        test    bl,bl
        jnz     L00013DFF
        push    SWC00013220_FlashMedia_SdDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013E02
L00013DFF:
        mov     esi,[ebp+0Ch]
L00013E02:
        cmp     bl,01h
        jnz     L00013E13
        push    SWC0001324C_FlashMedia_SdDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013E13:
        cmp     bl,02h
        jnz     L00013E24
        push    SWC00013278_FlashMedia_SdDevice2
        call    SUB_L0001288E
        mov     esi,eax
L00013E24:
        cmp     bl,03h
        jnz     L00013EB5
        push    SWC000132A4_FlashMedia_SdDevice3
        jmp     L00013EAE
L00013E34:
        cmp     byte ptr [ebp+0Bh],00h
        jnz     L00013E48
        push    SWC000132D4_FlashMedia_MemoryStickProDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013E4B
L00013E48:
        mov     esi,[ebp+0Ch]
L00013E4B:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013E5D
        push    SWC0001331C_FlashMedia_MemoryStickProDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013E5D:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L00013EB5
        push    SWC00013364_FlashMedia_MemoryStickProDevice2
        jmp     L00013EAE
L00013E6A:
        mov     bl,[ebp+0Bh]
        test    bl,bl
        jnz     L00013E7F
        push    SWC000133A8_FlashMedia_MmcDevice0
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013E82
L00013E7F:
        mov     esi,[ebp+0Ch]
L00013E82:
        cmp     bl,01h
        jnz     L00013E93
        push    SWC000133D4_FlashMedia_MmcDevice1
        call    SUB_L0001288E
        mov     esi,eax
L00013E93:
        cmp     bl,02h
        jnz     L00013EA4
        push    SWC00013400_FlashMedia_MmcDevice2
        call    SUB_L0001288E
        mov     esi,eax
L00013EA4:
        cmp     bl,03h
        jnz     L00013EB5
        push    SWC0001342C_FlashMedia_MmcDevice3
L00013EAE:
        call    SUB_L0001288E
        mov     esi,eax
L00013EB5:
        test    esi,esi
        jz      L0001410E
        push    SSZ00013458_TI_Msg_
        jmp     L000140FE
CASE_00014235_PROC000C:                         ; IRP_MN_QUERY_DEVICE_TEXT
        push    SSZ00013460_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     ebx,[ebx+04h]                   ; Parameters.QueryDeviceText.DeviceTextType
        test    ebx,ebx
        pop     ecx
        jnz     L000140C0                       ; 1 = DeviceTextLocationInformation
        push    SSZ00013468_TI_Msg_             ; 0 = DeviceTextDescription: "<type><slot> Device"
        call    jmp_ntoskrnl.exe!DbgPrint
        movzx   eax,[esi+48h]
        cmp     eax,00000012h
        pop     ecx
        jg      L00013FCF
        jz      L00013F92
        dec     eax
        jz      L00013F55
        dec     eax
        jz      L00013F92
        dec     eax
        jz      L00013F4B
        dec     eax
        jnz     L00013FE0
        cmp     [ebp+0Bh],bl                    ; ebx is 0 here, so this is "slot == 0"
        jnz     L00013F22
        push    SWC00013470_XD0_Device
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013F25
L00013F22:
        mov     esi,[ebp+0Ch]
L00013F25:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013F37
        push    SWC00013488_XD1_Device
        call    SUB_L0001288E
        mov     esi,eax
L00013F37:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L000140B5
        push    SWC000134A0_XD2_Device
        jmp     L000140AE
L00013F4B:
        push    SWC000134B8_MmcSd_Device
        jmp     L000140AE
L00013F55:
        cmp     byte ptr [ebp+0Bh],00h
        jnz     L00013F69
        push    SWC000134D4_SmartMedia0_Device
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013F6C
L00013F69:
        mov     esi,[ebp+0Ch]
L00013F6C:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013F7E
        push    SWC000134FC_SmartMedia1_Device
        call    SUB_L0001288E
        mov     esi,eax
L00013F7E:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L000140B5
        push    SWC00013524_SmartMedia2_Device
        jmp     L000140AE
L00013F92:
        cmp     byte ptr [ebp+0Bh],00h
        jnz     L00013FA6
        push    SWC0001354C_MemoryStick0_Device
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00013FA9
L00013FA6:
        mov     esi,[ebp+0Ch]
L00013FA9:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L00013FBB
        push    SWC00013574_MemoryStick1_Device
        call    SUB_L0001288E
        mov     esi,eax
L00013FBB:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L000140B5
        push    SWC0001359C_MemoryStick2_Device
        jmp     L000140AE
L00013FCF:
        sub     eax,00000013h
        jz      L0001406A
        sub     eax,0000000Fh
        jz      L00014034
        dec     eax
        jz      L00013FEA
L00013FE0:
        push    SWC000135C4_Unknown_Device
        jmp     L000140AE
L00013FEA:
        mov     bl,[ebp+0Bh]
        test    bl,bl
        jnz     L00013FFF
        push    SWC000135E4_SD0_Device
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00014002
L00013FFF:
        mov     esi,[ebp+0Ch]
L00014002:
        cmp     bl,01h
        jnz     L00014013
        push    SWC000135FC_SD1_Device
        call    SUB_L0001288E
        mov     esi,eax
L00014013:
        cmp     bl,02h
        jnz     L00014024
        push    SWC00013614_SD2_Device
        call    SUB_L0001288E
        mov     esi,eax
L00014024:
        cmp     bl,03h
        jnz     L000140B5
        push    SWC0001362C_SD3_Device
        jmp     L000140AE
L00014034:
        cmp     byte ptr [ebp+0Bh],00h
        jnz     L00014048
        push    SWC00013644_MemoryStickPro0_Device
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L0001404B
L00014048:
        mov     esi,[ebp+0Ch]
L0001404B:
        cmp     byte ptr [ebp+0Bh],01h
        jnz     L0001405D
        push    SWC00013674_MemoryStickPro1_Device
        call    SUB_L0001288E
        mov     esi,eax
L0001405D:
        cmp     byte ptr [ebp+0Bh],02h
        jnz     L000140B5
        push    SWC000136A4_MemoryStickPro2_Device
        jmp     L000140AE
L0001406A:
        mov     bl,[ebp+0Bh]
        test    bl,bl
        jnz     L0001407F
        push    SWC000136D4_MMC0_Device
        call    SUB_L0001288E
        mov     esi,eax
        jmp     L00014082
L0001407F:
        mov     esi,[ebp+0Ch]
L00014082:
        cmp     bl,01h
        jnz     L00014093
        push    SWC000136EC_MMC1_Device
        call    SUB_L0001288E
        mov     esi,eax
L00014093:
        cmp     bl,02h
        jnz     L000140A4
        push    SWC00013704_MMC2_Device
        call    SUB_L0001288E
        mov     esi,eax
L000140A4:
        cmp     bl,03h
        jnz     L000140B5
        push    SWC0001371C_MMC3_Device
L000140AE:
        call    SUB_L0001288E
        mov     esi,eax
L000140B5:
        test    esi,esi
        jz      L0001410E
        push    SSZ00013734_TI_Msg_
        jmp     L000140FE
L000140C0:                                      ; DeviceTextLocationInformation: "FlashMedia %d"
        cmp     ebx,00000001h
        jnz     L0001410E                       ; other text types are not handled
        push    SSZ0001373C_TI_Msg_             ; cleaned by the add esp,10h below
        call    jmp_ntoskrnl.exe!DbgPrint
        push    [esi+50h]
        lea     eax,[ebp-00000194h]
        push    SWC00013744_FlashMedia__d
        push    eax
        call    [ntoskrnl.exe!swprintf]         ; fixed "FlashMedia %d" into the 0x194-byte frame buffer: cannot overrun
        add     esp,00000010h
        lea     eax,[ebp-00000194h]
        push    eax
        call    SUB_L0001288E
        mov     esi,eax
        test    esi,esi
        jz      L0001410E
        push    SSZ00013760_TI_Msg_
L000140FE:                                      ; common success exit for QUERY_ID / QUERY_DEVICE_TEXT
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[ebp+0Ch]
        mov     [eax+1Ch],esi                   ; Irp->IoStatus.Information = returned string
L00014109:
        pop     ecx                             ; discard the DbgPrint argument
L0001410A:
        and     dword ptr [ebp-04h],00000000h   ; status = STATUS_SUCCESS
L0001410E:                                      ; complete the IRP with [ebp-04h]
        push    SSZ00013768_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    [ebp-04h]
L0001411C:
        push    [ebp+0Ch]
        call    SUB_L00017220                   ; SUB_L00017220(Irp, Status): complete the request, returns Status (inferred)
        jmp     L0001422E
CASE_00014235_PROC0018:                         ; IRP_MN_QUERY_LEGACY_BUS_INFORMATION
        push    SSZ00013770_TI_Msg_
        jmp     L000141FC
CASE_00014235_PROC0016:                         ; IRP_MN_DEVICE_USAGE_NOTIFICATION
        push    SSZ00013778_TI_Msg_
        jmp     L000141FC
CASE_00014235_PROC000B:                         ; IRP_MN_QUERY_RESOURCE_REQUIREMENTS
        push    SSZ00013780_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00013788_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[ebp+0Ch]
        push    edi
        call    SUB_L00022828                   ; SUB_L00022828(ecx=Irp, DeviceObject): default PDO handling -> NTSTATUS (inferred)
        push    SSZ00013790_TI_Msg_
        jmp     L000141B0
CASE_00014235_PROC000A:                         ; IRP_MN_QUERY_RESOURCES
        push    SSZ00013798_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ000137A0_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[ebp+0Ch]
        push    edi
        call    SUB_L00022828
        push    SSZ000137A8_TI_Msg_
        jmp     L000141B0
CASE_00014235_PROC000D:                         ; IRP_MN_FILTER_RESOURCE_REQUIREMENTS
        push    SSZ000137B0_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ000137B8_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[ebp+0Ch]
        push    edi
        call    SUB_L00022828
        push    SSZ000137C0_TI_Msg_
L000141B0:
        mov     esi,eax                         ; keep the helper's status across DbgPrint
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     eax,esi
        jmp     L0001422E
CASE_00014235_PROC0014:                         ; IRP_MN_QUERY_PNP_DEVICE_STATE
        push    SSZ000137C8_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ000137D0_TI_Msg_
        jmp     L0001421F
CASE_00014235_PROC0008:                         ; IRP_MN_QUERY_INTERFACE
        push    SSZ000137D8_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ000137E0_TI_Msg_
        jmp     L0001421F
CASE_00014235_PROC000F:                         ; IRP_MN_READ_CONFIG
        push    SSZ000137E8_TI_Msg_
        jmp     L000141FC
CASE_00014235_PROC0010:                         ; IRP_MN_WRITE_CONFIG
        push    SSZ000137F0_TI_Msg_
        jmp     L000141FC
CASE_00014235_PROC0011:                         ; IRP_MN_EJECT
        push    SSZ000137F8_TI_Msg_
        jmp     L000141FC
CASE_00014235_PROC0012:                         ; IRP_MN_SET_LOCK
        push    SSZ00013800_TI_Msg_
L000141FC:
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[ebp+0Ch]
        mov     eax,edi
        call    SUB_L00022842                   ; SUB_L00022842(ecx=Irp, eax=DeviceObject); its result is returned as-is
        jmp     L0001422E
CASE_00014235_PROC000E:                         ; unused minor 0x0E, and every minor above 0x18
        push    SSZ00013808_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00013810_TI_Msg_
L0001421F:
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[ebp+0Ch]
        push    edi
        call    SUB_L00022828
L0001422E:                                      ; common epilogue; eax = NTSTATUS
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn    0008h
;------------------------------------------------------------------------------
CASE_PROCTABLE_00014235:                        ; indexed by IRP_MN_* 0x00..0x18
        dd      CASE_00014235_PROC0000
        dd      CASE_00014235_PROC0001
        dd      CASE_00014235_PROC0002
        dd      CASE_00014235_PROC0003
        dd      CASE_00014235_PROC0004
        dd      CASE_00014235_PROC0005
        dd      CASE_00014235_PROC0006
        dd      CASE_00014235_PROC0007
        dd      CASE_00014235_PROC0008
        dd      CASE_00014235_PROC0009
        dd      CASE_00014235_PROC000A
        dd      CASE_00014235_PROC000B
        dd      CASE_00014235_PROC000C
        dd      CASE_00014235_PROC000D
        dd      CASE_00014235_PROC000E
        dd      CASE_00014235_PROC000F
        dd      CASE_00014235_PROC0010
        dd      CASE_00014235_PROC0011
        dd      CASE_00014235_PROC0012
        dd      CASE_00014235_PROC0013
        dd      CASE_00014235_PROC0014
        dd      CASE_00014235_PROC0015
        dd      CASE_00014235_PROC0016
        dd      CASE_00014235_PROC0017
        dd      CASE_00014235_PROC0018
Align 2
;------------------------------------------------------------------------------
; SUB_L0001429A -- PVOID SUB_L0001429A(SIZE_T n)  (stdcall, retn 4)
; ExAllocatePoolWithTag(PagedPool=1, n, 'C6XP') and zero-fill on success;
; returns NULL on failure. Used for results handed to the PnP manager
; (PNP_BUS_INFORMATION in CASE_00014235_PROC0015).
;------------------------------------------------------------------------------
SUB_L0001429A:
        push    50583643h                       ; Tag = 0x50583643 ('C6XP')
        push    [esp+08h]                       ; NumberOfBytes = n
        push    00000001h                       ; PoolType = PagedPool
        call    [ntoskrnl.exe!ExAllocatePoolWithTag]
        mov     edx,eax
        test    edx,edx
        jz      L000142CB                       ; NULL -> return NULL
        mov     ecx,[esp+04h]
        push    esi
        mov     esi,ecx                         ; esi = n
        push    edi
        shr     ecx,02h
        xor     eax,eax
        mov     edi,edx
        rep stosd                               ; zero n/4 dwords ...
        mov     ecx,esi
        and     ecx,00000003h
        rep stosb                               ; ... and the n%4 tail bytes
        pop     edi
        pop     esi
L000142CB:
        mov     eax,edx
        retn    0004h
;------------------------------------------------------------------------------
; SUB_L000142D0 -- PVOID SUB_L000142D0(SIZE_T n)  (stdcall, retn 4)
; ExAllocatePoolWithTag(NonPagedPool=0, n, 'C6XN').
; DEFECT (compare SUB_L0001429A and SUB_L00014304): the branch is inverted.
; `jnz L000142FF` skips the zero-fill when the allocation SUCCEEDED, so callers
; receive uninitialised non-paged memory; when it FAILED the code sets
; edi = 0 and runs `rep stosd` / `rep stosb` for n bytes at address 0 (eax is
; 0 as well), a kernel write through a NULL pointer -- a bugcheck, or a silent
; write into a user-mapped null page on OS versions that allow mapping it.
; Callers on this page (SUB_L000149B2, L00014CBA) ask for 8 bytes and write
; both dwords immediately, so the missing zeroing is harmless for them; the
; failure-path write is not. The intended body is SUB_L00014304's: `jz` and
; `mov edi,edx`.
;------------------------------------------------------------------------------
SUB_L000142D0:
        push    4E583643h                       ; Tag = 0x4E583643 ('C6XN')
        push    [esp+08h]                       ; NumberOfBytes = n
        push    00000000h                       ; PoolType = NonPagedPool
        call    [ntoskrnl.exe!ExAllocatePoolWithTag]
        mov     edx,eax
        test    edx,edx
        jnz     L000142FF                       ; inverted: success skips the fill, failure falls into it
        mov     ecx,[esp+04h]
        push
; (continuation of SUB_L000142D0: the `push` ending the previous collapsed line takes `esi` as operand)
        esi
        mov     esi,ecx                         ; esi = n
        push    edi
        xor     edi,edi                         ; edi = 0: the rep stosd below writes n bytes at address 0
        shr     ecx,02h
        rep stosd
        mov     ecx,esi
        and     ecx,00000003h
        rep stosb
        pop     edi
        pop     esi
L000142FF:
        mov     eax,edx                         ; returns the (possibly NULL) block
        retn    0004h
;------------------------------------------------------------------------------
; SUB_L00014304 -- PVOID SUB_L00014304(SIZE_T n)  (cdecl: bare retn)
; ExAllocatePoolWithTag(NonPagedPool=0, n, 'C6XN') and zero-fill on success;
; returns NULL on failure. Same body as SUB_L0001429A apart from pool type and
; calling convention.
;------------------------------------------------------------------------------
SUB_L00014304:
        push    4E583643h                       ; Tag = 0x4E583643 ('C6XN')
        push    [esp+08h]                       ; NumberOfBytes = n
        push    00000000h                       ; PoolType = NonPagedPool
        call    [ntoskrnl.exe!ExAllocatePoolWithTag]
        mov     edx,eax
        test    edx,edx
        jz      L00014335                       ; NULL -> return NULL
        mov     ecx,[esp+04h]
        push    esi
        mov     esi,ecx
        push    edi
        shr     ecx,02h
        xor     eax,eax
        mov     edi,edx
        rep stosd                               ; zero n/4 dwords ...
        mov     ecx,esi
        and     ecx,00000003h
        rep stosb                               ; ... and the n%4 tail bytes
        pop     edi
        pop     esi
L00014335:
        mov     eax,edx
        retn
;------------------------------------------------------------------------------
; SUB_L00014338 -- void SUB_L00014338(PVOID p)  (cdecl)
; ExFreePoolWithTag(p, 0) when p != NULL. Tag 0 means the free is not checked
; against the 'C6XP'/'C6XN' tags the allocators above use.
;------------------------------------------------------------------------------
SUB_L00014338:
        cmp     dword ptr [esp+04h],00000000h
        jz      L0001434B
        push    00000000h                       ; Tag = 0
        push    [esp+08h]                       ; P (the argument, one slot further up after the push)
        call    [ntoskrnl.exe!ExFreePoolWithTag]
L0001434B:
        retn
;------------------------------------------------------------------------------
; SUB_L0001434C -- synchronous IRP_MJ_PNP config-space request sent down the stack.
; NTSTATUS SUB_L0001434C(PDEVICE_OBJECT Target, const ULONG Params[4], ULONG IsRead)  (stdcall, retn 0Ch)
; Allocates an IRP with IoAllocateIrp(Target->StackSize, FALSE), fills the next
; stack location with MajorFunction 0x1B (IRP_MJ_PNP) and MinorFunction 0x0F
; (IRP_MN_READ_CONFIG) when IsRead != 0 or 0x10 (IRP_MN_WRITE_CONFIG) when
; IsRead == 0, copies the four Parameters dwords from Params, installs the
; completion routine L0001723A (Control 0xE0 = invoke on success|error|cancel)
; with a stack KEVENT as its context, sends it with IofCallDriver and waits
; if STATUS_PENDING comes back.
; Two things to confirm against source:
;   - the IRP is always released here with IoFreeIrp, so L0001723A must return
;     STATUS_MORE_PROCESSING_REQUIRED and set the event (not on this page);
;   - after the wait, esi still holds STATUS_PENDING (0x103); Irp->IoStatus.Status
;     is never read, so callers of the pended path get 0x103, not the real result.
; Returns STATUS_INSUFFICIENT_RESOURCES (C000009Ah) when the IRP cannot be built.
; Locals: [ebp-10h..-01h] = KEVENT (0x10 bytes on x86). The wait requires PASSIVE_LEVEL.
;------------------------------------------------------------------------------
SUB_L0001434C:
        push    ebp
        mov     ebp,esp
        sub     esp,00000010h
        mov     eax,[ebp+08h]
        movsx   eax,[eax+30h]                   ; Target->StackSize (CHAR at DEVICE_OBJECT+30h)
        push    ebx
        push    edi
        xor     ebx,ebx                         ; ebx = 0, reused as FALSE / NULL below
        push    ebx                             ; ChargeQuota = FALSE
        push    eax                             ; StackSize
        call    [ntoskrnl.exe!IoAllocateIrp]
        mov     edi,eax                         ; edi = new Irp
        cmp     edi,ebx
        jnz     L00014375
        mov     eax,C000009Ah                   ; STATUS_INSUFFICIENT_RESOURCES
        jmp     L00014405
L00014375:
        push    esi
        mov     esi,[edi+60h]                   ; Irp->Tail.Overlay.CurrentStackLocation
        sub     esi,00000024h                   ; esi = next stack location (sizeof(IO_STACK_LOCATION) = 0x24)
        jnz     L00014385
        mov     esi,C000009Ah                   ; defensive: pointer arithmetic produced 0
        jmp     L000143FB
L00014385:
        cmp     [ebp+10h],bl                    ; IsRead == 0 ?
        mov     dword ptr [edi+18h],C00000BBh   ; Irp->IoStatus.Status = STATUS_NOT_SUPPORTED (PnP convention before sending)
        setz    al
        add     al,0Fh                          ; al = 0x0F (READ_CONFIG) or 0x10 (WRITE_CONFIG)
        push    ebx                             ; KeInitializeEvent State = FALSE
        mov     [esi+01h],al                    ; next->MinorFunction
        push    ebx                             ; Type = NotificationEvent (0)
        lea     eax,[ebp-10h]
        push    eax                             ; &event
        mov     byte ptr [esi],1Bh              ; next->MajorFunction = IRP_MJ_PNP
        call    [ntoskrnl.exe!KeInitializeEvent]
        mov     eax,[edi+60h]
        mov     dword ptr [eax-08h],L0001723A   ; next->CompletionRoutine (+1Ch of the next location)
        mov     byte ptr [eax-21h],E0h          ; next->Control = SL_INVOKE_ON_CANCEL|SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_ERROR
        sub     eax,00000024h
        lea     ecx,[ebp-10h]
        mov     [eax+20h],ecx                   ; next->Context = &event
        mov     eax,[ebp+0Ch]
        mov     ecx,[eax]
        mov     [esi+04h],ecx                   ; Parameters dwords 0..3 (ReadWriteConfig: WhichSpace, Buffer, Offset, Length)
        mov     ecx,[eax+04h]
        mov     [esi+08h],ecx
        mov     ecx,[eax+08h]
        mov     [esi+0Ch],ecx
        mov     eax,[eax+0Ch]
        mov     ecx,[ebp+08h]                   ; ecx = Target
        mov     edx,edi                         ; edx = Irp
        mov     [esi+10h],eax
        call    [ntoskrnl.exe!IofCallDriver]    ; __fastcall IofCallDriver(Target, Irp)
        mov     esi,eax
        cmp     esi,00000103h                   ; STATUS_PENDING ?
        jnz     L000143FB
        push    ebx                             ; Timeout = NULL (wait forever)
        push    ebx                             ; Alertable = FALSE
        push    ebx                             ; WaitMode = KernelMode
        push    00000005h                       ; WaitReason = 5 (Suspended); Executive (0) is the customary value
        lea     eax,[ebp-10h]
        push    eax                             ; &event
        call    [ntoskrnl.exe!KeWaitForSingleObject]
L000143FB:
        push    edi
        call    [ntoskrnl.exe!IoFreeIrp]
        mov     eax,esi                         ; return the status from IofCallDriver (still 0x103 after a wait)
        pop     esi
L00014405:
        pop     edi
        pop     ebx
        leave
        retn    000Ch
;------------------------------------------------------------------------------
Align 4
;------------------------------------------------------------------------------
; SUB_L0001440C -- NTSTATUS SUB_L0001440C(PDEVICE_OBJECT, PIRP Irp)  (stdcall, retn 8)
; Power-IRP fallback: PoStartNextPowerIrp(Irp), complete the IRP with the
; status it already carries, return that status.
;------------------------------------------------------------------------------
SUB_L0001440C:
        push    esi
        mov     esi,[esp+0Ch]                   ; Irp
        push    edi
        push    esi
        call    [ntoskrnl.exe!PoStartNextPowerIrp]
        mov     edi,[esi+18h]                   ; Irp->IoStatus.Status
        xor     dl,dl                           ; PriorityBoost = 0
        mov     ecx,esi
        call    [ntoskrnl.exe!IofCompleteRequest]   ; __fastcall IofCompleteRequest(Irp, 0)
        mov     eax,edi
        pop     edi
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
Align 2
; L0001442E -- (PDEVICE_OBJECT, PIRP Irp)  (stdcall, retn 8)
; Start the next power IRP and complete this one with STATUS_SUCCESS via SUB_L00017220.
L0001442E:
        push    [esp+08h]                       ; Irp
        call    [ntoskrnl.exe!PoStartNextPowerIrp]
        push    00000000h                       ; Status = STATUS_SUCCESS
        push    [esp+0Ch]                       ; Irp (arg 2, one slot further up after the push)
        call    SUB_L00017220                   ; SUB_L00017220(Irp, Status)
        retn    0008h
;------------------------------------------------------------------------------
SSZ00014446_TI_Msg_: db 'TI Msg',0Ah,0
; L0001444E -- IRP_MN_SET_POWER for a child: (PDEVICE_OBJECT DevObj, PIRP Irp)  (stdcall, retn 8)
; If Parameters.Power.Type (+08h) == DevicePowerState (1), report the new state
; with PoSetPowerState(DevObj, DevicePowerState, Parameters.Power.State (+0Ch)).
; System-state requests get no action. Always completes with STATUS_SUCCESS.
L0001444E:
        push    esi
        push    edi
        mov     edi,[esp+10h]                   ; Irp
        mov     esi,[edi+60h]                   ; current IO_STACK_LOCATION
        push    edi
        call    [ntoskrnl.exe!PoStartNextPowerIrp]
        cmp     dword ptr [esi+08h],00000001h   ; Parameters.Power.Type == DevicePowerState ?
        jnz     L0001447E
        push    SSZ00014446_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    [esi+0Ch]                       ; State
        push    00000001h                       ; Type = DevicePowerState
        push    [esp+14h]                       ; DevObj (arg 1)
        call    [ntoskrnl.exe!PoSetPowerState]
L0001447E:
        push    00000000h                       ; STATUS_SUCCESS
        push    edi
        call    SUB_L00017220
        pop     edi
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
Align 4
; L0001448C -- (PDEVICE_OBJECT, PIRP Irp)  (stdcall, retn 8)
; Start the next power IRP and complete this one as STATUS_NOT_SUPPORTED
; (C00000BBh) with a third argument of 0 via SUB_L000171FE.
L0001448C:
        push    [esp+08h]                       ; Irp
        call    [ntoskrnl.exe!PoStartNextPowerIrp]
        push    00000000h                       ; presumably Information = 0 -- confirm SUB_L000171FE's signature
        push    C00000BBh                       ; STATUS_NOT_SUPPORTED
        push    [esp+10h]                       ; Irp
        call    SUB_L000171FE                   ; SUB_L000171FE(Irp, Status, 0)
        retn    0008h
;------------------------------------------------------------------------------
Align 2
SSZ000144AA_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000144B2_TI_Msg_: db 'TI Msg',0Ah,0
; L000144BA is DATA that the listing decoded as code: bytes 54 49 20 4D 73 67 0A 00
; are another 'TI Msg',0Ah,0 string. It is only used as `push L000144BA` before DbgPrint.
L000144BA:
        push    esp
        dec     ecx
        and     [ebp+73h],cl
        or      al,[eax]
;------------------------------------------------------------------------------
; SUB_L000144C2 -- IRP_MJ_POWER dispatch for a child device.
; NTSTATUS SUB_L000144C2(PDEVICE_OBJECT DevObj, PIRP Irp)  (stdcall, retn 8)
; If the PnP state at ext+10h is 4 (surprise removed) or 5 (removed) the IRP is
; completed with STATUS_SUCCESS at once. Otherwise MinorFunction 0..3
; (IRP_MN_WAIT_WAKE, POWER_SEQUENCE, SET_POWER, QUERY_POWER) is dispatched
; through the table at L00023304 (not on this page); any other minor goes to
; SUB_L0001440C. Both take (DevObj, Irp) and their status is returned.
;------------------------------------------------------------------------------
SUB_L000144C2:
        mov     eax,[esp+04h]                   ; DevObj
        push    ebx
        mov     ebx,[esp+0Ch]                   ; ebx = Irp
        push    esi
        mov     esi,[eax+28h]                   ; esi = DevObj->DeviceExtension
        push    edi
        mov     edi,[ebx+60h]                   ; edi = current IO_STACK_LOCATION
        push    SSZ000144AA_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     esi,[esi+10h]                   ; PnP state (the field SUB_L00013818 maintains)
        cmp     esi,00000005h
        pop     ecx
        jz      L00014509
        cmp     esi,00000004h
        jz      L00014509
        movzx   eax,[edi+01h]                   ; MinorFunction
        cmp     eax,00000004h
        push    ebx                             ; Irp
        push    [esp+14h]                       ; DevObj (arg 1, after four pushes)
        jc      L00014500
        call    SUB_L0001440C                   ; minor >= 4: start next + complete with the current status
        jmp     L00014536
L00014500:
        call    [L00023304+eax*4]               ; minor 0..3 handler table
        jmp     L00014536
L00014509:                                      ; device already gone: succeed the IRP
        push    SSZ000144B2_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
; (tail of SUB_L000144C2, L00014509 path: device removed, complete with success)
        push    ebx                             ; Irp
        call    [ntoskrnl.exe!PoStartNextPowerIrp]
        and     dword ptr [ebx+18h],00000000h   ; Irp->IoStatus.Status = STATUS_SUCCESS
        xor     dl,dl
        mov     ecx,ebx
        call    [ntoskrnl.exe!IofCompleteRequest]
        push    L000144BA                       ; a 'TI Msg' string that the listing decoded as code
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        xor     eax,eax                         ; return STATUS_SUCCESS
L00014536:
        pop     edi
        pop     esi
        pop     ebx
        retn    0008h
;------------------------------------------------------------------------------
SSZ0001453C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014544_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001454C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014554_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001455C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014564_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001456C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014574_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001457C_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L00014584 -- work-item routine queued by L00014CBA after a D0 transition.
; void L00014584(PDEVICE_OBJECT, PVOID Ctx)  (stdcall, retn 8); Ctx = { PIO_WORKITEM, FDO extension }
; Re-scans every slot (count at ext+1B4h) through the controller object at
; ext+1B8h (__fastcall helpers SUB_L000181A6 / SUB_L0001775E / SUB_L00017D90):
;   result 0xA1 -> card gone: clear the per-slot record and invalidate bus relations;
;   result 0    -> card present: if not yet recorded, record it and invalidate bus
;                  relations; otherwise re-read its ID and, if it changed, mark the
;                  slot (ext+104h+i, ext+108h+i) and invalidate relations once after the loop;
;   other       -> trace only.
; Then walks the child list at ext+10Ch and restarts each started child's queue.
; Finally frees the work item and Ctx. Result codes and field roles are inferred
; from the control flow -- confirm against the driver's headers.
; Locals: [ebp-01h] = "relations changed", [ebp-06h] = slot index (byte),
;         [ebp-0Ch] = ID written by SUB_L00017D90, [ebp-02h] = its status byte.
;------------------------------------------------------------------------------
L00014584:
        push    ebp
        mov     ebp,esp
        sub     esp,0000000Ch
        mov     eax,[ebp+0Ch]                   ; Ctx
        push    ebx
        push    esi
        mov     esi,[eax+04h]                   ; esi = FDO device extension
        push    edi
        push    SSZ0001453C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[esi+000001B8h]             ; controller object
        call    SUB_L000181A6
        and     byte ptr [ebp-01h],00h
        and     byte ptr [ebp-06h],00h          ; slot = 0
        xor     edi,edi
        cmp     [esi+000001B4h],edi             ; slot count == 0 -> skip the scan
        jbe     L00014700
L000145BF:
        push    [ebp-06h]                       ; pushes 4 bytes starting at the byte local; callee presumably uses the low byte only -- confirm
        mov     ecx,[esi+000001B8h]
        call    SUB_L0001775E                   ; al = slot status
        test    al,al
        jz      L00014642
        cmp     al,A1h
        jz      L000145DC
        push    SSZ00014544_TI_Msg_
        jmp     L00014638
L000145DC:                                      ; 0xA1: card removed
        push    SSZ0001454C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        lea     eax,[edi+edi*4+50h]
        lea     ebx,[esi+eax*4]                 ; ebx = &slot[i]: 20-byte records starting at ext+140h
        cmp     byte ptr [ebx],00h              ; slot[i].present ?
        pop     ecx
        jz      L00014633
        push    SSZ00014554_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        and     byte ptr [ebx],00h              ; present = 0
        lea     eax,[edi+edi*4]
        lea     eax,[esi+eax*4]
        or      dword ptr [eax+00000144h],FFFFFFFFh   ; slot[i]+04h = -1
        and     byte ptr [eax+00000141h],00h    ; slot[i]+01h = 0
        mov     byte ptr [eax+0000014Ch],07h    ; slot[i]+0Ch = 7
L0001461B:
        pop     ecx                             ; discard the trace argument pushed on either path
        push    00000000h                       ; Type = BusRelations
        push    [esi+3Ch]                       ; ext+3Ch: the bus PDO (also used by PoRequestPowerIrp in SUB_L000149B2)
        mov     byte ptr [esi+000001B0h],01h
        call    [ntoskrnl.exe!IoInvalidateDeviceRelations]
        jmp     L000146DC
L00014633:
        push    SSZ0001455C_TI_Msg_
L00014638:
        call    jmp_ntoskrnl.exe!DbgPrint
        jmp     L000146DB
L00014642:                                      ; 0: card present
        push    SSZ00014564_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        lea     eax,[edi+edi*4+50h]
        lea     ebx,[esi+eax*4]
        cmp     byte ptr [ebx],00h
        pop     ecx
        jnz     L00014672
        push    SSZ0001456C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        lea     eax,[edi+edi*4]
        mov     [esi+eax*4+00000144h],edi       ; slot[i]+04h = slot index
        mov     byte ptr [ebx],01h              ; present = 1
        jmp     L0001461B
L00014672:                                      ; already present: did the card change?
        mov     ecx,[esi+000001B8h]
        lea     eax,[ebp-0Ch]
        push    eax                             ; &id
        push    [ebp-06h]                       ; slot
        call    SUB_L00017D90                   ; al = status, id written to [ebp-0Ch]
        push    SSZ00014574_TI_Msg_
        mov     [ebp-02h],al
        call    jmp_ntoskrnl.exe!DbgPrint
        lea     ebx,[edi+esi]
        and     byte ptr [ebx+00000104h],00h    ; ext+104h+i, ext+108h+i: per-slot byte flags
        and     byte ptr [ebx+00000108h],00h
        cmp     byte ptr [ebp-02h],00h
        pop     ecx
        jnz     L000146DC                       ; ID read failed: leave as is
        lea     eax,[edi+edi*4]
        mov     eax,[esi+eax*4+00000150h]       ; slot[i]+10h: recorded ID
        cmp     eax,[ebp-0Ch]
        jz      L000146DC
        push    SSZ0001457C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     byte ptr [ebx+00000104h],01h
        mov     byte ptr [ebx+00000108h],01h
        and     byte ptr [esi+000001B0h],00h
        mov     byte ptr [ebp-01h],01h          ; invalidate relations after the loop
L000146DB:
        pop     ecx
L000146DC:
        inc     [ebp-06h]                       ; operand size not shown by the listing; only the byte read next matters
        movzx   edi,[ebp-06h]
        cmp     edi,[esi+000001B4h]
        jc      L000145BF
        cmp     byte ptr [ebp-01h],00h
        jz      L00014700
        push    00000000h                       ; BusRelations
        push    [esi+3Ch]
        call    [ntoskrnl.exe!IoInvalidateDeviceRelations]
L00014700:                                      ; walk the child list (LIST_ENTRY at ext+10Ch)
        lea     ebx,[esi+0000010Ch]
        mov     edi,[ebx]                       ; Flink
        jmp     L00014761
L0001470A:                                      ; edi = list entry inside a child record; fields are relative to it
        cmp     byte ptr [edi+08h],00h
        jz      L0001475F
        cmp     dword ptr [edi-1Ch],00000000h   ; child device object (it is SUB_L00010512's 2nd arg below)
        jz      L0001475F
        cmp     byte ptr [edi-24h],00h
        jz      L0001475F
        mov     al,[edi-18h]                    ; child PnP state: 1 = started, 4 = surprise removed
        cmp     al,01h
        jz      L00014727
        cmp     al,04h
        jnz     L00014753
L00014727:
        cmp     dword ptr [edi+000001C8h],00000000h
        jz      L00014753
        push    [edi+000001D8h]
        mov     ecx,[esi+000001B8h]
        push    [edi+000001D0h]
        xor     eax,eax
        mov     al,[edi-20h]                    ; child's slot index byte
        push    [edi+000001CCh]
        push    eax
        call    SUB_L00017C16                   ; SUB_L00017C16(ecx=controller, slot, +1CCh, +1D0h, +1D8h): re-apply slot settings (inferred)
L00014753:
        push    [edi-1Ch]
        lea     eax,[edi+0Ch]
        push    eax
        call    SUB_L00010512                   ; SUB_L00010512(&child queue, child DevObj): restart the queue (inferred)
L0001475F:
        mov     edi,[edi]                       ; next
L00014761:
        cmp     edi,ebx
        jnz     L0001470A
        mov     esi,[ebp+0Ch]
        push    [esi]
        call    jmp_ntoskrnl.exe!IoFreeWorkItem
        push    00000000h
        push    esi
        call    [ntoskrnl.exe!ExFreePoolWithTag]   ; free Ctx (tag 0)
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn    0008h
;------------------------------------------------------------------------------
Align 4
SSZ00014780_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014788_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014790_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014798_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000147A0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000147A8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000147B0_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L000147B8 -- void SUB_L000147B8(PDEVICE_OBJECT DevObj, DEVICE_POWER_STATE s)  (stdcall, retn 8)
; Stores s at ext+1Ch (device power state; 0..5 = PowerDeviceUnspecified..PowerDeviceMaximum)
; and prints one trace line per value. Callers on this page pass 1 (D0) and 4 (D3).
;------------------------------------------------------------------------------
SUB_L000147B8:
        mov     eax,[esp+04h]
        mov     ecx,[eax+28h]                   ; DeviceExtension
        mov     eax,[esp+08h]
        mov     [ecx+1Ch],eax                   ; ext+1Ch = device power state
        sub     eax,00000000h                   ; switch ladder on s
        jz      L00014804                       ; 0
        dec     eax
        jz      L000147FD                       ; 1 (D0)
        dec     eax
        jz      L000147F6                       ; 2
        dec     eax
        jz      L000147EF                       ; 3
        dec     eax
        jz      L000147E8                       ; 4 (D3)
        dec     eax
        jz      L000147E1                       ; 5
        push    SSZ00014780_TI_Msg_             ; default
        jmp     L00014809
L000147E1:
        push    SSZ00014788_TI_Msg_
        jmp     L00014809
L000147E8:
        push    SSZ00014790_TI_Msg_
        jmp     L00014809
L000147EF:
        push    SSZ00014798_TI_Msg_
        jmp     L00014809
L000147F6:
        push    SSZ000147A0_TI_Msg_
        jmp     L00014809
L000147FD:
        push    SSZ000147A8_TI_Msg_
        jmp     L00014809
L00014804:
        push    SSZ000147B0_TI_Msg_
L00014809:
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        retn    0008h
;------------------------------------------------------------------------------
SSZ00014812_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001481A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014822_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001482A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014832_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001483A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014842_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001484A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014852_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L0001485A -- void SUB_L0001485A(PDEVICE_OBJECT DevObj, SYSTEM_POWER_STATE s)  (stdcall, retn 8)
; Stores s at ext+18h (system power state; 0..7 = PowerSystemUnspecified..PowerSystemMaximum)
; and prints a per-value trace line; values above 7 are still stored and take the default line.
;------------------------------------------------------------------------------
SUB_L0001485A:
        mov     eax,[esp+04h]
        mov     ecx,[eax+28h]                   ; DeviceExtension
        mov     eax,[esp+08h]
        cmp     eax,00000007h
        mov     [ecx+18h],eax                   ; ext+18h = system power state (stored before the range check)
        ja      L000148AC
        jmp     [CASE_PROCTABLE_000148BA+eax*4]
CASE_000148BA_PROC0000:
        push    SSZ00014812_TI_Msg_
        jmp     L000148B1
CASE_000148BA_PROC0001:
        push    SSZ0001481A_TI_Msg_
        jmp     L000148B1
CASE_000148BA_PROC0002:
        push    SSZ00014822_TI_Msg_
        jmp     L000148B1
CASE_000148BA_PROC0003:
        push    SSZ0001482A_TI_Msg_
        jmp     L000148B1
CASE_000148BA_PROC0004:
        push    SSZ00014832_TI_Msg_
        jmp     L000148B1
CASE_000148BA_PROC0005:
        push    SSZ0001483A_TI_Msg_
        jmp     L000148B1
CASE_000148BA_PROC0006:
        push    SSZ00014842_TI_Msg_
        jmp     L000148B1
CASE_000148BA_PROC0007:
        push    SSZ0001484A_TI_Msg_
        jmp     L000148B1
L000148AC:
        push    SSZ00014852_TI_Msg_             ; default
L000148B1:
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        retn    0008h
;------------------------------------------------------------------------------
CASE_PROCTABLE_000148BA:                        ; indexed by SYSTEM_POWER_STATE 0..7
        dd      CASE_000148BA_PROC0000
        dd      CASE_000148BA_PROC0001
        dd      CASE_000148BA_PROC0002
        dd      CASE_000148BA_PROC0003
        dd      CASE_000148BA_PROC0004
        dd      CASE_000148BA_PROC0005
        dd      CASE_000148BA_PROC0006
        dd      CASE_000148BA_PROC0007
SSZ000148DA_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000148E2_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000148EA_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L000148F2 -- PoRequestPowerIrp completion callback for the D-IRP issued by SUB_L000149B2.
; void L000148F2(PDEVICE_OBJECT, UCHAR Minor, POWER_STATE, PVOID Ctx, PIO_STATUS_BLOCK IoStatus)  (stdcall, retn 14h)
; Ctx = { PDEVICE_OBJECT Fdo, PIRP SystemIrp } as allocated by SUB_L000149B2.
; Copies IoStatus->Status into the pended S-IRP, starts the next power IRP,
; completes the S-IRP with Information 0, frees Ctx and releases the lock at
; ext+24h through SUB_L00010774.
;------------------------------------------------------------------------------
L000148F2:
        push    ebx
        push    esi
        push    edi
        mov     edi,[esp+1Ch]                   ; Ctx (arg 4 after three pushes)
        mov     eax,[edi]                       ; Fdo
        mov     esi,[edi+04h]                   ; esi = S-IRP
        mov     ebx,[eax+28h]                   ; ebx = Fdo extension
        push    SSZ000148DA_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[esp+24h]                   ; IoStatus (arg 5; the trace argument is still on the stack)
        mov     eax,[eax]
        mov     [esi+18h],eax                   ; S-IRP->IoStatus.Status = D-IRP status
        mov     dword ptr [esp],SSZ000148E2_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    esi
        call    [ntoskrnl.exe!PoStartNextPowerIrp]
        and     dword ptr [esi+1Ch],00000000h   ; Information = 0
        xor     dl,dl
        mov     ecx,esi
        call    [ntoskrnl.exe!IofCompleteRequest]
        push    00000000h
        push    edi
        call    [ntoskrnl.exe!ExFreePoolWithTag]   ; free Ctx
        push    esi
        add     ebx,00000024h
        push    ebx
        call    SUB_L00010774                   ; SUB_L00010774(&ext->lock at +24h, Irp): release, remove-lock style (inferred)
        push    SSZ000148EA_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        pop     edi
        pop     esi
        pop     ebx
        retn    0014h
;------------------------------------------------------------------------------
SSZ0001495A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014962_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001496A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014972_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001497A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014982_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001498A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014992_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001499A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000149A2_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000149AA_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L000149B2 -- handle a system power IRP (S-IRP) for the FDO by requesting the matching D-IRP.
; void SUB_L000149B2(PDEVICE_OBJECT Fdo, PIRP Irp)  (stdcall, retn 8); called from L00014BBE.
; Target device state: PowerSystemWorking (1) -> D0 (1); anything else -> D3 (4).
; For IRP_MN_SET_POWER (minor 2) to D3 it first quiesces each recorded child
; (SUB_L000105AA on the child queue, KeCancelTimer on the child timer at +68h),
; waits 600 ms, powers each affected slot down (SUB_L00017DE4) and then the
; controller (SUB_L00018104). Then PoRequestPowerIrp(pdo at ext+3Ch, minor,
; target, L000148F2, Ctx) with Ctx = { Fdo, Irp } from SUB_L000142D0.
; If the request does not return STATUS_PENDING, or Ctx cannot be allocated,
; the S-IRP is completed here and the lock at ext+24h released.
; Locals: [ebp-04h] = IO_STACK_LOCATION, [ebp-08h] = Ctx, [ebp-10h..-09h] = LARGE_INTEGER delay,
;         [ebp-20h..-11h] = slots[4] (one dword each), [ebp+08h] reused as the slot count,
;         [ebp+0Ch] reused as the target DEVICE_POWER_STATE (the Irp lives in esi).
; Caveat: nothing bounds the slot count. A 5th or 6th affected child overwrites
; [ebp-10h]/[ebp-0Ch] (harmless: set after the loop); a 7th and 8th overwrite the
; Ctx pointer and the IO_STACK_LOCATION pointer. Safe only while the child list
; never exceeds 4 -- device names on this page stop at index 3; confirm.
; Its continuation is on the following lines.
;------------------------------------------------------------------------------
SUB_L000149B2:
        push    ebp
        mov     ebp,esp
        sub     esp,00000020h
        push    ebx
        push    esi
        mov     esi,[ebp+0Ch]                   ; esi = Irp
        mov     eax,[esi+60h]                   ; current IO_STACK_LOCATION
        push    edi
        mov     edi,[ebp+08h]                   ; edi = Fdo
        mov     ebx,[edi+28h]                   ; ebx = Fdo extension
        push    SSZ0001495A_TI_Msg_
        mov     [ebp-04h],eax
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[ebp-04h]
        mov     eax,[eax+0Ch]                   ; Parameters.Power.State.SystemState
        dec     eax
        pop     ecx
        jz      L000149F1                       ; == PowerSystemWorking (1)
        push    SSZ00014962_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [ebp+0Ch],00000004h   ; target = PowerDeviceD3
        jmp     L00014A02
L000149F1:
        push    SSZ0001496A_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [ebp+0Ch],00000001h   ; target = PowerDeviceD0
L00014A02:
        pop     ecx
        push    00000008h
        call    SUB_L000142D0                   ; 8-byte NonPagedPool Ctx (this allocator does not zero on success)
        test    eax,eax
        mov     [ebp-08h],eax
        jnz     L00014A2F
; (continuation of SUB_L000149B2: Ctx allocation failed)
        push    SSZ00014972_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    esi
        call    [ntoskrnl.exe!PoStartNextPowerIrp]
        mov     dword ptr [esi+18h],C000009Ah   ; STATUS_INSUFFICIENT_RESOURCES
        jmp     L00014B63
L00014A2F:
        push    SSZ0001497A_TI_Msg_
        mov     [eax],edi                       ; Ctx->Fdo
        mov     [eax+04h],esi                   ; Ctx->Irp
        call    jmp_ntoskrnl.exe!DbgPrint
        and     dword ptr [ebp+08h],00000000h   ; slot count = 0
        or      eax,FFFFFFFFh
        lea     edi,[ebp-20h]
        stosd
        stosd
        stosd
        stosd                                   ; slots[0..3] = -1
        mov     eax,[ebp-04h]
        cmp     byte ptr [eax+01h],02h          ; MinorFunction == IRP_MN_SET_POWER ?
        pop     ecx
        jnz     L00014B1B
        cmp     dword ptr [ebp+0Ch],00000004h   ; ... and target == D3 ?
        jnz     L00014B1B
        lea     eax,[ebx+0000010Ch]             ; child list head (LIST_ENTRY at ext+10Ch)
        mov     edi,[eax]
        jmp     L00014ABF
L00014A6E:                                      ; edi = list entry inside a child record
        cmp     byte ptr [edi+08h],00h
        jz      L00014AB7
        push    SSZ00014982_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ0001498A_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        cmp     dword ptr [edi-1Ch],00000000h   ; child device object present ?
        pop     ecx
        jz      L00014AB7
        cmp     byte ptr [edi-24h],00h
        jz      L00014AB7
        lea     eax,[edi+0Ch]
        push    eax
        call    SUB_L000105AA                   ; hold the child's queue (inferred)
        lea     eax,[edi+68h]
        push    eax
        call    [ntoskrnl.exe!KeCancelTimer]    ; child KTIMER at +68h
        mov     ecx,[ebp+08h]
        mov     eax,[edi-20h]                   ; slot index (only the low byte is used later)
        inc     [ebp+08h]
        mov     [ebp+ecx*4-20h],eax             ; slots[count++] -- unbounded, see the function header
L00014AB7:
        mov     edi,[edi]                       ; next
        lea     eax,[ebx+0000010Ch]
L00014ABF:
        cmp     edi,eax
        jnz     L00014A6E
        or      dword ptr [ebp-0Ch],FFFFFFFFh   ; delay.HighPart = -1
        lea     eax,[ebp-10h]
        push    eax                             ; Interval = &delay
        xor     edi,edi
        push    edi                             ; Alertable = FALSE
        push    edi                             ; WaitMode = KernelMode
        mov     dword ptr [ebp-10h],FFA47280h   ; delay = -6,000,000 * 100 ns = 600 ms relative
        call    [ntoskrnl.exe!KeDelayExecutionThread]
        cmp     [ebp+08h],edi
        jbe     L00014AF9                       ; no affected slots
L00014AE1:
        mov     ecx,[ebx+000001B8h]             ; controller object
        xor     eax,eax
        mov     al,[ebp+edi*4-20h]
        push    eax
        call    SUB_L00017DE4                   ; SUB_L00017DE4(ecx=controller, slot): power the slot down (inferred)
        inc     edi
        cmp     edi,[ebp+08h]
        jc      L00014AE1
L00014AF9:
        push    SSZ00014992_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ0001499A_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     ecx,[ebx+000001B8h]
        call    SUB_L00018104                   ; controller power-down (inferred)
L00014B1B:
        mov     eax,[ebp-04h]
        movzx   eax,[eax+01h]                   ; MinorFunction of the S-IRP
        push    00000000h                       ; Irp (out) = NULL
        push    [ebp-08h]                       ; Context = Ctx
        push    L000148F2                       ; CompletionFunction
        push    [ebp+0Ch]                       ; PowerState = target device state
        push    eax                             ; MinorFunction
        push    [ebx+3Ch]                       ; DeviceObject = bus PDO
        call    [ntoskrnl.exe!PoRequestPowerIrp]
        mov     edi,eax
        cmp     edi,00000103h                   ; STATUS_PENDING: L000148F2 finishes the S-IRP later
        jz      L00014B7B
        push    SSZ000149A2_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    00000000h
        push    [ebp-08h]
        call    [ntoskrnl.exe!ExFreePoolWithTag]   ; free Ctx
        push    esi
        call    [ntoskrnl.exe!PoStartNextPowerIrp]
        mov     [esi+18h],edi                   ; S-IRP status = PoRequestPowerIrp result
L00014B63:
        and     dword ptr [esi+1Ch],00000000h   ; Information = 0
        mov     ecx,esi
        xor     dl,dl
        call    [ntoskrnl.exe!IofCompleteRequest]
        add     ebx,00000024h
        push    esi
        push    ebx
        call    SUB_L00010774                   ; release the lock at ext+24h for this Irp
L00014B7B:
        push    SSZ000149AA_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn    0008h
;------------------------------------------------------------------------------
Align 2
SSZ00014B8E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014B96_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014B9E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014BA6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014BAE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014BB6_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L00014BBE -- IoCompletion routine for the S-IRP once the lower driver has finished it.
; NTSTATUS L00014BBE(PDEVICE_OBJECT Fdo, PIRP Irp, PVOID)  (stdcall, retn 0Ch)
; Lower status < 0: PoStartNextPowerIrp, release the lock at ext+24h, return
; STATUS_SUCCESS so completion continues with the lower driver's status.
; Otherwise hand the IRP to SUB_L000149B2 (which pends it behind a D-IRP) and
; return STATUS_MORE_PROCESSING_REQUIRED (C0000016h) so the I/O manager stops here.
;------------------------------------------------------------------------------
L00014BBE:
        mov     eax,[esp+04h]                   ; Fdo
        push    ebx
        push    esi
        mov     esi,[esp+10h]                   ; Irp
        mov     ebx,[esi+18h]                   ; Irp->IoStatus.Status
        push    edi
        mov     edi,[eax+28h]                   ; Fdo extension
        push    SSZ00014B8E_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        test    ebx,ebx
        pop     ecx
        jge     L00014BFE                       ; NT_SUCCESS (warnings and informational statuses included)
        push    SSZ00014B96_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    esi
        call    [ntoskrnl.exe!PoStartNextPowerIrp]
        push    esi
        add     edi,00000024h
        push    edi
        call    SUB_L00010774
        xor     eax,eax                         ; STATUS_SUCCESS: let completion continue
        jmp     L00014C3B
L00014BFE:
        push    SSZ00014B9E_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00014BA6_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     dword ptr [esp],SSZ00014BAE_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    esi                             ; Irp
        push    [esp+14h]                       ; Fdo (arg 1, after four pushes)
        call    SUB_L000149B2
        push    SSZ00014BB6_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     eax,C0000016h                   ; STATUS_MORE_PROCESSING_REQUIRED
L00014C3B:
        pop     edi
        pop     esi
        pop     ebx
        retn    000Ch
;------------------------------------------------------------------------------
Align 2
SSZ00014C42_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C4A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C52_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C5A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C62_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C6A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C72_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C7A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C82_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C8A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C92_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014C9A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014CA2_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00014CAA_TI_Msg_:
db 'TI Msg',0Ah,0 SSZ00014CB2_TI_Msg_: db 'TI Msg',0Ah,0 L00014CBA: push ebp mov ebp,esp push ebx push esi mov esi,[ebp+0Ch] mov eax,[esi+18h] push edi mov edi,[ebp+08h] mov ebx,[edi+28h] mov [ebp+0Ch],eax mov eax,[esi+60h] push SSZ00014C42_TI_Msg_ mov [ebp+08h],eax call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [esi+21h],00h pop ecx jz L00014CF8 push SSZ00014C4A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+60h] or byte ptr [eax+03h],01h pop ecx L00014CF8: cmp dword ptr [ebp+0Ch],00000000h jge L00014D32 push SSZ00014C52_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push esi call [ntoskrnl.exe!PoStartNextPowerIrp] cmp dword ptr [ebp+10h],00000000h jz L00014D21 push 00000000h push [ebp+10h] call [ntoskrnl.exe!ExFreePoolWithTag] L00014D21: push esi add ebx,00000024h push ebx call SUB_L00010774 xor eax,eax jmp L00014E69 L00014D32: mov eax,[ebp+08h] cmp byte ptr [eax+01h],02h jnz L00014E28 mov eax,[ebp+10h] mov ecx,[eax+04h] cmp ecx,[eax] jge L00014DCD push SSZ00014C5A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000001h push edi call SUB_L000147B8 push SSZ00014C62_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx xor eax,eax inc eax push eax push eax push edi call [ntoskrnl.exe!PoSetPowerState] push SSZ00014C6A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000008h call SUB_L000142D0 mov edi,eax test edi,edi jz L00014DC3 push [ebx] call jmp_ntoskrnl.exe!IoAllocateWorkItem test eax,eax mov [edi],eax jz L00014DAF push edi push 00000000h push L00014584 push eax mov [edi+04h],ebx call jmp_ntoskrnl.exe!IoQueueWorkItem jmp L00014DC3 L00014DAF: push 00000000h push edi call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ00014C72_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L00014DC3: and dword ptr [esi+18h],00000000h and dword ptr [esi+1Ch],00000000h jmp L00014E10 L00014DCD: push SSZ00014C7A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014C82_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014C8A_TI_Msg_ call 
jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000004h push edi call SUB_L000147B8 push SSZ00014C92_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000004h pop eax push eax push 00000001h push edi call [ntoskrnl.exe!PoSetPowerState] L00014E10: push SSZ00014C9A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000000h push [ebp+10h] call [ntoskrnl.exe!ExFreePoolWithTag] jmp L00014E33 L00014E28: push SSZ00014CA2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L00014E33: push SSZ00014CAA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push esi call [ntoskrnl.exe!PoStartNextPowerIrp] xor dl,dl mov ecx,esi call [ntoskrnl.exe!IofCompleteRequest] push esi add ebx,00000024h push ebx call SUB_L00010774 push SSZ00014CB2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov eax,C0000016h L00014E69: pop edi pop esi pop ebx pop ebp retn 000Ch ;------------------------------------------------------------------------------ SSZ00014E70_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014E78_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014E80_TI_Msg_: db 'TI Msg',0Ah,0 L00014E88: push esi mov esi,[esp+0Ch] push edi push [esi] mov edi,[esi+04h] call jmp_ntoskrnl.exe!IoFreeWorkItem push SSZ00014E70_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000000h push 00000000h xor eax,eax push 00000000h inc eax push eax push 00000002h push edi call [ntoskrnl.exe!PoRequestPowerIrp] cmp eax,00000103h jz L00014EC8 push SSZ00014E78_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L00014EC8: push SSZ00014E80_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000000h push esi call [ntoskrnl.exe!ExFreePoolWithTag] pop edi pop esi retn 0008h ;------------------------------------------------------------------------------ Align 2 SSZ00014EE2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014EEA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014EF2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014EFA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F02_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F0A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F12_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F1A_TI_Msg_: db 'TI 
Msg',0Ah,0 SSZ00014F22_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F2A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F32_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F3A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F42_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F4A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F52_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F5A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F62_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F6A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F72_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F7A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F82_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F8A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F92_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014F9A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014FA2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014FAA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014FB2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014FBA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014FC2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014FCA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014FD2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014FDA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014FE2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00014FEA_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00014FF2: push ebp mov ebp,esp sub esp,0000000Ch mov eax,[ebp+08h] push ebx mov ebx,[ebp+0Ch] push esi mov esi,[eax+28h] push edi mov edi,[ebx+60h] mov eax,[edi+0Ch] push SSZ00014EE2_TI_Msg_ mov [ebp-04h],esi mov [ebp-08h],eax call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+10h] cmp eax,00000005h pop ecx jz L000153C1 cmp eax,00000004h jz L000153C1 test eax,eax jnz L00015063 push SSZ00014EEA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push ebx call [ntoskrnl.exe!PoStartNextPowerIrp] inc [ebx+23h] add dword ptr [ebx+60h],00000024h push ebx push [esi+08h] call [ntoskrnl.exe!PoCallDriver] mov esi,eax push SSZ00014EF2_TI_Msg_ jmp L000153EA L00015063: lea eax,[esi+24h] push ebx push eax mov [ebp+0Ch],eax call SUB_L00010740 test eax,eax mov [ebp-0Ch],eax jge L000150A5 push SSZ00014EFA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push ebx call [ntoskrnl.exe!PoStartNextPowerIrp] xor dl,dl mov ecx,ebx call [ntoskrnl.exe!IofCompleteRequest] push SSZ00014F02_TI_Msg_ 
call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp-0Ch] jmp L000153F1 L000150A5: movzx eax,[edi+01h] dec eax cmp dword ptr [edi+08h],00000000h jnz L0001526E dec eax jz L0001511F dec eax jz L000150C4 push SSZ00014F0A_TI_Msg_ jmp L0001527D L000150C4: push SSZ00014F12_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014F1A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+60h] or byte ptr [eax+03h],01h mov esi,[ebx+60h] pop ecx lea eax,[esi-24h] push 00000007h mov edi,eax pop ecx rep movsd and byte ptr [eax+03h],00h mov eax,[ebx+60h] and dword ptr [eax-04h],00000000h sub eax,00000024h mov dword ptr [eax+1Ch],L00014BBE mov byte ptr [eax+03h],E0h mov eax,[ebp-04h] push ebx push [eax+08h] call [ntoskrnl.exe!PoCallDriver] push SSZ00014F22_TI_Msg_ jmp L000153B5 L0001511F: push SSZ00014F2A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014F32_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push [ebp-08h] push [ebp+08h] call SUB_L0001485A cmp dword ptr [ebp-08h],00000001h jnz L0001522A push SSZ00014F3A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014F42_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014F4A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014F52_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 0000000Ch call SUB_L000142D0 mov edi,eax test edi,edi jz L000151C6 push [ebp+08h] call jmp_ntoskrnl.exe!IoAllocateWorkItem test eax,eax mov [edi],eax jz L000151B0 mov ecx,[esi+3Ch] mov [edi+04h],ecx xor ecx,ecx push edi inc ecx push ecx push L00014E88 push eax mov [edi+08h],ecx call jmp_ntoskrnl.exe!IoQueueWorkItem jmp L000151E5 L000151B0: push SSZ00014F5A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000000h push edi call [ntoskrnl.exe!ExFreePoolWithTag] jmp L000151D1 L000151C6: push SSZ00014F62_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L000151D1: xor ecx,ecx push ecx push ecx xor eax,eax push ecx inc eax push eax push 00000002h push [esi+3Ch] call 
[ntoskrnl.exe!PoRequestPowerIrp] L000151E5: push ebx call [ntoskrnl.exe!PoStartNextPowerIrp] inc [ebx+23h] add dword ptr [ebx+60h],00000024h push ebx push [esi+08h] call [ntoskrnl.exe!PoCallDriver] push ebx push [ebp+0Ch] mov esi,eax call SUB_L00010774 push SSZ00014F6A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014F72_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014F7A_TI_Msg_ jmp L000153EA L0001522A: mov eax,[ebx+60h] or byte ptr [eax+03h],01h mov esi,[ebx+60h] lea eax,[esi-24h] push 00000007h mov edi,eax pop ecx rep movsd and byte ptr [eax+03h],00h mov eax,[ebx+60h] and dword ptr [eax-04h],00000000h sub eax,00000024h mov dword ptr [eax+1Ch],L00014BBE mov byte ptr [eax+03h],E0h mov eax,[ebp-04h] push ebx push [eax+08h] call [ntoskrnl.exe!PoCallDriver] push SSZ00014F82_TI_Msg_ jmp L000153B5 L0001526E: dec eax jz L00015316 dec eax jz L000152BB push SSZ00014F8A_TI_Msg_ L0001527D: call jmp_ntoskrnl.exe!DbgPrint pop ecx push SSZ00014F92_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push ebx call [ntoskrnl.exe!PoStartNextPowerIrp] inc [ebx+23h] add dword ptr [ebx+60h],00000024h push ebx push [esi+08h] call [ntoskrnl.exe!PoCallDriver] push ebx push [ebp+0Ch] mov esi,eax call SUB_L00010774 push SSZ00014F9A_TI_Msg_ jmp L000153EA L000152BB: push SSZ00014FA2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014FAA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+60h] or byte ptr [eax+03h],01h mov esi,[ebx+60h] pop ecx lea eax,[esi-24h] push 00000007h mov edi,eax pop ecx rep movsd and byte ptr [eax+03h],00h mov eax,[ebx+60h] and dword ptr [eax-04h],00000000h sub eax,00000024h mov dword ptr [eax+1Ch],L00014CBA mov byte ptr [eax+03h],E0h mov eax,[ebp-04h] push ebx push [eax+08h] call [ntoskrnl.exe!PoCallDriver] push SSZ00014FB2_TI_Msg_ jmp L000153B5 L00015316: push SSZ00014FBA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00014FC2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000008h call 
; NOTE(review): this span opens inside SUB_L00014FF2 (entry above this view;
; ebx = IRP, esi = extension, [ebp-04h]/[ebp-08h]/[ebp+0Ch] are locals set
; above).  The first token is the operand of the "call" that ends the previous
; line.  SUB_L000142D0 is used with a size argument and its result is
; NULL-checked and later freed with ExFreePoolWithTag, so it looks like a pool
; allocation wrapper — verify.
SUB_L000142D0
test eax,eax
jnz L0001536C
; Allocation failed: complete the power IRP with STATUS_INSUFFICIENT_RESOURCES.
push SSZ00014FCA_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
pop ecx
push ebx
call [ntoskrnl.exe!PoStartNextPowerIrp]
mov esi,C000009Ah                               ; STATUS_INSUFFICIENT_RESOURCES (also the return value via L000153EA)
xor dl,dl
mov ecx,ebx
mov [ebx+18h],esi                               ; Irp->IoStatus.Status
call [ntoskrnl.exe!IofCompleteRequest]          ; (Irp, IO_NO_INCREMENT)
push ebx
push [ebp+0Ch]
call SUB_L00010774                              ; presumably a remove-lock release — verify
push SSZ00014FD2_TI_Msg_
jmp L000153EA
L0001536C:
; eax = new 8-byte context: [0] = extension field +1Ch, [4] = local [ebp-08h]
mov ecx,[esi+1Ch]
mov [eax],ecx
mov ecx,[ebp-08h]
mov [eax+04h],ecx
mov ecx,[ebx+60h]                               ; ecx = Irp->Tail.Overlay.CurrentStackLocation
or byte ptr [ecx+03h],01h                       ; Control |= SL_PENDING_RETURNED (IoMarkIrpPending)
mov esi,[ebx+60h]
lea edx,[esi-24h]                               ; next stack location (sizeof IO_STACK_LOCATION = 24h)
push 00000007h
pop ecx
mov edi,edx
rep movsd                                       ; copy 7 dwords: IoCopyCurrentIrpStackLocationToNext
and byte ptr [edx+03h],00h                      ; next->Control = 0
mov ecx,[ebx+60h]
sub ecx,00000024h
mov [ecx+20h],eax                               ; next->Context = context block
mov eax,[ebp-04h]
push ebx
mov dword ptr [ecx+1Ch],L00014CBA               ; next->CompletionRoutine
mov byte ptr [ecx+03h],E0h                      ; invoke on success | error | cancel
push [eax+08h]                                  ; lower device object (+08h of [ebp-04h])
call [ntoskrnl.exe!PoCallDriver]
push SSZ00014FDA_TI_Msg_
L000153B5:
call jmp_ntoskrnl.exe!DbgPrint
mov eax,00000103h                               ; return STATUS_PENDING
jmp L000153F1
L000153C1:
; Reached when the extension state [esi+10h] is 4 or 5 (tested above this view):
; reject the power IRP with STATUS_DELETE_PENDING.
push SSZ00014FE2_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
pop ecx
push ebx
call [ntoskrnl.exe!PoStartNextPowerIrp]
mov esi,C0000056h                               ; STATUS_DELETE_PENDING
xor dl,dl
mov ecx,ebx
mov [ebx+18h],esi
call [ntoskrnl.exe!IofCompleteRequest]
push SSZ00014FEA_TI_Msg_
L000153EA:
call jmp_ntoskrnl.exe!DbgPrint
mov eax,esi                                     ; return the status kept in esi
L000153F1:
pop ecx                                         ; cleans the DbgPrint argument
pop edi
pop esi
pop ebx
leave
retn 0008h
;------------------------------------------------------------------------------
Align 2
SSZ000153FA_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00015402_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001540A_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L00015412 — PMDL LockBuffer(PVOID VirtualAddress, ULONG Length, BOOLEAN ReadOnly)
; stdcall, retn 0Ch.  Builds an MDL for the buffer and probes/locks its pages
; inside a compiler SEH frame (the "push 10h / push L00023000 / call
; SUB_L00021128" sequence is the MSVC __SEH_prolog shape; L00023000 is the
; scope table).  Locals after the prolog: [ebp-04h] = try level,
; [ebp-14h] = exception pointers, [ebp-18h] = saved esp, [ebp-1Ch] = MDL,
; [ebp-20h] = captured exception code.
; Out:  eax = MDL on success, NULL if allocation failed or probing raised.
;------------------------------------------------------------------------------
SUB_L00015412:
push 00000010h
push L00023000
call SUB_L00021128                              ; SEH prolog: sets up ebp, registration record, saves esp
xor ebx,ebx
push ebx                                        ; Irp = NULL
push ebx                                        ; ChargeQuota = FALSE
push ebx                                        ; SecondaryBuffer = FALSE
push [ebp+0Ch]                                  ; Length
push [ebp+08h]                                  ; VirtualAddress
call [ntoskrnl.exe!IoAllocateMdl]
mov esi,eax
mov [ebp-1Ch],esi                               ; keep the MDL where the handler can find it
cmp esi,ebx
jz L00015486
mov [ebp-04h],ebx                               ; __try { (try level 0)
push SSZ000153FA_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
pop ecx
xor eax,eax
cmp [ebp+10h],bl
setz al                                         ; Operation = (ReadOnly == 0) ? IoWriteAccess(1) : IoReadAccess(0)
push eax
push ebx                                        ; AccessMode = 0 = KernelMode
push esi                                        ; Mdl
; NOTE(review): probing in KernelMode skips the user-address range check.  If
; VirtualAddress can originate from a user request (METHOD_NEITHER / direct
; pointer), the caller must already have validated the range; confirm that, or
; this should pass the requestor mode instead.
call [ntoskrnl.exe!MmProbeAndLockPages]
L00015457:
or dword ptr [ebp-04h],FFFFFFFFh                ; } leave __try (try level -1)
jmp L00015491
L0001545D:
; Exception filter: capture ExceptionPointers->ExceptionRecord->ExceptionCode
; into [ebp-20h] and return 1 (EXCEPTION_EXECUTE_HANDLER).
mov eax,[ebp-14h]
mov eax,[eax]
mov eax,[eax]
mov [ebp-20h],eax
xor eax,eax
inc eax
retn
;------------------------------------------------------------------------------
L0001546B:
; __except handler: restore esp, free the MDL that was never locked, return NULL.
mov esp,[ebp-18h]
push SSZ00015402_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
pop ecx
push [ebp-1Ch]
call [ntoskrnl.exe!IoFreeMdl]
xor esi,esi                                     ; result = NULL
jmp L00015457
L00015486:
; IoAllocateMdl returned NULL (esi already 0).
push SSZ0001540A_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
pop ecx
L00015491:
mov eax,esi                                     ; return the MDL (or NULL)
call SUB_L00021161                              ; SEH epilog (unlinks the registration record)
retn 000Ch
;------------------------------------------------------------------------------
Align 4
SSZ0001549C_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L000154A4 — void UnlockAndFreeMdl(PMDL Mdl)
; MmUnlockPages(Mdl) is a normal call (stdcall, it pops its own copy of the
; argument), after which control falls into the IoFreeMdl import thunk: the
; caller's argument is still at [esp+04h], so IoFreeMdl(Mdl) runs as a tail
; call and its "retn 4" returns to our caller.  Pair this with SUB_L00015412.
;------------------------------------------------------------------------------
SUB_L000154A4:
push SSZ0001549C_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
pop ecx
push [esp+04h]                                  ; Mdl
call [ntoskrnl.exe!MmUnlockPages]
jmp_ntoskrnl.exe!IoFreeMdl:                     ; shared import thunk; also reached from other call sites
jmp [ntoskrnl.exe!IoFreeMdl]
Align 4
SSZ000154C0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000154C8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000154D0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000154D8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000154E0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000154E8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000154F0_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000154F8_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00015500_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00015508_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00015510_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00015518_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00015520_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00015528_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00015530_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00015538_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L00015540 — work-item callback (stdcall, two args: [ebp+08h] = DeviceObject,
; [ebp+0Ch] = work context).  The body continues far below this view; only the
; prologue and first decision are visible here.
; Context layout as read below: +08h, +0Ch, +10h (-> [ebp-08h]), +14h (esi,
; per-request state), +18h (byte flag), +1Ch (pointer whose +0Ch is edi).
;------------------------------------------------------------------------------
L00015540:
push ebp
mov ebp,esp
sub esp,00000034h
push ebx
mov ebx,[ebp+0Ch]                               ; ebx = work context
push esi
mov esi,[ebx+14h]                               ; esi = state block
push edi
xor ecx,ecx
push ecx                                        ; Timeout = NULL
push ecx                                        ; Alertable = FALSE
push ecx                                        ; WaitMode = KernelMode
lea eax,[esi+000001A4h]
push ecx                                        ; WaitReason = Executive
push eax                                        ; Object = state+1A4h (released later with KeReleaseMutex, so a KMUTEX)
mov [ebp-14h],eax
call [ntoskrnl.exe!KeWaitForSingleObject]
mov eax,[ebx+10h]
mov edx,[esi+00000248h]
mov cl,[ebx+18h]
mov [ebp-08h],eax
mov eax,[ebx+08h]
mov [ebp-1Ch],eax
mov eax,[ebx+0Ch]
shr edx,09h                                     ; [esi+248h] >> 9: byte count to 512-byte units
test cl,cl
mov [ebp-10h],edx
mov dl,[esi+40h]
mov [ebp-18h],eax
mov eax,[ebx+1Ch]
mov edi,[eax+0Ch]                               ; edi = request block (its +18h/+02h/+0Ch are updated below this view)
mov [ebp-02h],cl                                ; flag byte from context+18h
mov [ebp-20h],eax
mov [ebp-0Ch],dl
jz L0001566F                                    ; flag clear -> second variant of the same sequence
push SSZ000154C0_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
cmp byte ptr [esi+00000260h],00h
pop ecx
jnz L0001564D
mov                                             ; operands continue on the next line (mov al,[edi+1Eh])
al,[edi+1Eh] mov [ebp-34h],al xor eax,eax mov ah,[edi+1Fh] movzx ecx,[edi+21h] mov al,[edi+20h] shl eax,08h or eax,ecx movzx ecx,[edi+22h] shl eax,08h or eax,ecx mov [ebp-30h],eax xor eax,eax mov ah,[edi+23h] movzx ecx,[edi+25h] mov al,[edi+24h] shl eax,08h or eax,ecx mov [ebp-2Ch],eax mov al,[edi+26h] shr al,04h mov [ebp-28h],al mov al,[edi+26h] and al,08h cmp al,08h setz al mov [ebp-27h],al mov al,[edi+26h] and al,04h cmp al,04h setz al mov [ebp-26h],al mov al,[edi+26h] and al,02h cmp al,02h setz al mov [ebp-25h],al mov al,[edi+26h] and al,01h dec al neg al sbb al,al inc al mov [ebp-24h],al lea eax,[ebp-10h] push eax push [ebp-1Ch] lea eax,[ebp-34h] push eax mov eax,[ebp-08h] push [ebp-0Ch] mov ecx,[eax+000001B8h] call SUB_L00017C52 jmp L00015665 L0001564D: lea eax,[ebp-10h] push eax push [ebp-1Ch] mov eax,[ebp-08h] push [ebp-0Ch] mov ecx,[eax+000001B8h] call SUB_L00017C92 L00015665: push SSZ000154C8_TI_Msg_ jmp L00015739 L0001566F: push SSZ000154D0_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [esi+00000260h],00h pop ecx jnz L0001571C mov al,[edi+1Eh] mov [ebp-34h],al xor eax,eax mov ah,[edi+1Fh] movzx ecx,[edi+21h] mov al,[edi+20h] shl eax,08h or eax,ecx movzx ecx,[edi+22h] shl eax,08h or eax,ecx mov [ebp-30h],eax xor eax,eax mov ah,[edi+23h] movzx ecx,[edi+25h] mov al,[edi+24h] shl eax,08h or eax,ecx mov [ebp-2Ch],eax mov al,[edi+26h] shr al,04h mov [ebp-28h],al mov al,[edi+26h] and al,08h cmp al,08h setz al mov [ebp-27h],al mov al,[edi+26h] and al,04h cmp al,04h setz al mov [ebp-26h],al mov al,[edi+26h] and al,02h cmp al,02h setz al mov [ebp-25h],al mov al,[edi+26h] and al,01h dec al neg al sbb al,al inc al mov [ebp-24h],al lea eax,[ebp-10h] push eax push [ebp-1Ch] lea eax,[ebp-34h] push eax mov eax,[ebp-08h] push [ebp-0Ch] mov ecx,[eax+000001B8h] call SUB_L00017C52 jmp L00015734 L0001571C: lea eax,[ebp-10h] push eax push [ebp-1Ch] mov eax,[ebp-08h] push [ebp-0Ch] mov ecx,[eax+000001B8h] call SUB_L00017C92 L00015734: push SSZ000154D8_TI_Msg_ L00015739: 
mov [ebp-01h],al call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [ebp-02h],00h movzx eax,[ebp-0Ch] pop ecx mov ecx,[ebp-08h] setz [ebp-18h] push [ebp-18h] lea eax,[ecx+eax*4+00000190h] push [esi+00000248h] mov [ebp-0Ch],eax push [esi+00000258h] mov eax,[eax] push [esi+0000025Ch] mov ecx,[eax+04h] push [esi+00000280h] push eax call [ecx+14h] push SSZ000154E0_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [ebp-01h],00h pop ecx jz L0001586A push 00000000h push [ebp-14h] call [ntoskrnl.exe!KeReleaseMutex] mov eax,[edi+18h] add eax,edi cmp byte ptr [ebp-01h],C1h mov byte ptr [edi+02h],02h mov cl,[eax+02h] jnz L000157B9 and cl,F7h or cl,07h jmp L000157CD L000157B9: cmp byte ptr [ebp-01h],82h jnz L000157C7 and cl,F5h or cl,05h jmp L000157CD L000157C7: and cl,F4h or cl,04h L000157CD: mov [eax+02h],cl and dword ptr [edi+0Ch],00000000h and byte ptr [esi+00000260h],00h mov cl,02h call [HAL.dll!KfRaiseIrql] push [esi+00000254h] mov [ebp+0Fh],al mov eax,[ebp-0Ch] mov eax,[eax] push [esi+0000025Ch] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,[ebp+0Fh] call [HAL.dll!KfLowerIrql] push SSZ000154E8_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+00000280h] xor edi,edi cmp eax,edi pop ecx jz L00015849 lea ecx,[esi+00000284h] cmp byte ptr [ecx],00h jz L00015849 and byte ptr [ecx],00h cmp byte ptr [esi+0000027Dh],00h push eax jz L0001583D call SUB_L000154A4 jmp L00015843 L0001583D: call [ntoskrnl.exe!IoFreeMdl] L00015843: mov [esi+00000280h],edi L00015849: push [ebx] call jmp_ntoskrnl.exe!IoFreeWorkItem push edi push ebx call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ000154F0_TI_Msg_ L0001585D: call jmp_ntoskrnl.exe!DbgPrint pop ecx push edi push edi jmp L00015AAC L0001586A: mov eax,[esi+00000248h] sub [esi+00000250h],eax add [esi+0000024Ch],eax push SSZ000154F8_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+00000250h] test eax,eax pop ecx jz L00015ABE lea ebx,[esi+00000248h] mov ecx,[ebx] add [esi+00000258h],ecx mov ecx,00006000h cmp eax,ecx jbe L000158B5 mov [ebx],ecx 
push SSZ00015500_TI_Msg_ jmp L000158BC L000158B5: mov [ebx],eax push SSZ00015508_TI_Msg_ L000158BC: call jmp_ntoskrnl.exe!DbgPrint pop ecx push SSZ00015510_TI_Msg_ mov byte ptr [esi+00000260h],01h call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp-0Ch] mov eax,[eax] pop ecx push [ebp-18h] mov ecx,[eax+04h] push ebx push [esi+00000258h] push [esi+0000025Ch] push [esi+00000280h] push eax call [ecx+20h] push SSZ00015518_TI_Msg_ mov [ebp-1Ch],eax mov [ebp-18h],edx call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000020h call SUB_L000142D0 mov ebx,eax test ebx,ebx jz L00015A08 mov eax,[ebp-08h] push [eax] call jmp_ntoskrnl.exe!IoAllocateWorkItem test eax,eax mov [ebx],eax jz L00015961 mov ecx,[ebp-1Ch] mov [ebx+08h],ecx mov ecx,[ebp-18h] mov [ebx+0Ch],ecx mov ecx,[ebp-08h] push ebx mov [ebx+10h],ecx mov cl,[ebp-02h] push 00000000h mov [ebx+18h],cl mov ecx,[ebp-20h] push L00015540 push eax mov [ebx+14h],esi mov [ebx+1Ch],ecx call jmp_ntoskrnl.exe!IoQueueWorkItem mov ebx,[ebp+0Ch] xor edi,edi jmp L00015B55 L00015961: push 00000000h push [ebp-14h] call [ntoskrnl.exe!KeReleaseMutex] mov eax,[edi+18h] add eax,edi mov byte ptr [edi+02h],02h mov cl,[eax+02h] xor edi,edi and cl,F5h push edi or cl,05h push ebx mov ebx,[ntoskrnl.exe!ExFreePoolWithTag] mov [eax+02h],cl call ebx mov cl,02h call [HAL.dll!KfRaiseIrql] push [esi+00000254h] mov [ebp-02h],al mov eax,[ebp-0Ch] mov eax,[eax] push [esi+0000025Ch] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,[ebp-02h] call [HAL.dll!KfLowerIrql] mov eax,[esi+00000280h] cmp eax,edi jz L000159EE lea ecx,[esi+00000284h] cmp byte ptr [ecx],00h jz L000159EE and byte ptr [ecx],00h cmp byte ptr [esi+0000027Dh],00h push eax jz L000159E2 call SUB_L000154A4 jmp L000159E8 L000159E2: call [ntoskrnl.exe!IoFreeMdl] L000159E8: mov [esi+00000280h],edi L000159EE: mov eax,[ebp+0Ch] push [eax] call jmp_ntoskrnl.exe!IoFreeWorkItem push edi push [ebp+0Ch] call ebx push SSZ00015520_TI_Msg_ jmp L0001585D L00015A08: mov eax,[edi+18h] add eax,edi mov byte ptr 
[edi+02h],02h mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov cl,02h call [HAL.dll!KfRaiseIrql] push [esi+00000254h] mov bl,al mov eax,[ebp-0Ch] mov eax,[eax] push [esi+0000025Ch] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,bl call [HAL.dll!KfLowerIrql] mov eax,[esi+00000280h] xor ebx,ebx cmp eax,ebx jz L00015A7B lea ecx,[esi+00000284h] cmp [ecx],bl jz L00015A7B and [ecx],bl cmp [esi+0000027Dh],bl push eax jz L00015A6F call SUB_L000154A4 jmp L00015A75 L00015A6F: call [ntoskrnl.exe!IoFreeMdl] L00015A75: mov [esi+00000280h],ebx L00015A7B: mov edi,[ntoskrnl.exe!ExFreePoolWithTag] push ebx push ebx call edi mov eax,[ebp+0Ch] push [eax] call jmp_ntoskrnl.exe!IoFreeWorkItem push ebx push [ebp+0Ch] call edi push SSZ00015528_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push ebx push [ebp-14h] call [ntoskrnl.exe!KeReleaseMutex] push ebx push ebx L00015AAC: add esi,0000026Ch push esi call [ntoskrnl.exe!KeSetEvent] jmp L00015B79 L00015ABE: mov eax,[esi+0000024Ch] mov cl,02h mov [ebp-20h],eax call [HAL.dll!KfRaiseIrql] push [esi+00000254h] mov [ebp+0Fh],al mov eax,[ebp-0Ch] mov eax,[eax] push [esi+0000025Ch] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,[ebp+0Fh] call [HAL.dll!KfLowerIrql] and byte ptr [esi+00000260h],00h mov eax,[ebp-20h] and byte ptr [edi+02h],00h mov [edi+0Ch],eax mov eax,[esi+00000280h] xor edi,edi cmp eax,edi jz L00015B3B lea ecx,[esi+00000284h] cmp byte ptr [ecx],00h jz L00015B3B and byte ptr [ecx],00h cmp byte ptr [esi+0000027Dh],00h push eax jz L00015B2F call SUB_L000154A4 jmp L00015B35 L00015B2F: call [ntoskrnl.exe!IoFreeMdl] L00015B35: mov [esi+00000280h],edi L00015B3B: push edi push edi add esi,0000026Ch push esi call [ntoskrnl.exe!KeSetEvent] push SSZ00015530_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L00015B55: push [ebx] call jmp_ntoskrnl.exe!IoFreeWorkItem push edi push ebx call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ00015538_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push edi push [ebp-14h] call 
[ntoskrnl.exe!KeReleaseMutex] L00015B79: pop edi pop esi pop ebx leave retn 0008h ;------------------------------------------------------------------------------ SSZ00015B80_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015B88_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015B90_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015B98_TI_Msg_: db 'TI Msg',0Ah,0 L00015BA0: push ebp mov ebp,esp sub esp,00000010h mov eax,[ebp+08h] push ebx mov ebx,[eax+28h] push esi lea ecx,[ebx+00000138h] push edi mov [ebp-08h],ecx call [ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] mov esi,[ebp+14h] cmp byte ptr [esi+00000268h],00h mov eax,[esi+00000264h] mov edi,[ebp+10h] setnz [ebp+17h] cmp byte ptr [ebp+17h],00h mov [ebp-04h],eax mov eax,[esi+40h] setz dl mov [esi+0000025Ch],edi mov eax,[ebx+eax*4+00000190h] mov ecx,[eax+04h] push edx lea edx,[esi+00000248h] push edx push [esi+00000258h] push edi push [esi+00000280h] push eax call [ecx+20h] push SSZ00015B80_TI_Msg_ mov [ebp-10h],eax mov [ebp-0Ch],edx call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000020h call SUB_L000142D0 mov edi,eax test edi,edi jz L00015C75 push [ebp+08h] call jmp_ntoskrnl.exe!IoAllocateWorkItem test eax,eax mov [edi],eax jz L00015C65 mov ecx,[ebp-10h] mov [edi+08h],ecx mov ecx,[ebp-0Ch] push edi mov [edi+0Ch],ecx mov cl,[ebp+17h] push 00000000h mov [edi+18h],cl mov ecx,[ebp-04h] push L00015540 push eax mov [edi+10h],ebx mov [edi+14h],esi mov [edi+1Ch],ecx call jmp_ntoskrnl.exe!IoQueueWorkItem jmp L00015C80 L00015C65: push 00000000h push edi call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ00015B88_TI_Msg_ jmp L00015C7A L00015C75: push SSZ00015B90_TI_Msg_ L00015C7A: call jmp_ntoskrnl.exe!DbgPrint pop ecx L00015C80: push SSZ00015B98_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,[ebp-08h] call [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] push 00000003h pop eax pop edi pop esi pop ebx leave retn 0010h ;------------------------------------------------------------------------------ SSZ00015C9E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CA6_TI_Msg_: db 'TI 
Msg',0Ah,0 SSZ00015CAE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CB6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CBE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CC6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CCE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CD6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CDE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CE6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CEE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CF6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015CFE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015D06_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015D0E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00015D16_TI_Msg_: db 'TI Msg',0Ah,0 L00015D1E: push ebp mov ebp,esp sub esp,00000020h push ebx mov ebx,[ebp+0Ch] push esi mov esi,[ebx+14h] push edi xor ecx,ecx push ecx push ecx push ecx lea eax,[esi+000001A4h] push ecx push eax mov [ebp-14h],eax call [ntoskrnl.exe!KeWaitForSingleObject] mov eax,[ebx+10h] mov edx,[esi+00000248h] mov cl,[ebx+18h] mov [ebp-08h],eax mov eax,[ebx+08h] mov [ebp-1Ch],eax mov eax,[ebx+0Ch] shr edx,09h test cl,cl mov [ebp-10h],edx mov edx,[esi+40h] mov [ebp-18h],eax mov eax,[ebx+1Ch] mov edi,[eax+0Ch] mov [ebp-02h],cl mov [ebp-20h],eax mov [ebp-0Ch],edx jz L00015DD0 push SSZ00015C9E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [esi+00000260h],00h pop ecx lea eax,[ebp-10h] push eax push [ebp-1Ch] jnz L00015DB8 xor eax,eax mov ax,[esi+0000028Ch] push eax push [esi+00000288h] mov eax,[ebp-08h] push [ebp-0Ch] mov ecx,[eax+000001B8h] call SUB_L000179FA jmp L00015DC9 L00015DB8: mov eax,[ebp-08h] push [ebp-0Ch] mov ecx,[eax+000001B8h] call SUB_L00017A88 L00015DC9: push SSZ00015CA6_TI_Msg_ jmp L00015E24 L00015DD0: push SSZ00015CAE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [esi+00000260h],00h pop ecx lea eax,[ebp-10h] push eax push [ebp-1Ch] jnz L00015E0E xor eax,eax mov ax,[esi+0000028Ch] push eax push [esi+00000288h] mov eax,[ebp-08h] push [ebp-0Ch] mov ecx,[eax+000001B8h] call SUB_L00017B10 jmp L00015E1F L00015E0E: mov eax,[ebp-08h] push [ebp-0Ch] mov ecx,[eax+000001B8h] call SUB_L00017B9E L00015E1F: push 
SSZ00015CB6_TI_Msg_ L00015E24: mov [ebp-01h],al call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [ebp-02h],00h mov eax,[ebp-08h] pop ecx mov ecx,[ebp-0Ch] setz [ebp-18h] push [ebp-18h] lea eax,[eax+ecx*4+00000190h] push [esi+00000248h] mov [ebp-0Ch],eax push [esi+00000258h] mov eax,[eax] push [esi+0000025Ch] mov ecx,[eax+04h] push [esi+00000280h] push eax call [ecx+14h] push SSZ00015CBE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [ebp-01h],00h pop ecx jz L00015F54 push 00000000h push [ebp-14h] call [ntoskrnl.exe!KeReleaseMutex] mov eax,[edi+18h] add eax,edi cmp byte ptr [ebp-01h],C1h mov byte ptr [edi+02h],02h mov cl,[eax+02h] jnz L00015EA3 and cl,F7h or cl,07h jmp L00015EB7 L00015EA3: cmp byte ptr [ebp-01h],82h jnz L00015EB1 and cl,F5h or cl,05h jmp L00015EB7 L00015EB1: and cl,F4h or cl,04h L00015EB7: mov [eax+02h],cl and dword ptr [edi+0Ch],00000000h and byte ptr [esi+00000260h],00h mov cl,02h call [HAL.dll!KfRaiseIrql] push [esi+00000254h] mov [ebp+0Fh],al mov eax,[ebp-0Ch] mov eax,[eax] push [esi+0000025Ch] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,[ebp+0Fh] call [HAL.dll!KfLowerIrql] push SSZ00015CC6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+00000280h] xor edi,edi cmp eax,edi pop ecx jz L00015F33 lea ecx,[esi+00000284h] cmp byte ptr [ecx],00h jz L00015F33 and byte ptr [ecx],00h cmp byte ptr [esi+0000027Dh],00h push eax jz L00015F27 call SUB_L000154A4 jmp L00015F2D L00015F27: call [ntoskrnl.exe!IoFreeMdl] L00015F2D: mov [esi+00000280h],edi L00015F33: push [ebx] call jmp_ntoskrnl.exe!IoFreeWorkItem push edi push ebx call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ00015CCE_TI_Msg_ L00015F47: call jmp_ntoskrnl.exe!DbgPrint pop ecx push edi push edi jmp L0001619B L00015F54: mov eax,[esi+00000248h] sub [esi+00000250h],eax add [esi+0000024Ch],eax push SSZ00015CD6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+00000250h] test eax,eax pop ecx jz L000161AD lea ebx,[esi+00000248h] mov ecx,[ebx] add [esi+00000258h],ecx mov ecx,00006000h cmp eax,ecx 
jbe L00015F9F mov [ebx],ecx push SSZ00015CDE_TI_Msg_ jmp L00015FA6 L00015F9F: mov [ebx],eax push SSZ00015CE6_TI_Msg_ L00015FA6: call jmp_ntoskrnl.exe!DbgPrint pop ecx push SSZ00015CEE_TI_Msg_ mov byte ptr [esi+00000260h],01h call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp-0Ch] mov eax,[eax] pop ecx push [ebp-18h] mov ecx,[eax+04h] push ebx push [esi+00000258h] push [esi+0000025Ch] push [esi+00000280h] push eax call [ecx+20h] push SSZ00015CF6_TI_Msg_ mov [ebp-1Ch],eax mov [ebp-18h],edx call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000020h call SUB_L000142D0 mov ebx,eax test ebx,ebx jz L000160F2 mov eax,[ebp-08h] push [eax] call jmp_ntoskrnl.exe!IoAllocateWorkItem test eax,eax mov [ebx],eax jz L0001604B mov ecx,[ebp-1Ch] mov [ebx+08h],ecx mov ecx,[ebp-18h] mov [ebx+0Ch],ecx mov ecx,[ebp-08h] push ebx mov [ebx+10h],ecx mov cl,[ebp-02h] push 00000000h mov [ebx+18h],cl mov ecx,[ebp-20h] push L00015D1E push eax mov [ebx+14h],esi mov [ebx+1Ch],ecx call jmp_ntoskrnl.exe!IoQueueWorkItem mov ebx,[ebp+0Ch] xor edi,edi jmp L00016244 L0001604B: push 00000000h push [ebp-14h] call [ntoskrnl.exe!KeReleaseMutex] mov eax,[edi+18h] add eax,edi mov byte ptr [edi+02h],02h mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov cl,02h call [HAL.dll!KfRaiseIrql] push [esi+00000254h] mov [ebp-02h],al mov eax,[ebp-0Ch] mov eax,[eax] push [esi+0000025Ch] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,[ebp-02h] call [HAL.dll!KfLowerIrql] xor edi,edi push edi push ebx mov ebx,[ntoskrnl.exe!ExFreePoolWithTag] call ebx mov eax,[esi+00000280h] cmp eax,edi jz L000160D8 lea ecx,[esi+00000284h] cmp byte ptr [ecx],00h jz L000160D8 and byte ptr [ecx],00h cmp byte ptr [esi+0000027Dh],00h push eax jz L000160CC call SUB_L000154A4 jmp L000160D2 L000160CC: call [ntoskrnl.exe!IoFreeMdl] L000160D2: mov [esi+00000280h],edi L000160D8: mov eax,[ebp+0Ch] push [eax] call jmp_ntoskrnl.exe!IoFreeWorkItem push edi push [ebp+0Ch] call ebx push SSZ00015CFE_TI_Msg_ jmp L00015F47 L000160F2: push 00000000h push 
[ebp-14h] call [ntoskrnl.exe!KeReleaseMutex] mov eax,[edi+18h] add eax,edi mov byte ptr [edi+02h],02h mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov cl,02h call [HAL.dll!KfRaiseIrql] push [esi+00000254h] mov bl,al mov eax,[ebp-0Ch] mov eax,[eax] push [esi+0000025Ch] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,bl call [HAL.dll!KfLowerIrql] mov eax,[esi+00000280h] xor edi,edi cmp eax,edi jz L00016173 lea ecx,[esi+00000284h] cmp byte ptr [ecx],00h jz L00016173 and byte ptr [ecx],00h cmp byte ptr [esi+0000027Dh],00h push eax jz L00016167 call SUB_L000154A4 jmp L0001616D L00016167: call [ntoskrnl.exe!IoFreeMdl] L0001616D: mov [esi+00000280h],edi L00016173: push edi push edi mov edi,[ntoskrnl.exe!ExFreePoolWithTag] call edi mov ebx,[ebp+0Ch] push [ebx] call jmp_ntoskrnl.exe!IoFreeWorkItem push 00000000h push ebx call edi push SSZ00015D06_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000000h push 00000000h L0001619B: add esi,0000026Ch push esi call [ntoskrnl.exe!KeSetEvent] jmp L00016268 L000161AD: mov eax,[esi+0000024Ch] mov cl,02h mov [ebp-20h],eax call [HAL.dll!KfRaiseIrql] push [esi+00000254h] mov [ebp+0Fh],al mov eax,[ebp-0Ch] mov eax,[eax] push [esi+0000025Ch] mov ecx,[eax+04h] push eax call [ecx+1Ch] mov cl,[ebp+0Fh] call [HAL.dll!KfLowerIrql] and byte ptr [esi+00000260h],00h mov eax,[ebp-20h] and byte ptr [edi+02h],00h mov [edi+0Ch],eax mov eax,[esi+00000280h] xor edi,edi cmp eax,edi jz L0001622A lea ecx,[esi+00000284h] cmp byte ptr [ecx],00h jz L0001622A and byte ptr [ecx],00h cmp byte ptr [esi+0000027Dh],00h push eax jz L0001621E call SUB_L000154A4 jmp L00016224 L0001621E: call [ntoskrnl.exe!IoFreeMdl] L00016224: mov [esi+00000280h],edi L0001622A: push edi push edi add esi,0000026Ch push esi call [ntoskrnl.exe!KeSetEvent] push SSZ00015D0E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L00016244: push [ebx] call jmp_ntoskrnl.exe!IoFreeWorkItem push edi push ebx call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ00015D16_TI_Msg_ call 
jmp_ntoskrnl.exe!DbgPrint pop ecx push edi push [ebp-14h] call [ntoskrnl.exe!KeReleaseMutex] L00016268: pop edi pop esi pop ebx leave retn 0008h ;------------------------------------------------------------------------------ Align 4 SSZ00016270_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016278_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016280_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016288_TI_Msg_: db 'TI Msg',0Ah,0 L00016290: push ebp mov ebp,esp sub esp,00000010h mov eax,[ebp+08h] push ebx mov ebx,[eax+28h] push esi lea ecx,[ebx+00000138h] push edi mov [ebp-08h],ecx call [ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] mov esi,[ebp+14h] cmp byte ptr [esi+00000268h],00h mov eax,[esi+00000264h] mov edi,[ebp+10h] setnz [ebp+17h] cmp byte ptr [ebp+17h],00h mov [ebp-04h],eax mov eax,[esi+40h] setz dl mov [esi+0000025Ch],edi mov eax,[ebx+eax*4+00000190h] mov ecx,[eax+04h] push edx lea edx,[esi+00000248h] push edx push [esi+00000258h] push edi push [esi+00000280h] push eax call [ecx+20h] push SSZ00016270_TI_Msg_ mov [ebp-10h],eax mov [ebp-0Ch],edx call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000020h call SUB_L000142D0 mov edi,eax test edi,edi jz L00016365 push [ebp+08h] call jmp_ntoskrnl.exe!IoAllocateWorkItem test eax,eax mov [edi],eax jz L00016355 mov ecx,[ebp-10h] mov [edi+08h],ecx mov ecx,[ebp-0Ch] push edi mov [edi+0Ch],ecx mov cl,[ebp+17h] push 00000000h mov [edi+18h],cl mov ecx,[ebp-04h] push L00015D1E push eax mov [edi+10h],ebx mov [edi+14h],esi mov [edi+1Ch],ecx call jmp_ntoskrnl.exe!IoQueueWorkItem jmp L00016370 L00016355: push 00000000h push edi call [ntoskrnl.exe!ExFreePoolWithTag] push SSZ00016278_TI_Msg_ jmp L0001636A L00016365: push SSZ00016280_TI_Msg_ L0001636A: call jmp_ntoskrnl.exe!DbgPrint pop ecx L00016370: push SSZ00016288_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,[ebp-08h] call [ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] push 00000003h pop eax pop edi pop esi pop ebx leave retn 0010h ;------------------------------------------------------------------------------ 
SSZ0001638E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016396_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001639E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000163A6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000163AE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000163B6_tiFalshMedia_SdDevice: db 'tiFalshMedia\SdDevice',0 Align 2 SSZ000163CE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000163D6_tiFalshMedia_SdDevice: db 'tiFalshMedia\SdDevice',0 Align 2 SSZ000163EE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000163F6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000163FE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016406_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001640E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016416_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001641E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016426_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001642E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016436_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001643E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016446_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001644E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016456_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001645E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016466_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001646E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016476_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001647E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016486_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001648E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016496_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001649E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000164A6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000164AE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000164B6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000164BE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000164C6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000164CE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000164D6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000164DE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000164E6_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L000164EE: push ebp mov ebp,esp sub esp,00000020h push ebx push esi mov esi,[ebp+0Ch] mov al,[esi+40h] push edi push SSZ0001638E_TI_Msg_ mov [ebp-04h],al call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,[ebp+08h] mov ebx,[ecx+0Ch] movzx eax,[ebx+1Ch] cmp eax,0000002Ah jg L0001689D jz L00016648 xor edi,edi cmp eax,edi jz L00016629 cmp eax,00000012h jz L00016590 cmp 
eax,0000001Dh jz L0001657D cmp eax,00000025h jz L0001654B cmp eax,00000028h jz L0001664A jmp L000168B9 L0001654B: mov edi,[ebx+14h] mov eax,[esi+5Ch] add edi,ebx dec eax push SSZ00016396_TI_Msg_ mov [ebp+10h],eax call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001639E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp+10h] mov [edi],eax mov eax,[esi+54h] mov [edi+04h],eax jmp L00016942 L0001657D: push SSZ000163A6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint and byte ptr [ebx+02h],00h jmp L00016BE9 L00016590: mov eax,[ebx+0Ch] cmp eax,0000001Eh jnc L000165C2 mov eax,[ebx+18h] add eax,ebx mov byte ptr [ebx+02h],02h mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov eax,[ebp+14h] push SSZ000163AE_TI_Msg_ mov [eax],edi call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L00016CC2 L000165C2: cmp eax,00000038h mov eax,[ebx+14h] push 00000005h pop ecx lea edi,[ebx+eax+08h] jnc L000165E7 mov esi,SSZ000163B6_tiFalshMedia_SdDevice rep movsd push SSZ000163CE_TI_Msg_ movsw call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L00016622 L000165E7: mov eax,[ebp+10h] push [ebp-04h] mov esi,SSZ000163D6_tiFalshMedia_SdDevice rep movsd movsw mov ecx,[eax+000001B8h] call SUB_L00017D52 push 00000005h pop ecx mov esi,eax mov eax,[ebx+14h] lea edi,[ebp-20h] rep movsd push 00000005h lea edi,[ebx+eax+24h] pop ecx lea esi,[ebp-20h] rep movsd mov eax,[ebx+14h] mov byte ptr [ebx+eax+38h],C1h L00016622: push SSZ000163EE_TI_Msg_ jmp L0001662E L00016629: push SSZ000163F6_TI_Msg_ L0001662E: mov eax,[ebx+14h] add eax,[ebx+0Ch] mov ecx,[ebp+14h] and byte ptr [ebx+02h],00h mov [ecx],eax call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L00016C91 L00016648: xor edi,edi L0001664A: and byte ptr [esi+0000027Dh],00h cmp dword ptr [ebx+0Ch],00000200h jc L00016866 mov [esi+00000264h],ecx cmp byte ptr [ebx+08h],01h jnz L0001667D push SSZ000163FE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov byte ptr [esi+00000268h],01h jmp L0001668E L0001667D: push SSZ00016406_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint and byte ptr 
[esi+00000268h],00h L0001668E: xor eax,eax mov ah,[ebx+1Eh] pop ecx movzx ecx,[ebx+20h] push SSZ0001640E_TI_Msg_ mov al,[ebx+1Fh] shl eax,08h or eax,ecx movzx ecx,[ebx+21h] shl eax,08h or eax,ecx mov [esi+00000288h],eax xor eax,eax mov ah,[ebx+23h] mov al,[ebx+24h] mov [esi+0000028Ch],eax call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+14h] pop ecx push edi push edi push edi push [ebx+0Ch] add eax,ebx push eax call [ntoskrnl.exe!IoAllocateMdl] cmp eax,edi mov [esi+00000280h],eax jnz L0001671A push SSZ00016416_TI_Msg_ L000166E9: call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+18h] add eax,ebx mov byte ptr [ebx+02h],02h pop ecx mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov eax,[ebp+14h] mov [eax],edi and byte ptr [esi+00000284h],00h mov eax,C000009Ah jmp L00016CC7 L0001671A: push eax mov byte ptr [esi+00000284h],01h call [ntoskrnl.exe!MmBuildMdlForNonPagedPool] mov [esi+0000024Ch],edi mov eax,[ebx+0Ch] push SSZ0001641E_TI_Msg_ mov [esi+00000250h],eax mov [esi+00000248h],eax call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+00000280h] pop ecx mov ecx,[eax+18h] add ecx,[eax+10h] and byte ptr [esi+00000260h],00h mov eax,00006000h cmp [esi+00000250h],eax mov [esi+00000258h],ecx jbe L0001677F push SSZ00016426_TI_Msg_ mov [esi+00000248h],eax call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001677F: mov eax,[esi+00000258h] mov ecx,[esi+00000248h] and eax,00000FFFh lea edi,[eax+ecx+00000FFFh] push SSZ0001642E_TI_Msg_ shr edi,0Ch call jmp_ntoskrnl.exe!DbgPrint pop ecx mov cl,02h mov [esi+00000254h],edi call [HAL.dll!KfRaiseIrql] mov ecx,[ebp+10h] push esi push L00016290 mov [ebp+0Fh],al movzx eax,[ebp-04h] mov eax,[ecx+eax*4+00000190h] mov edx,[eax+04h] push edi push [ecx] push eax call [edx+10h] mov cl,[ebp+0Fh] mov [ebp+10h],eax call [HAL.dll!KfLowerIrql] xor edi,edi cmp [ebp+10h],edi jge L00016821 push SSZ00016436_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+18h] mov byte ptr [ebx+02h],02h add eax,ebx pop ecx mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov 
eax,[ebp+14h] mov [eax],edi push [esi+00000280h] and byte ptr [esi+00000284h],00h call [ntoskrnl.exe!IoFreeMdl] jmp L00016892 L00016821: or dword ptr [ebp-08h],FFFFFFFFh lea eax,[ebp-0Ch] push eax push edi push edi push edi add esi,0000026Ch push esi mov dword ptr [ebp-0Ch],FECED300h call [ntoskrnl.exe!KeWaitForSingleObject] push esi mov edi,eax call [ntoskrnl.exe!KeClearEvent] cmp edi,00000102h jnz L0001685C push SSZ0001643E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001685C: push SSZ00016446_TI_Msg_ jmp L00016BE4 L00016866: push SSZ0001644E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+18h] add eax,ebx mov byte ptr [ebx+02h],02h pop ecx mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov eax,[ebp+14h] mov [eax],edi and byte ptr [esi+00000284h],00h L00016892: mov [esi+00000280h],edi jmp L00016CC2 L0001689D: sub eax,000000D0h jz L00016C27 dec eax jz L00016952 sub eax,0000001Dh jz L0001690A dec eax jz L000168E3 xor edi,edi L000168B9: push SSZ00016456_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+18h] add eax,ebx mov byte ptr [ebx+02h],02h pop ecx mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov eax,[ebp+14h] mov [eax],edi jmp L00016CC2 L000168E3: push SSZ0001645E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp+10h] pop ecx mov ecx,[eax+000001B8h] push 00000001h push [ebp-04h] call SUB_L00017E46 and byte ptr [ebx+02h],00h jmp L00016BEA L0001690A: movzx eax,[ebp-04h] mov esi,[ebx+14h] mov ecx,[ebp+10h] lea eax,[eax+eax*4] add esi,ebx cmp byte ptr [ecx+eax*4+0000014Ch],22h jnz L00016934 push SSZ00016466_TI_Msg_ mov word ptr [esi],0001h call jmp_ntoskrnl.exe!DbgPrint jmp L00016942 L00016934: push SSZ0001646E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint and word ptr [esi],0000h L00016942: mov eax,[ebx+0Ch] and byte ptr [ebx+02h],00h add eax,[ebx+14h] pop ecx jmp L00016C8C L00016952: and byte ptr [esi+0000027Dh],00h cmp byte ptr [esi+0000027Ch],00h jz L00016BF5 cmp dword ptr [ebx+0Ch],00000200h jc L00016AD1 push SSZ00016476_TI_Msg_ mov 
[esi+00000264h],ecx call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [ebx+08h],01h pop ecx setz al xor edi,edi push edi push edi mov [esi+00000268h],al mov eax,[ebx+14h] push edi push [ebx+0Ch] add eax,ebx push eax call [ntoskrnl.exe!IoAllocateMdl] cmp eax,edi mov [esi+00000280h],eax jnz L000169B9 push SSZ0001647E_TI_Msg_ jmp L000166E9 L000169B9: push eax mov byte ptr [esi+00000284h],01h call [ntoskrnl.exe!MmBuildMdlForNonPagedPool] mov eax,[esi+00000280h] mov [esi+0000024Ch],edi mov eax,[eax+14h] push SSZ00016486_TI_Msg_ mov [esi+00000250h],eax mov [esi+00000248h],eax call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+00000280h] pop ecx mov ecx,[eax+18h] add ecx,[eax+10h] and byte ptr [esi+00000260h],00h mov eax,00006000h cmp [esi+00000250h],eax mov [esi+00000258h],ecx jbe L00016A24 push SSZ0001648E_TI_Msg_ mov [esi+00000248h],eax call jmp_ntoskrnl.exe!DbgPrint pop ecx L00016A24: mov eax,[esi+00000258h] mov ecx,[esi+00000248h] and eax,00000FFFh lea edi,[eax+ecx+00000FFFh] push SSZ00016496_TI_Msg_ shr edi,0Ch call jmp_ntoskrnl.exe!DbgPrint pop ecx mov cl,02h mov [esi+00000254h],edi call [HAL.dll!KfRaiseIrql] mov ecx,[ebp+10h] push esi push L00015BA0 mov [ebp+0Fh],al movzx eax,[ebp-04h] mov eax,[ecx+eax*4+00000190h] mov edx,[eax+04h] push edi push [ecx] push eax call [edx+10h] mov cl,[ebp+0Fh] mov edi,eax call [HAL.dll!KfLowerIrql] test edi,edi jge L00016BC0 push SSZ0001649E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+18h] mov byte ptr [ebx+02h],02h add eax,ebx pop ecx mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov eax,[ebp+14h] and dword ptr [eax],00000000h push [esi+00000280h] and byte ptr [esi+00000284h],00h call [ntoskrnl.exe!IoFreeMdl] and dword ptr [esi+00000280h],00000000h jmp L00016CC2 L00016AD1: mov al,[ebx+1Eh] movzx ecx,[ebx+21h] mov [ebp-20h],al xor eax,eax mov ah,[ebx+1Fh] push SSZ000164A6_TI_Msg_ mov al,[ebx+20h] shl eax,08h or eax,ecx movzx ecx,[ebx+22h] shl eax,08h or eax,ecx movzx ecx,[ebx+25h] mov [ebp-1Ch],eax xor eax,eax mov ah,[ebx+23h] 
mov al,[ebx+24h] shl eax,08h or eax,ecx mov [ebp-18h],eax call jmp_ntoskrnl.exe!DbgPrint mov al,[ebx+26h] mov cl,al shr cl,04h mov [ebp-14h],cl mov cl,al and cl,08h cmp cl,08h setz cl mov [ebp-13h],cl mov cl,al and cl,04h cmp cl,04h setz cl mov [ebp-12h],cl mov cl,al and cl,02h cmp cl,02h setz cl and al,01h dec al neg al sbb al,al inc al mov [ebp-11h],cl mov [ebp-10h],al mov dword ptr [esp],SSZ000164AE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+14h] pop ecx add eax,ebx push eax lea eax,[ebp-20h] push eax mov eax,[ebp+10h] push [ebp-04h] mov ecx,[eax+000001B8h] call SUB_L00017CD2 push SSZ000164B6_TI_Msg_ mov [ebp+13h],al call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [ebp+13h],00h pop ecx jz L00016BEA push SSZ000164BE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+18h] add eax,ebx mov byte ptr [ebx+02h],02h pop ecx mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov eax,[ebp+14h] and dword ptr [eax],00000000h mov eax,C0000001h jmp L00016CC7 L00016BC0: lea edi,[esi+0000026Ch] mov esi,[ntoskrnl.exe!KeClearEvent] push edi call esi xor eax,eax push eax push eax push eax push eax push edi call [ntoskrnl.exe!KeWaitForSingleObject] push edi call esi push SSZ000164C6_TI_Msg_ L00016BE4: call jmp_ntoskrnl.exe!DbgPrint L00016BE9: pop ecx L00016BEA: mov eax,[ebx+14h] add eax,[ebx+0Ch] jmp L00016C8C L00016BF5: push SSZ000164CE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint and byte ptr [esi+00000284h],00h mov eax,[ebx+18h] add eax,ebx mov byte ptr [ebx+02h],02h pop ecx mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov eax,[ebp+14h] and dword ptr [eax],00000000h jmp L00016CC2 L00016C27: and byte ptr [esi+0000027Dh],00h cmp byte ptr [ebx+26h],01h jnz L00016C95 push SSZ000164D6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint and byte ptr [ebp+0Eh],00h and byte ptr [ebp+0Fh],00h pop ecx lea eax,[ebp+0Eh] push eax mov eax,[ebp+10h] push [ebp-04h] mov byte ptr [esi+0000027Ch],01h mov ecx,[eax+000001B8h] call SUB_L00017D18 push SSZ000164DE_TI_Msg_ call 
jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+14h] add eax,ebx mov byte ptr [eax],01h pop ecx mov cl,[ebp+0Eh] mov [eax+01h],cl mov cl,[ebp+0Fh] mov [eax+02h],cl mov eax,[ebx+14h] and byte ptr [ebx+02h],00h add eax,00000003h L00016C8C: mov ecx,[ebp+14h] mov [ecx],eax L00016C91: xor eax,eax jmp L00016CC7 L00016C95: push SSZ000164E6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebx+18h] add eax,ebx mov byte ptr [ebx+02h],02h pop ecx mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl mov eax,[ebp+14h] and dword ptr [eax],00000000h and byte ptr [esi+0000027Ch],00h L00016CC2: mov eax,C0000002h L00016CC7: pop edi pop esi pop ebx leave retn 0010h ;------------------------------------------------------------------------------ SSZ00016CCE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016CD6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016CDE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016CE6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016CEE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016CF6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016CFE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016D06_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016D0E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016D16_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016D1E_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00016D26: push ebp mov ebp,esp push ecx and byte ptr [ebp-01h],00h push ebx push esi mov esi,[ebp+0Ch] mov al,[esi+40h] push edi push SSZ00016CCE_TI_Msg_ mov [ebp+0Fh],al call jmp_ntoskrnl.exe!DbgPrint mov ebx,[ebp+08h] mov edi,[ebx+0Ch] mov eax,[edi+0Ch] cmp eax,00000200h pop ecx jnc L00016D69 test al,03h jz L00016D69 push SSZ00016CD6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L00016F41 L00016D69: movzx eax,[edi+1Ch] sub eax,00000028h jz L00016DAD dec eax dec eax jz L00016DAD sub eax,000000A7h jz L00016DEA push SSZ00016CDE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint L00016D87: mov eax,[edi+18h] add eax,edi mov byte ptr [edi+02h],02h pop ecx mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl L00016D9D: mov eax,[ebp+14h] and dword ptr [eax],00000000h mov eax,C0000002h jmp L00016FD3 L00016DAD: movzx ecx,[edi+20h] xor 
eax,eax mov ah,[edi+1Eh] push SSZ00016CE6_TI_Msg_ mov byte ptr [ebp-01h],01h mov al,[edi+1Fh] shl eax,08h or eax,ecx movzx ecx,[edi+21h] shl eax,08h or eax,ecx mov [esi+00000288h],eax xor eax,eax mov ah,[edi+23h] mov al,[edi+24h] mov [esi+0000028Ch],eax call jmp_ntoskrnl.exe!DbgPrint pop ecx L00016DEA: cmp byte ptr [esi+0000027Ch],00h jnz L00016E14 mov al,[edi+1Ch] cmp al,28h jz L00016E14 cmp al,2Ah jz L00016E14 push SSZ00016CEE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint and byte ptr [esi+00000284h],00h jmp L00016D87 L00016E14: cmp byte ptr [edi+1Ch],D1h jnz L00016E1E and byte ptr [ebp-01h],00h L00016E1E: and dword ptr [esi+00000280h],00000000h and byte ptr [esi+00000284h],00h mov [esi+00000264h],ebx cmp byte ptr [edi+08h],01h jnz L00016E41 mov byte ptr [esi+00000268h],01h jmp L00016E48 L00016E41: and byte ptr [esi+00000268h],00h L00016E48: xor eax,eax mov al,[esi+00000268h] push eax push [edi+0Ch] push [edi+14h] call SUB_L00015412 test eax,eax mov [esi+00000280h],eax jz L00016F41 and dword ptr [esi+0000024Ch],00000000h mov byte ptr [esi+0000027Dh],01h mov byte ptr [esi+00000284h],01h mov eax,[edi+0Ch] push SSZ00016CF6_TI_Msg_ mov [esi+00000250h],eax mov [esi+00000248h],eax call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+00000280h] pop ecx mov ecx,[eax+18h] add ecx,[eax+10h] and byte ptr [esi+00000260h],00h mov eax,00006000h cmp [esi+00000250h],eax mov [esi+00000258h],ecx jbe L00016ED0 push SSZ00016CFE_TI_Msg_ mov [esi+00000248h],eax call jmp_ntoskrnl.exe!DbgPrint pop ecx L00016ED0: mov eax,[esi+00000258h] mov ecx,[esi+00000248h] and eax,00000FFFh lea ebx,[eax+ecx+00000FFFh] push SSZ00016D06_TI_Msg_ shr ebx,0Ch call jmp_ntoskrnl.exe!DbgPrint pop ecx mov cl,02h mov [esi+00000254h],ebx call [HAL.dll!KfRaiseIrql] cmp byte ptr [ebp-01h],00h mov ecx,[ebp+10h] mov [ebp+0Bh],al movzx eax,[ebp+0Fh] mov eax,[ecx+eax*4+00000190h] mov edx,[eax+04h] push esi jnz L00016F26 push L00015BA0 jmp L00016F2B L00016F26: push L00016290 L00016F2B: push ebx push [ecx] push eax call [edx+10h] mov 
cl,[ebp+0Bh] mov ebx,eax call [HAL.dll!KfLowerIrql] test ebx,ebx jge L00016F98 L00016F41: push SSZ00016D0E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[edi+18h] add eax,edi mov byte ptr [edi+02h],02h pop ecx mov cl,[eax+02h] and cl,F5h or cl,05h mov [eax+02h],cl and byte ptr [esi+0000027Dh],00h lea edi,[esi+00000280h] mov eax,[edi] test eax,eax jz L00016D9D add esi,00000284h cmp byte ptr [esi],00h jz L00016D9D and byte ptr [esi],00h push eax call SUB_L000154A4 and dword ptr [edi],00000000h jmp L00016D9D L00016F98: xor eax,eax push eax push eax push eax push eax add esi,0000026Ch push esi call [ntoskrnl.exe!KeWaitForSingleObject] push esi call [ntoskrnl.exe!KeClearEvent] push SSZ00016D16_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00016D1E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[edi+0Ch] pop ecx mov ecx,[ebp+14h] mov [ecx],eax xor eax,eax L00016FD3: pop edi pop esi pop ebx leave retn 0010h ;------------------------------------------------------------------------------ SSZ00016FDA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016FE2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016FEA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016FF2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00016FFA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017002_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001700A_TI_Msg_: db 'TI Msg',0Ah,0 SUB_QueryRegistryValues: push ebp mov ebp,esp sub esp,0000043Ch push esi push edi push SSZ00016FDA_TI_Msg_ mov dword ptr [ebp-04h],00000001h call jmp_ntoskrnl.exe!DbgPrint push [ebp+08h] mov esi,[ntoskrnl.exe!wcslen] call esi push [ebp+08h] xor eax,eax mov ecx,00000080h lea edi,[ebp-0000043Ch] rep stosd call esi shl eax,1 push eax push [ebp+08h] lea eax,[ebp-0000043Ch] push eax call [ntoskrnl.exe!memmove] push SSZ00016FE2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint push SSZ00016FEA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov esi,[ebp+10h] add esp,00000020h push 0000000Eh pop ecx xor eax,eax push 00000004h lea edi,[ebp-3Ch] rep stosd mov eax,[ebp+0Ch] mov [ebp-34h],eax pop eax xor edi,edi push edi mov 
[ebp-2Ch],eax mov [ebp-24h],eax push edi lea eax,[ebp-3Ch] push eax lea eax,[ebp-0000043Ch] push eax lea ecx,[ebp-04h] push 80000000h mov dword ptr [ebp-38h],00000020h mov [ebp-30h],esi mov [ebp-28h],ecx call [ntoskrnl.exe!RtlQueryRegistryValues] test eax,eax jl L000170DB push SSZ00016FF2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ00016FFA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint xor eax,eax jmp L000170F8 L000170DB: push SSZ00017002_TI_Msg_ mov [esi],edi call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001700A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,C0000001h L000170F8: pop ecx pop edi pop esi leave retn 000Ch ;------------------------------------------------------------------------------ Align 4 SSZ00017100_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017108_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017110_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00017118: push ebp mov ebp,esp sub esp,00000024h push ebx push esi push edi lea eax,[ebp+08h] push eax mov esi,L0002001F push esi push 00000001h push [ebp+08h] call [ntoskrnl.exe!IoOpenDeviceRegistryKey] mov edi,eax xor ebx,ebx cmp edi,ebx jl L0001719F cmp [ebp+0Ch],ebx jz L0001719F push SSZ00017100_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push [ebp+0Ch] lea eax,[ebp-0Ch] push eax call [ntoskrnl.exe!RtlInitUnicodeString] mov eax,[ebp+08h] push ebx push ebx mov [ebp-20h],eax push ebx lea eax,[ebp-0Ch] mov [ebp-1Ch],eax push ebx lea eax,[ebp-24h] push eax push esi lea eax,[ebp-04h] push eax mov dword ptr [ebp-24h],00000018h mov dword ptr [ebp-18h],00000240h mov [ebp-14h],ebx mov [ebp-10h],ebx call [ntoskrnl.exe!ZwCreateKey] mov edi,eax cmp edi,ebx jge L000171AE push [ebp+08h] call [ntoskrnl.exe!ZwClose] jmp L000171AA L0001719F: push SSZ00017108_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L000171AA: cmp edi,ebx jl L000171F4 L000171AE: push SSZ00017110_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp [ebp+0Ch],ebx mov eax,[ebp-04h] pop ecx jnz L000171C4 mov eax,[ebp+08h] L000171C4: push 00000004h lea ecx,[ebp+14h] push ecx 
; continuation of SUB_L00017118 (prologue and the ZwCreateKey path are on the preceding line)
        push    00000004h               ; ValueType = REG_DWORD
        push    [ebp+10h]               ; ValueName
        push    eax                     ; Path = key handle
        push    40000000h               ; RelativeTo = RTL_REGISTRY_HANDLE
        call    [ntoskrnl.exe!RtlWriteRegistryValue]
        cmp     [ebp+0Ch],ebx
        mov     edi,eax                 ; the write's status is the function result
        jz      L000171EB
        push    [ebp-04h]
        call    [ntoskrnl.exe!ZwClose]  ; close the subkey handle
L000171EB:
        push    [ebp+08h]
        call    [ntoskrnl.exe!ZwClose]  ; close the device key handle
L000171F4:
        mov     eax,edi
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn    0010h
;------------------------------------------------------------------------------
Align 2
;------------------------------------------------------------------------------
; NTSTATUS SUB_L000171FE(PIRP Irp, NTSTATUS Status, ULONG_PTR Information)
; ABI:   stdcall (retn 000Ch)
; Stores Status / Information into Irp->IoStatus (+18h / +1Ch), completes the IRP
; with priority boost 0 and returns Status.
;------------------------------------------------------------------------------
SUB_L000171FE:
        mov     ecx,[esp+04h]           ; ecx = Irp (fastcall arg 1 of IofCompleteRequest)
        mov     eax,[esp+0Ch]           ; eax = Information
        push    esi
        mov     esi,[esp+0Ch]           ; esi = Status (slot shifted by the push)
        xor     dl,dl                   ; PriorityBoost = 0
        mov     [ecx+18h],esi           ; Irp->IoStatus.Status
        mov     [ecx+1Ch],eax           ; Irp->IoStatus.Information
        call    [ntoskrnl.exe!IofCompleteRequest]
        mov     eax,esi
        pop     esi
        retn    000Ch
;------------------------------------------------------------------------------
Align 4
;------------------------------------------------------------------------------
; NTSTATUS SUB_L00017220(PIRP Irp, NTSTATUS Status)
; Same as SUB_L000171FE but leaves Irp->IoStatus.Information untouched.
;------------------------------------------------------------------------------
SUB_L00017220:
        mov     ecx,[esp+04h]           ; ecx = Irp
        push    esi
        mov     esi,[esp+0Ch]           ; esi = Status
        xor     dl,dl                   ; PriorityBoost = 0
        mov     [ecx+18h],esi           ; Irp->IoStatus.Status
        call    [ntoskrnl.exe!IofCompleteRequest]
        mov     eax,esi
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
; NTSTATUS L0001723A(PDEVICE_OBJECT Dev, PIRP Irp, PVOID Context)
; IRP completion routine (3 stdcall args): signals the KEVENT passed as Context and
; returns C0000016h (STATUS_MORE_PROCESSING_REQUIRED) so the IRP stays with the waiter.
;------------------------------------------------------------------------------
L0001723A:
        push    00000000h               ; Wait = FALSE
        push    00000000h               ; Increment = 0
        push    [esp+14h]               ; Event = Context ([esp+0Ch] before the two pushes)
        call    [ntoskrnl.exe!KeSetEvent]
        mov     eax,C0000016h
        retn    000Ch
;------------------------------------------------------------------------------
; NTSTATUS SUB_L00017250(PVOID Ext, BOOLEAN Enable)
; Enables/disables the device interface whose symbolic-link UNICODE_STRING is at Ext+44h.
;------------------------------------------------------------------------------
SUB_L00017250:
        push    [esp+08h]               ; Enable
        mov     eax,[esp+08h]           ; Ext (slot shifted by the push)
        add     eax,00000044h
        push    eax                     ; &Ext->SymbolicLinkName
        call    [ntoskrnl.exe!IoSetDeviceInterfaceState]
        retn    0008h
;------------------------------------------------------------------------------
Align 2
;------------------------------------------------------------------------------
; void SUB_L00017266(PVOID Ext)
; Disables the device interface and frees the symbolic-link string at Ext+44h.
; The IoSetDeviceInterfaceState status is not checked; eax is meaningless on return.
;------------------------------------------------------------------------------
SUB_L00017266:
        push    esi
        mov     esi,[esp+08h]
        push    00000000h               ; Enable = FALSE
        add     esi,00000044h
        push    esi                     ; &Ext->SymbolicLinkName
        call    [ntoskrnl.exe!IoSetDeviceInterfaceState]
        push    esi
        call    [ntoskrnl.exe!RtlFreeUnicodeString]
        pop     esi
        retn    0004h
;------------------------------------------------------------------------------
; ULONG SUB_L00017282(PULONG p) - returns *p
;------------------------------------------------------------------------------
SUB_L00017282:
        push    ebp
        mov     ebp,esp
        mov     eax,[ebp+08h]
        mov     eax,[eax]
        pop     ebp
        retn    0004h
;------------------------------------------------------------------------------
; USHORT SUB_L0001728E(PUSHORT p) - returns *p in ax.
; Only ax is written: the upper half of eax still holds the upper half of the
; pointer, so callers must not treat eax as a zero-extended result.
;------------------------------------------------------------------------------
SUB_L0001728E:
        push    ebp
        mov     ebp,esp
        mov     eax,[ebp+08h]
        mov     ax,[eax]
        pop     ebp
        retn    0004h
;------------------------------------------------------------------------------
Align 4
;------------------------------------------------------------------------------
; void SUB_L0001729C(PULONG p, ULONG v) - *p = v
; Used by SUB_L00017310 / SUB_L00017382 below to write fixed values at base+08h / base+0Ch.
;------------------------------------------------------------------------------
SUB_L0001729C:
        push    ebp
        mov     ebp,esp
        mov     eax,[ebp+08h]
        mov     ecx,[ebp+0Ch]
        mov     [eax],ecx
        pop     ebp
        retn    0008h
;------------------------------------------------------------------------------
Align 4
;------------------------------------------------------------------------------
; void SUB_L000172AC(PULONG p, v) - *p = zero-extended v
; (the listing omits the operand size of the movzx source, so v is 8 or 16 bits wide)
;------------------------------------------------------------------------------
SUB_L000172AC:
        push    ebp
        mov     ebp,esp
        movzx   eax,[ebp+0Ch]
        mov     ecx,[ebp+08h]
        mov     [ecx],eax
        pop     ebp
        retn    0008h
;------------------------------------------------------------------------------
SSZ000172BC_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L000172C4 - constructor-style initialiser (thiscall: ecx = this, [esp+04h] = base)
; Fields written (this+):
;   00h        base pointer from the argument
;   18h / 1Ch  dword / byte, zeroed
;   20h..2Ch   four slot pointers, zeroed (this is the whole slot array)
;   30h..33h   four per-slot bytes, zeroed (SUB_L00017550 sets one to 1 when it fills a slot)
;   34h        slot count = 4
;   38h        byte = 2
; Returns this in eax.
;------------------------------------------------------------------------------
SUB_L000172C4:
        mov     eax,[esp+04h]
        push    esi
        mov     esi,ecx                 ; esi = this
        and     dword ptr [esi+18h],00000000h
        and     byte ptr [esi+1Ch],00h
        push    SSZ000172BC_TI_Msg_
        mov     [esi],eax
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    00000004h
        lea     ecx,[esi+30h]           ; ecx -> per-slot bytes
        lea     eax,[esi+20h]           ; eax -> slot pointers
        pop     edx                     ; edx = 4 iterations
L000172E9:
        and     dword ptr [eax],00000000h
        and     byte ptr [ecx],00h
        add     eax,00000004h
        inc     ecx
        dec     edx
        jnz     L000172E9
        mov     dword ptr [esi+34h],00000004h
        mov     byte ptr [esi+38h],02h
        mov     eax,esi
        pop     esi
        retn    0004h
;------------------------------------------------------------------------------
Align 4
SSZ00017308_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L00017310 - teardown (thiscall: ecx = this; plain retn, no stack args)
; Writes FFFFFFFFh to base+0Ch through SUB_L0001729C, then for every index below
; [this+34h] whose pointer at this+20h+4*i is non-NULL calls that object's vtable[0]
; with argument 1 (consistent with a deleting-destructor call); the slot pointer is
; left in place.
; NOTE(review): the loop trusts [this+34h]. SUB_L000172C4 initialises exactly four
; slots and SUB_L0001735C stores a caller-supplied count unchecked, so a count above
; 4 would index past the slot array; confirm all callers of SUB_L0001735C pass <= 4.
;------------------------------------------------------------------------------
SUB_L00017310:
        push    ebx
        push    esi
        push    SSZ00017308_TI_Msg_
        mov     esi,ecx                 ; esi = this
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[esi]
        pop     ecx
        push    FFFFFFFFh
        add     eax,0000000Ch
        push    eax
        call    SUB_L0001729C           ; *(base+0Ch) = FFFFFFFFh
        xor     bl,bl                   ; bl = slot index
        cmp     dword ptr [esi+34h],00000000h
        jbe     L00017350               ; no slots
        xor     eax,eax
L00017336:
        mov     eax,[esi+eax*4+20h]
        test    eax,eax
        jz      L00017346               ; empty slot
        mov     edx,[eax]               ; edx = slot object's vtable
        push    00000001h
        mov     ecx,eax                 ; this = slot object
        call    [edx]                   ; vtable[0](1)
L00017346:
        inc     bl
        movzx   eax,bl
        cmp     eax,[esi+34h]
        jc      L00017336               ; unsigned: index < count
L00017350:
        pop     esi
        pop     ebx
        retn
;------------------------------------------------------------------------------
Align 4
SSZ00017354_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; void SUB_L0001735C(ULONG count)  (thiscall: ecx = this)
; Stores count at [this+34h] with no range check; when count != 4 the byte at
; [this+38h] (set to 2 by SUB_L000172C4) is cleared.
;------------------------------------------------------------------------------
SUB_L0001735C:
        mov     eax,[esp+04h]
        cmp     eax,00000004h
        mov     [ecx+34h],eax           ; unchecked: SUB_L00017310 / SUB_L0001775E index with this value
        jz      L0001736C
        and     byte ptr [ecx+38h],00h
L0001736C:
        push    SSZ00017354_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        retn    0004h
;------------------------------------------------------------------------------
SSZ0001737A_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; SUB_L00017382 (thiscall: ecx = this) - writes FFFFFFFFh to base+0Ch and then
; 8000000Fh to base+08h through SUB_L0001729C. The body continues on the following line.
;------------------------------------------------------------------------------
SUB_L00017382:
        push    esi
        push    SSZ0001737A_TI_Msg_
        mov     esi,ecx                 ; esi = this
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[esi]
        pop     ecx
        push    FFFFFFFFh
        add     eax,0000000Ch           ; eax = base+0Ch
push eax call SUB_L0001729C mov eax,[esi] push 8000000Fh add eax,00000008h push eax call SUB_L0001729C pop esi retn ;------------------------------------------------------------------------------ Align 4 SUB_L000173B0: push ebp mov ebp,esp push ecx push ecx push esi mov esi,ecx mov eax,[esi] add eax,00000014h push eax call SUB_L00017282 cmp eax,FFFFFFFFh mov [esi+18h],eax jz L0001750B test eax,eax jz L0001750B mov ecx,80000000h and eax,ecx cmp eax,ecx push ebx setz bl cmp byte ptr [esi+1Ch],00h jnz L000174F8 test bl,bl jz L000174F8 mov eax,[esi] push edi push ecx add eax,0000000Ch push eax call SUB_L0001729C mov ecx,[esi+20h] test ecx,ecx jz L00017440 mov eax,[esi+18h] mov edx,00010000h mov edi,eax and edi,edx cmp edi,edx setz [ebp-08h] mov edx,00000100h and eax,edx cmp eax,edx setz [ebp-04h] cmp byte ptr [ebp-08h],00h jnz L00017435 cmp byte ptr [ebp-04h],00h jz L00017440 L00017435: push [ebp-04h] mov eax,[ecx] push [ebp-08h] call [eax+0Ch] L00017440: mov ecx,[esi+24h] test ecx,ecx jz L0001747D mov eax,[esi+18h] mov edx,L00020000 mov edi,eax and edi,edx cmp edi,edx setz [ebp-08h] mov edx,00000200h and eax,edx cmp eax,edx setz [ebp-04h] cmp byte ptr [ebp-08h],00h jnz L00017472 cmp byte ptr [ebp-04h],00h jz L0001747D L00017472: push [ebp-04h] mov eax,[ecx] push [ebp-08h] call [eax+0Ch] L0001747D: mov ecx,[esi+28h] test ecx,ecx jz L000174BA mov eax,[esi+18h] mov edx,00040000h mov edi,eax and edi,edx cmp edi,edx setz [ebp-08h] mov edx,00000400h and eax,edx cmp eax,edx setz [ebp-04h] cmp byte ptr [ebp-08h],00h jnz L000174AF cmp byte ptr [ebp-04h],00h jz L000174BA L000174AF: push [ebp-04h] mov eax,[ecx] push [ebp-08h] call [eax+0Ch] L000174BA: mov ecx,[esi+2Ch] test ecx,ecx jz L000174F7 mov eax,[esi+18h] mov edx,00080000h mov edi,eax and edi,edx cmp edi,edx setz [ebp-08h] mov edx,00000800h and eax,edx cmp eax,edx setz [ebp-04h] cmp byte ptr [ebp-08h],00h jnz L000174EC cmp byte ptr [ebp-04h],00h jz L000174F7 L000174EC: push [ebp-04h] mov eax,[ecx] push [ebp-08h] call 
[eax+0Ch] L000174F7: pop edi L000174F8: mov eax,[esi] push [esi+18h] add eax,00000014h push eax call SUB_L0001729C mov al,bl pop ebx jmp L0001750D L0001750B: xor al,al L0001750D: pop esi leave retn ;------------------------------------------------------------------------------ SSZ00017510_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017518_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017520_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017528_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017530_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017538_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017540_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017548_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00017550: push ebp mov ebp,esp push ecx push ecx and byte ptr [ebp-01h],00h push ebx movzx ebx,[ebp+08h] push esi push edi lea edi,[ebx+01h] mov esi,ecx shl edi,0Ah add edi,[esi] push SSZ00017510_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,[esi+ebx*4+20h] test ecx,ecx jz L00017589 call SUB_L0001A166 cmp al,43h mov [ebp-02h],al jz L000175C6 L00017589: push 00000020h call SUB_L00014304 test eax,eax pop ecx jz L000175A2 push edi mov ecx,eax call SUB_L0001AD3A mov [ebp-08h],eax jmp L000175A6 L000175A2: and dword ptr [ebp-08h],00000000h L000175A6: mov ecx,[ebp-08h] call SUB_L0001AE22 mov ecx,[ebp-08h] call SUB_L0001A166 mov ecx,[ebp-08h] test ecx,ecx mov [ebp-02h],al jz L000175C6 mov eax,[ecx] push 00000001h call [eax] L000175C6: movzx eax,[ebp-02h] dec eax jz L000176BE dec eax jz L0001766C dec eax jz L00017644 push SSZ00017518_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp dword ptr [esi+ebx*4+20h],00000000h pop ecx mov byte ptr [ebp-01h],83h jz L00017605 push SSZ00017520_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,[esi+ebx*4+20h] call SUB_L0001A206 L00017605: mov eax,ebx sub eax,00000000h jz L0001762A dec eax jz L00017623 dec eax jz L0001761C dec eax jnz L0001763A push 00080800h jmp L0001762F L0001761C: push 00040400h jmp L0001762F L00017623: push L00020200 jmp L0001762F L0001762A: push 00010100h L0001762F: mov eax,[esi] add eax,0000000Ch push eax call SUB_L0001729C 
L0001763A: and byte ptr [ebx+esi+30h],00h jmp L000176EE L00017644: push SSZ00017528_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint push 000000F4h call SUB_L00014304 test eax,eax pop ecx pop ecx jz L000176E3 push edi mov ecx,eax call SUB_L000183CE jmp L000176E5 L0001766C: push SSZ00017530_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp dword ptr [esi+14h],00000000h pop ecx jz L000176A0 push 000000D4h call SUB_L00014304 test eax,eax pop ecx jz L000176E3 mov cl,[ebp+08h] cmp cl,[esi+38h] setz cl push ecx L00017696: push edi mov ecx,eax call SUB_L0001B144 jmp L000176E5 L000176A0: push SSZ00017538_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint push 000000D4h call SUB_L00014304 test eax,eax pop ecx pop ecx jz L000176E3 push 00000000h jmp L00017696 L000176BE: push SSZ00017540_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],00000114h call SUB_L00014304 test eax,eax pop ecx jz L000176E3 push edi mov ecx,eax call SUB_L0001E736 jmp L000176E5 L000176E3: xor eax,eax L000176E5: mov [esi+ebx*4+20h],eax mov byte ptr [ebx+esi+30h],01h L000176EE: cmp byte ptr [ebx+esi+30h],00h jz L000176FF mov eax,[esi+ebx*4+20h] mov ecx,[esi+04h] mov [eax+08h],ecx L000176FF: cmp byte ptr [ebp-01h],00h jnz L00017738 sub ebx,00000000h jz L00017728 dec ebx jz L00017721 dec ebx jz L0001771A dec ebx jnz L00017738 push 00080800h jmp L0001772D L0001771A: push 00040400h jmp L0001772D L00017721: push L00020200 jmp L0001772D L00017728: push 00010100h L0001772D: mov eax,[esi] add eax,00000008h push eax call SUB_L0001729C L00017738: push SSZ00017548_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,[ebp-01h] pop ecx pop edi pop esi pop ebx leave retn 0004h ;------------------------------------------------------------------------------ Align 2 SSZ0001774E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017756_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001775E: movzx eax,[esp+04h] cmp eax,[ecx+34h] jc L00017777 push SSZ0001774E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,A0h jmp L0001778F L00017777: cmp byte ptr [eax+ecx+30h],00h jnz 
L0001778D push SSZ00017756_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,A1h jmp L0001778F L0001778D: xor al,al L0001778F: retn 0004h ;------------------------------------------------------------------------------ SSZ00017792_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001779A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000177A2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000177AA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000177B2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000177BA_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L000177C2: push ebp mov ebp,esp push ecx push ecx push edi push SSZ00017792_TI_Msg_ mov edi,ecx call jmp_ntoskrnl.exe!DbgPrint pop ecx push [ebp+08h] mov ecx,edi call SUB_L0001775E test al,al jnz L00017945 push ebx movzx ebx,[ebp+08h] push esi lea esi,[edi+ebx*4+20h] mov eax,[esi] cmp byte ptr [eax+24h],00h jz L00017800 xor al,al jmp L00017943 L00017800: push SSZ0001779A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] mov ecx,[edi+08h] mov [eax+0Ch],ecx mov dword ptr [esp],SSZ000177A2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] mov ecx,[edi+10h] mov [eax+14h],ecx mov dword ptr [esp],SSZ000177AA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] pop ecx mov ecx,[edi+0Ch] mov [eax+10h],ecx mov ecx,[esi] call SUB_L0001A31A test al,al mov [ebp-01h],al jnz L00017943 mov ecx,[esi] call SUB_L0001A166 mov ecx,[esi] inc ebx shl ebx,0Ah add ebx,[edi] cmp al,12h mov [ebp-02h],al mov [ebp-08h],ecx jnz L000178D2 and dword ptr [esi],00000000h test ecx,ecx jz L00017873 mov eax,[ecx] push 00000001h call [eax] L00017873: cmp dword ptr [edi+14h],00000000h jz L0001789C push 00004538h call SUB_L00014304 test eax,eax pop ecx jz L000178BB mov cl,[ebp+08h] cmp cl,[edi+38h] setz cl push ecx L00017892: push ebx mov ecx,eax call SUB_L0001B8FA jmp L000178BD L0001789C: push SSZ000177B2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],00004538h call SUB_L00014304 test eax,eax pop ecx jz L000178BB push 00000000h jmp L00017892 L000178BB: xor eax,eax L000178BD: mov [esi],eax mov ecx,[edi+04h] mov [eax+08h],ecx mov 
ecx,[esi] call SUB_L0001A31A mov ecx,[ebp-08h] mov [ebp-01h],al L000178D2: cmp byte ptr [ebp-02h],22h jnz L00017940 and dword ptr [esi],00000000h test ecx,ecx jz L000178E5 mov eax,[ecx] push 00000001h call [eax] L000178E5: cmp dword ptr [edi+14h],00000000h jz L0001790E push 000000D8h call SUB_L00014304 test eax,eax pop ecx jz L0001792C mov cl,[ebp+08h] cmp cl,[edi+38h] setz cl push ecx L00017904: push ebx mov ecx,eax call SUB_L0001D48E jmp L0001792E L0001790E: push SSZ000177BA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint push 000000D8h call SUB_L00014304 test eax,eax pop ecx pop ecx jz L0001792C push 00000000h jmp L00017904 L0001792C: xor eax,eax L0001792E: mov [esi],eax mov ecx,[edi+04h] mov [eax+08h],ecx mov ecx,[esi] call SUB_L0001A31A mov [ebp-01h],al L00017940: mov al,[ebp-01h] L00017943: pop esi pop ebx L00017945: pop edi leave retn 0004h ;------------------------------------------------------------------------------ SSZ0001794A_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00017952: push esi push SSZ0001794A_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint pop ecx push [esp+08h] mov ecx,esi call SUB_L0001775E test al,al jnz L0001797D movzx eax,[esp+08h] mov ecx,[esi+eax*4+20h] call SUB_L0001A166 L0001797D: pop esi retn 0004h ;------------------------------------------------------------------------------ Align 2 SSZ00017982_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001798A: push ebp mov ebp,esp sub esp,00000010h push esi push edi push SSZ00017982_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint pop ecx push [ebp+0Ch] xor eax,eax mov ecx,esi mov [ebp-04h],eax mov [ebp-10h],eax mov [ebp-08h],eax mov [ebp-0Ch],eax call SUB_L0001775E test al,al jz L000179C0 lea esi,[ebp-10h] jmp L000179D3 L000179C0: lea eax,[ebp-10h] push eax movzx eax,[ebp+0Ch] mov ecx,[esi+eax*4+20h] call SUB_L0001AA6A mov esi,eax L000179D3: mov eax,[ebp+08h] mov edi,eax movsd movsd movsd movsd pop edi pop esi leave retn 0008h ;------------------------------------------------------------------------------ 
SSZ000179E2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000179EA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000179F2_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L000179FA: push ebp mov ebp,esp push esi push SSZ000179E2_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint pop ecx push [ebp+08h] mov ecx,esi call SUB_L0001775E test al,al jnz L00017A6B cmp dword ptr [ebp+0Ch],FFFFFFFFh jnz L00017A23 mov al,82h jmp L00017A6B L00017A23: movzx eax,[ebp+08h] lea eax,[esi+eax*4+20h] mov ecx,[eax] cmp byte ptr [ecx+28h],00h jz L00017A42 push SSZ000179EA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,C3h jmp L00017A6B L00017A42: push ebx push [ebp+18h] mov byte ptr [ecx+28h],01h push [ebp+14h] lea ecx,[ebp+10h] push ecx push [ebp+0Ch] mov ecx,[eax] call SUB_L0001A476 push SSZ000179F2_TI_Msg_ mov bl,al call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,bl pop ebx L00017A6B: pop esi pop ebp retn 0014h ;------------------------------------------------------------------------------ SSZ00017A70_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017A78_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017A80_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00017A88: push ebp mov ebp,esp push ecx push esi push SSZ00017A70_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint pop ecx push [ebp+08h] mov ecx,esi call SUB_L0001775E test al,al jnz L00017AF3 movzx eax,[ebp+08h] lea eax,[esi+eax*4+20h] mov ecx,[eax] cmp byte ptr [ecx+28h],00h jz L00017AC7 push SSZ00017A78_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,C3h jmp L00017AF3 L00017AC7: push ebx push [ebp+10h] mov byte ptr [ecx+28h],01h push [ebp+0Ch] and dword ptr [ebp-04h],00000000h lea ecx,[ebp-04h] push ecx mov ecx,[eax] push FFFFFFFFh call SUB_L0001A476 push SSZ00017A80_TI_Msg_ mov bl,al call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,bl pop ebx L00017AF3: pop esi leave retn 000Ch ;------------------------------------------------------------------------------ SSZ00017AF8_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017B00_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017B08_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00017B10: push ebp mov ebp,esp push 
esi push SSZ00017AF8_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint pop ecx push [ebp+08h] mov ecx,esi call SUB_L0001775E test al,al jnz L00017B81 cmp dword ptr [ebp+0Ch],FFFFFFFFh jnz L00017B39 mov al,82h jmp L00017B81 L00017B39: movzx eax,[ebp+08h] lea eax,[esi+eax*4+20h] mov ecx,[eax] cmp byte ptr [ecx+28h],00h jz L00017B58 push SSZ00017B00_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,C3h jmp L00017B81 L00017B58: push ebx push [ebp+18h] mov byte ptr [ecx+28h],01h push [ebp+14h] lea ecx,[ebp+10h] push ecx push [ebp+0Ch] mov ecx,[eax] call SUB_L0001A7B4 push SSZ00017B08_TI_Msg_ mov bl,al call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,bl pop ebx L00017B81: pop esi pop ebp retn 0014h ;------------------------------------------------------------------------------ SSZ00017B86_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017B8E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00017B96_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00017B9E: push ebp mov ebp,esp push ecx push esi push SSZ00017B86_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint pop ecx push [ebp+08h] mov ecx,esi call SUB_L0001775E test al,al jnz L00017C09 movzx eax,[ebp+08h] lea eax,[esi+eax*4+20h] mov ecx,[eax] cmp byte ptr [ecx+28h],00h jz L00017BDD push SSZ00017B8E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,C3h jmp L00017C09 L00017BDD: push ebx push [ebp+10h] mov byte ptr [ecx+28h],01h push [ebp+0Ch] and dword ptr [ebp-04h],00000000h lea ecx,[ebp-04h] push ecx mov ecx,[eax] push FFFFFFFFh call SUB_L0001A7B4 push SSZ00017B96_TI_Msg_ mov bl,al call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,bl pop ebx L00017C09: pop esi leave retn 000Ch ;------------------------------------------------------------------------------ SSZ00017C0E_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00017C16: push ebp mov ebp,esp push esi push SSZ00017C0E_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint pop ecx push [ebp+08h] mov ecx,esi call SUB_L0001775E test al,al jnz L00017C4D push [ebp+14h] movzx eax,[ebp+08h] push [ebp+10h] mov ecx,[esi+eax*4+20h] push 
[ebp+0Ch] call SUB_L0001A3FC xor al,al L00017C4D: pop esi pop ebp retn 0010h ;------------------------------------------------------------------------------ SUB_L00017C52: push ebp mov ebp,esp push esi push [ebp+08h] mov esi,ecx call SUB_L0001775E test al,al jnz L00017C8D movzx eax,[ebp+08h] lea esi,[esi+eax*4+20h] mov ecx,[esi] call SUB_L0001A166 cmp al,23h jz L00017C7B mov al,A2h jmp L00017C8D L00017C7B: mov ecx,[esi] push 00000000h push [ebp+14h] push [ebp+10h] push [ebp+0Ch] call SUB_L00019414 L00017C8D: pop esi pop ebp retn 0010h ;------------------------------------------------------------------------------ SUB_L00017C92: push esi push [esp+08h] mov esi,ecx call SUB_L0001775E test al,al jnz L00017CCD movzx eax,[esp+08h] lea esi,[esi+eax*4+20h] mov ecx,[esi] call SUB_L0001A166 cmp al,23h jz L00017CBA mov al,A2h jmp L00017CCD L00017CBA: mov ecx,[esi] push 00000000h push [esp+14h] push [esp+14h] push 00000000h call SUB_L00019414 L00017CCD: pop esi retn 000Ch ;------------------------------------------------------------------------------ Align 2 SUB_L00017CD2: push ebp mov ebp,esp push ecx push esi push [ebp+08h] mov esi,ecx call SUB_L0001775E test al,al jnz L00017D13 movzx eax,[ebp+08h] lea esi,[esi+eax*4+20h] mov ecx,[esi] call SUB_L0001A166 cmp al,23h jz L00017CFC mov al,A2h jmp L00017D13 L00017CFC: push [ebp+10h] mov ecx,[esi] and byte ptr [ebp-01h],00h lea eax,[ebp-01h] push eax push 00000000h push [ebp+0Ch] call SUB_L00019414 L00017D13: pop esi leave retn 000Ch ;------------------------------------------------------------------------------ SUB_L00017D18: push esi push [esp+08h] mov esi,ecx call SUB_L0001775E test al,al jnz L00017D4D movzx eax,[esp+08h] lea esi,[esi+eax*4+20h] mov ecx,[esi] call SUB_L0001A166 cmp al,23h jz L00017D40 mov al,A2h jmp L00017D4D L00017D40: push [esp+0Ch] mov ecx,[esi] call SUB_L00019902 xor al,al L00017D4D: pop esi retn 0008h ;------------------------------------------------------------------------------ Align 2 SUB_L00017D52: 
; Body of SUB_L00017D52 (its label is on the previous listing line).
; const char* __thiscall (this, BYTE slot): returns a static error string, or the text
; buffer at card+0CAh (the one L00018F4B fills). Whether that buffer is NUL-terminated
; is not established in this view.
        push    esi
        push    [esp+08h]                           ; arg1: slot index (byte)
        mov     esi,ecx                             ; esi = this (ecx = this: __thiscall)
        call    SUB_L0001775E                       ; slot-index validator, not in view; al = 0 on success (see SUB_L00017F06)
        test    al,al
        jz      L00017D69
        mov     eax,SSZ00023328_Invalid_Socket      ; rejected index -> static message
        jmp     L00017D8B
L00017D69:
        movzx   eax,[esp+08h]
        lea     esi,[esi+eax*4+20h]                 ; esi = &this->slot[idx]; four slot pointers at +20h..+2Ch (SUB_L00017F18)
        mov     ecx,[esi]
        call    SUB_L0001A166                       ; card-type query (not in view); only 23h is accepted here
        cmp     al,23h
        jz      L00017D84
        mov     eax,SSZ00023314_Not_an_SD_MMC_card  ; so 23h is presumably the SD/MMC type code
        jmp     L00017D8B
L00017D84:
        mov     eax,[esi]
        add     eax,000000CAh                       ; eax = card + 0CAh
L00017D8B:
        pop     esi
        retn    0004h
;------------------------------------------------------------------------------
        Align 4
; SUB_L00017D90 — BYTE __thiscall (this, BYTE slot, DWORD *out): *out = card->dword_2C.
; Returns 0 on success, otherwise the validator's status byte.
SUB_L00017D90:
        push    esi
        push    [esp+08h]                           ; slot index
        mov     esi,ecx
        call    SUB_L0001775E
        test    al,al
        jnz     L00017DB4                           ; propagate validator status in al
        movzx   eax,[esp+08h]
        mov     eax,[esi+eax*4+20h]                 ; eax = card object in that slot
        mov     eax,[eax+2Ch]
        mov     ecx,[esp+0Ch]                       ; arg2: output pointer
        mov     [ecx],eax                           ; stored without any check here: the caller must have validated/probed it — TODO confirm on the request path
        xor     al,al
L00017DB4:
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
; SUB_L00017DB8 — BYTE __thiscall (this, BYTE slot): returns card->byte_25, or 1 when the index is rejected.
SUB_L00017DB8:
        push    esi
        push    [esp+08h]
        mov     esi,ecx
        call    SUB_L0001775E
        test    al,al
        jz      L00017DCC
        mov     al,01h                              ; rejected index reports as 1, indistinguishable from "flag set"
        jmp     L00017DD8
L00017DCC:
        movzx   eax,[esp+08h]
        mov     eax,[esi+eax*4+20h]
        mov     al,[eax+25h]                        ; +25h is written from a computed flag at the end of SUB_L00018CD4
L00017DD8:
        pop     esi
        retn    0004h
;------------------------------------------------------------------------------
SSZ00017DDC_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L00017DE4 — BYTE __thiscall (this, BYTE slot): invoke the card's vtable entry +04h unless it is busy.
SUB_L00017DE4:
        push    esi
        push    SSZ00017DDC_TI_Msg_
        mov     esi,ecx
        call    jmp_ntoskrnl.exe!DbgPrint           ; fixed format string, no caller data (no format-string exposure)
        pop     ecx                                 ; drop the cdecl argument
        push    [esp+08h]
        mov     ecx,esi
        call    SUB_L0001775E
        test    al,al
        jnz     L00017E19
        movzx   eax,[esp+08h]
        mov     ecx,[esi+eax*4+20h]
        cmp     byte ptr [ecx+28h],00h              ; +28h: set to 1 before SUB_L0001A476 in SUB_L000179FA; looks like an in-use flag, not cleared in this view — confirm
        jz      L00017E14
        mov     al,C3h                              ; busy -> C3h (same code SUB_L000179FA returns)
        jmp     L00017E19
L00017E14:
        mov     eax,[ecx]                           ; vtable
        call    [eax+04h]                           ; ecx = card object; its al is the return value
L00017E19:
        pop     esi
        retn    0004h
;------------------------------------------------------------------------------
        Align 2
; SUB_L00017E1E — BYTE __thiscall (this, BYTE slot, DWORD arg): forwards arg to SUB_L0001A1AC on the card; always returns 0.
SUB_L00017E1E:
        push    esi
        push    [esp+08h]
        mov     esi,ecx
        call    SUB_L0001775E
        test    al,al
        jnz     L00017E42
        movzx   eax,[esp+08h]
        push    [esp+0Ch]                           ; arg2 (stack here: esi, ret, slot, arg)
        mov     ecx,[esi+eax*4+20h]
        call    SUB_L0001A1AC                       ; its result is discarded
        xor     al,al
L00017E42:
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
; SUB_L00017E46 — BYTE __thiscall (this, BYTE slot, DWORD arg); the body continues on the next listing line.
SUB_L00017E46:
        push    esi
        push    [esp+08h]
        mov     esi,ecx
        call    SUB_L0001775E
        test    al,al
        jnz     L00017E79
        movzx   eax,[esp+08h]
        lea     esi,[esi+eax*4+20h]                 ; esi = &this->slot[idx]
        mov     ecx,[esi]
        call
SUB_L0001A166
        cmp     al,22h                              ; 22h: a second card-type code (SUB_L000177C2 builds a different object for it)
        jz      L00017E6E
        mov     al,A2h                              ; wrong card type -> A2h, as in SUB_L00017C52..SUB_L00017D18
        jmp     L00017E79
L00017E6E:
        push    [esp+0Ch]                           ; arg2
        mov     ecx,[esi]
        call    SUB_L0001DB10                       ; status comes back in al
L00017E79:
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
        Align 2
SSZ00017E7E_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L00017E86 — BYTE __thiscall (this, BYTE slot): calls the card's vtable entry +18h and returns its al.
SUB_L00017E86:
        push    esi
        push    [esp+08h]
        mov     esi,ecx
        call    SUB_L0001775E
        test    al,al
        jnz     L00017EB5
        movzx   eax,[esp+08h]
        mov     ecx,[esi+eax*4+20h]
        mov     eax,[ecx]
        push    ebx
        call    [eax+18h]                           ; ecx = card object
        push    SSZ00017E7E_TI_Msg_
        mov     bl,al                               ; keep the result across DbgPrint (eax is volatile)
        call    jmp_ntoskrnl.exe!DbgPrint           ; fixed format string
        pop     ecx
        mov     al,bl
        pop     ebx
L00017EB5:
        pop     esi
        retn    0004h
;------------------------------------------------------------------------------
        Align 2
SSZ00017EBA_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L00017EC2 — BYTE __thiscall (this, DWORD v): this->dword_04 = v; returns 0. v is not validated.
SUB_L00017EC2:
        push    esi
        push    SSZ00017EBA_TI_Msg_
        mov     esi,ecx
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[esp+0Ch]                       ; arg1 (stack here: fmt, esi, ret, arg)
        pop     ecx
        mov     [esi+04h],eax
        xor     al,al
        pop     esi
        retn    0004h
;------------------------------------------------------------------------------
        Align 2
; SUB_L00017EDE / SUB_L00017EEA / SUB_L00017EF6 — plain __thiscall setters (ecx = this, one stack arg, return 0).
; SUB_L000177C2 copies this->+04h/+08h/+0Ch/+10h into each card object it creates.
SUB_L00017EDE:
        mov     eax,[esp+04h]
        mov     [ecx+08h],eax
        xor     al,al
        retn    0004h
;------------------------------------------------------------------------------
SUB_L00017EEA:
        mov     eax,[esp+04h]
        mov     [ecx+10h],eax
        xor     al,al
        retn    0004h
;------------------------------------------------------------------------------
SUB_L00017EF6:
        mov     eax,[esp+04h]
        mov     [ecx+14h],eax                       ; the same value lands in two fields
        mov     [ecx+0Ch],eax
        xor     al,al
        retn    0004h
;------------------------------------------------------------------------------
        Align 2
; SUB_L00017F06 — BOOL __thiscall (this, BYTE slot): 1 when the validator accepts the index, else 0.
SUB_L00017F06:
        push    [esp+04h]
        call    SUB_L0001775E                       ; ecx (this) passes straight through
        neg     al                                  ; CF = (status != 0)
        sbb     al,al                               ; al = status ? FFh : 00h
        inc     al                                  ; al = status ? 0 : 1
        retn    0004h
;------------------------------------------------------------------------------
; SUB_L00017F18 — DWORD __thiscall (this): builds a bit mask of per-slot state.
; Returns 0 at once when this->byte_1C is nonzero. The body continues on the next listing line.
SUB_L00017F18:
        push    ebx
        push    esi
        mov     esi,ecx
        xor     ebx,ebx                             ; ebx = result mask
        cmp     [esi+1Ch],bl
        jz      L00017F2A
        xor     eax,eax
        jmp     L00017FDF
L00017F2A:
        mov     ecx,[esi+20h]                       ; slot 0
        test    ecx,ecx
        push    edi                                 ; push leaves flags intact
        mov     edi,00000100h                       ; bit tested in each card's vtable+08h result
        jz      L00017F42
        mov     eax,[ecx]
        call    [eax+08h]
        test    edi,eax
        jz      L00017F42
        mov     ebx,edi                             ; bit 8: slot 0
L00017F42:
        mov     ecx,[esi+24h]                       ; slot 1
        test    ecx,ecx
        jz      L00017F58
        mov     eax,[ecx]
        call    [eax+08h]
        test    edi,eax
        jz      L00017F58
        or      ebx,00000200h                       ; bit 9: slot 1
L00017F58:
        mov     ecx,[esi+28h]                       ; slot 2
        test    ecx,ecx
        jz      L00017F6E
        mov     eax,[ecx]
        call    [eax+08h]
        test    edi,eax
        jz      L00017F6E
        or      ebx,00000400h                       ; bit 10: slot 2
L00017F6E:
        mov     ecx,[esi+2Ch]                       ; slot 3
        test    ecx,ecx
        jz      L00017F84
        mov     eax,[ecx]
        call    [eax+08h]
        test    edi,eax
        jz      L00017F84
        or      ebx,00000800h                       ; bit 11: slot 3
L00017F84:
        test    byte ptr [esi+18h],01h              ; this->byte_18 holds one pending bit per slot
        pop     edi                                 ; pop does not touch flags
        jz      L00017F97
        push    00000000h
        mov     ecx,esi
        call    SUB_L00017550                       ; per-slot handler (not in view), slot 0
        or      ebx,00000001h
L00017F97:
        test    byte ptr [esi+18h],02h
        jz      L00017FA9
        push    00000001h
        mov     ecx,esi
        call    SUB_L00017550
        or      ebx,00000002h
L00017FA9:
        test    byte ptr [esi+18h],04h
        jz      L00017FBB
        push    00000002h
        mov     ecx,esi
        call    SUB_L00017550
        or      ebx,00000004h
L00017FBB:
        test    byte ptr [esi+18h],08h
        jz      L00017FCD
        push    00000003h
        mov     ecx,esi
        call    SUB_L00017550
        or      ebx,00000008h
L00017FCD:
        mov     eax,[esi]
        push    80000000h                           ; value
        add     eax,00000008h
        push    eax                                 ; address: this->base_00 + 08h
        call    SUB_L0001729C                       ; (address, value) store helper used throughout; not in view
        mov     eax,ebx
L00017FDF:
        pop     esi
        pop     ebx
        retn
;------------------------------------------------------------------------------
SSZ00017FE2_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00017FEA_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00017FF2_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00017FFA_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00018002_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001800A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00018012_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L0001801A — BYTE __thiscall (this, BYTE slot): tear down this->slot[slot].
; Unlike the accessors above it bounds-checks the index itself against this->dword_34 rather than
; calling SUB_L0001775E. Returns A0h (index out of range), A1h (slot empty), 0 (torn down).
; The body continues on the next listing line.
SUB_L0001801A:
        push    ebx
        push    edi
        push    SSZ00017FE2_TI_Msg_
        mov     ebx,ecx                             ; ebx = this
        call    jmp_ntoskrnl.exe!DbgPrint
        movzx   edi,[esp+10h]                       ; edi = slot index (stack here: fmt, edi, ebx, ret, arg)
        cmp     edi,[ebx+34h]                       ; dword_34 = slot count
        pop     ecx                                 ; pop preserves the compare flags
        jc      L00018045                           ; unsigned below: the right condition family for an index
        push    SSZ00017FEA_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     al,A0h                              ; out-of-range index
        jmp     L000180DE
L00018045:
        push    esi
        lea     esi,[ebx+edi*4+20h]                 ; esi = &this->slot[idx]
        cmp     dword ptr [esi],00000000h
        jnz     L0001805D
        push    SSZ00017FF2_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     al,A1h                              ; empty slot; the argument just pushed is popped at L000180DC
        jmp     L000180DC
L0001805D:
        push    SSZ00017FFA_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[esi]
        mov     eax,[eax+04h]                       ; card->base_04: register block, presumably memory-mapped — confirm
        pop     ecx
        add     eax,00000004h
        push    eax
        call    SUB_L0001728E                       ; read [base+04h]; this first result is not used
        mov     eax,[esi]
        mov     eax,[eax+04h]
        add     eax,00000004h
        push    eax
        call    SUB_L0001728E
        and     eax,0000FFF8h                       ; clear the low 3 bits of what was read
        push    eax
        mov     eax,[esi]
        mov     eax,[eax+04h]
        add     eax,00000004h
        push    eax
        call    SUB_L000172AC                       ; write it back: read-modify-write on [base+04h]
        push    SSZ00018002_TI_Msg_
        call
jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] mov eax,[eax+04h] pop ecx add eax,00000004h push eax call SUB_L0001728E push SSZ0001800A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,[esi] test ecx,ecx jz L000180C8 mov eax,[ecx] push 00000001h call [eax] L000180C8: push SSZ00018012_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint and dword ptr [esi],00000000h and byte ptr [edi+ebx+30h],00h xor al,al L000180DC: pop ecx pop esi L000180DE: pop edi pop ebx retn 0004h ;------------------------------------------------------------------------------ Align 4 SSZ000180E4_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000180EC_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000180F4_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000180FC_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L00018104: push ebp mov ebp,esp push ecx push esi push SSZ000180E4_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ000180EC_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] pop ecx add eax,00000008h push eax call SUB_L00017282 mov eax,[esi] push 80000000h add eax,0000000Ch push eax call SUB_L0001729C push SSZ000180F4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] pop ecx add eax,00000008h push eax call SUB_L00017282 and byte ptr [ebp-04h],00h cmp dword ptr [esi+34h],00000000h jbe L00018173 L0001815D: push [ebp-04h] mov ecx,esi call SUB_L0001801A inc [ebp-04h] movzx eax,[ebp-04h] cmp eax,[esi+34h] jc L0001815D L00018173: push SSZ000180FC_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] pop ecx add eax,00000008h push eax call SUB_L00017282 xor al,al pop esi leave retn ;------------------------------------------------------------------------------ SSZ0001818E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ00018196_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001819E_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L000181A6: push ebp mov ebp,esp push ecx push esi push SSZ0001818E_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint and byte ptr [esi+1Ch],00h mov dword ptr [esp],SSZ00018196_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] pop ecx add eax,00000008h push eax call 
SUB_L00017282 mov eax,[esi] push FFFFFFFFh add eax,00000014h push eax call SUB_L0001729C mov eax,[esi] push FFFFFFFFh add eax,0000000Ch push eax call SUB_L0001729C mov eax,[esi] push 80000000h add eax,00000008h push eax call SUB_L0001729C and byte ptr [ebp-04h],00h cmp dword ptr [esi+34h],00000000h jbe L0001823B L00018207: push [ebp-04h] mov ecx,esi call SUB_L00017550 push [ebp-04h] mov ecx,esi call SUB_L000177C2 cmp al,A1h jnz L00018221 xor al,al L00018221: test al,al jz L0001822F push [ebp-04h] mov ecx,esi call SUB_L0001801A L0001822F: inc [ebp-04h] movzx eax,[ebp-04h] cmp eax,[esi+34h] jc L00018207 L0001823B: mov eax,[esi] add eax,00000008h push eax call SUB_L00017282 or eax,0000000Fh push eax mov eax,[esi] add eax,00000008h push eax call SUB_L0001729C push SSZ0001819E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] pop ecx add eax,00000008h push eax call SUB_L00017282 xor al,al pop esi leave retn ;------------------------------------------------------------------------------ SUB_L00018270: mov eax,[ecx+04h] push [esp+04h] add eax,00000104h push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 2 SUB_L00018286: mov eax,[ecx+04h] push [esp+04h] add eax,00000108h push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 4 SUB_L0001829C: mov eax,[ecx+04h] push [esp+04h] add eax,0000010Ch push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 2 SUB_L000182B2: mov eax,[ecx+04h] push [esp+04h] add eax,00000110h push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 4 SUB_L000182C8: mov eax,[ecx+04h] push [esp+04h] add eax,00000114h push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 2 SUB_L000182DE: mov eax,[ecx+04h] 
; Tail of SUB_L000182DE (label and first instruction on the previous listing line): store the argument at base_04 + 118h.
        push    [esp+04h]
        add     eax,00000118h
        push    eax
        call    SUB_L0001729C
        retn    0004h
;------------------------------------------------------------------------------
        Align 4
; SUB_L000182F4 .. SUB_L00018336 — __thiscall (this, DWORD value): store value at this->base_04 + a fixed
; offset (124h, 128h, 12Ch, 138h) through SUB_L0001729C, the (address, value) store helper used throughout
; (not in view). The value is passed through unmasked; the helper's eax is left as the return value.
SUB_L000182F4:
        mov     eax,[ecx+04h]
        push    [esp+04h]                           ; value
        add     eax,00000124h
        push    eax                                 ; address
        call    SUB_L0001729C
        retn    0004h
;------------------------------------------------------------------------------
        Align 2
SUB_L0001830A:
        mov     eax,[ecx+04h]
        push    [esp+04h]
        add     eax,00000128h
        push    eax
        call    SUB_L0001729C
        retn    0004h
;------------------------------------------------------------------------------
        Align 4
SUB_L00018320:
        mov     eax,[ecx+04h]
        push    [esp+04h]
        add     eax,0000012Ch
        push    eax
        call    SUB_L0001729C
        retn    0004h
;------------------------------------------------------------------------------
        Align 2
SUB_L00018336:
        mov     eax,[ecx+04h]
        push    [esp+04h]
        add     eax,00000138h
        push    eax
        call    SUB_L0001729C
        retn    0004h
;------------------------------------------------------------------------------
        Align 4
; SUB_L0001834C — DWORD __thiscall (this, BYTE i): read this->base_04 + 144h + i*4 via SUB_L00017282.
; No range check on i here; SUB_L0001848A, the visible caller, derives i from a bit index it rejects above 7Fh.
SUB_L0001834C:
        movzx   eax,[esp+04h]
        mov     ecx,[ecx+04h]
        lea     eax,[ecx+eax*4+00000144h]
        push    eax
        call    SUB_L00017282
        retn    0004h
;------------------------------------------------------------------------------
; L00018364 .. L000183A8 — KSYNCHRONIZE_ROUTINE bodies (BOOLEAN __stdcall (PVOID ctx)).
; SUB_L000186D4 and its siblings hand them to KeSynchronizeExecution with ctx = &this->dword_AC, so
; each reads that status word serialized against the ISR and returns one bit of it.
L00018364:
        mov     eax,[esp+04h]
        mov     al,[eax]
        and     al,01h                              ; bit 0
        retn    0004h
;------------------------------------------------------------------------------
        Align 4
L00018370:
        mov     eax,[esp+04h]
        mov     eax,[eax]
        test    ah,40h                              ; bit 14 (4000h)
        jz      L0001837F
L0001837B:
        mov     al,01h
        jmp     L00018388
L0001837F:
        test    al,al
        js      L0001837B                           ; bit 7 (80h)
        shr     eax,08h
        and     al,01h                              ; otherwise bit 8 (100h)
L00018388:
        retn    0004h                               ; 1 if any of bits 14/7/8 is set — the three SUB_L000186D4 maps to 2Ah/20h/21h
;------------------------------------------------------------------------------
        Align 4
L0001838C:
        mov     eax,[esp+04h]
        mov     al,[eax]
        shr     al,03h
        and     al,01h                              ; bit 3
        retn    0004h
;------------------------------------------------------------------------------
L0001839A:
        mov     eax,[esp+04h]
        mov     eax,[eax]
        shr     eax,0Bh
        and     al,01h                              ; bit 11
        retn    0004h
;------------------------------------------------------------------------------
L000183A8:
        mov     eax,[esp+04h]
        mov     eax,[eax]
        shr     eax,0Ah
        and     al,01h                              ; bit 10
        retn    0004h
;------------------------------------------------------------------------------
; L000183B6 / L000183C2 — KSYNCHRONIZE_ROUTINE bodies that modify the status word.
; SUB_L00018A44 runs L000183B6 through KeSynchronizeExecution on &this->dword_AC, so the reset happens
; under the interrupt lock. L000183C2 has no caller visible in this view.
L000183B6:
        mov     eax,[esp+04h]
        and     dword ptr [eax],00000000h           ; *ctx = 0
        mov     al,01h                              ; always TRUE
        retn    0004h
;------------------------------------------------------------------------------
L000183C2:
        mov     eax,[esp+04h]
        and     dword ptr [eax],FFFFFFF7h           ; clear bit 3, the bit L0001838C reports
        mov     al,01h
        retn    0004h
;------------------------------------------------------------------------------
; SUB_L000183CE — __thiscall constructor (this, DWORD arg): chains to SUB_L0001AFD6(arg), installs vtable
; L0002302C, zeroes the card state fields, initialises the object at +B8h via SUB_L0001A1F4 (SUB_L00018A44
; later calls KeClearEvent on that address, so it looks like a KEVENT — confirm), stores 0 at
; this->base_04 + 118h, and returns this in eax.
SUB_L000183CE:
        push    ebx
        push    esi
        push    [esp+0Ch]                           ; arg1 forwarded to the base constructor
        mov     esi,ecx                             ; esi = this
        call    SUB_L0001AFD6
        xor     ebx,ebx                             ; ebx = 0 for the zero stores below
        lea     eax,[esi+000000B8h]
        push    eax
        mov     ecx,esi
        mov     dword ptr [esi],L0002302C           ; vtable
        mov     word ptr [esi+00000096h],0200h      ; SUB_L00018CD4 later replaces +96h with a 1 << n value
        mov     [esi+000000A8h],bl
        mov     [esi+2Ch],ebx                       ; dword_2C, the value SUB_L00017D90 copies out to its caller
        mov     [esi+000000C8h],bl
        call    SUB_L0001A1F4
        mov     eax,[esi+04h]
        push    ebx                                 ; value 0
        add     eax,00000118h
        push    eax                                 ; address: base_04 + 118h
        mov     [esi+000000C9h],bl
        mov     byte ptr [esi+18h],03h              ; card type/state byte; SUB_L00018ACA sets 13h/23h/43h here
        mov     [esi+000000ACh],ebx                 ; status word read by the KSYNCHRONIZE routines above
        call    SUB_L0001729C
        mov     [esi+000000E8h],ebx
        mov     [esi+000000ECh],bx
        mov     [esi+000000EEh],bx
        mov     eax,esi                             ; return this
        pop     esi
        pop     ebx
        retn    0004h
;------------------------------------------------------------------------------
        Align 4
; L00018444 — emitted as data by the disassembler; the bytes appear to decode as
;   cmp byte ptr [ecx+18h],13h / mov eax,SSZ0002305C_MULTIMEDIACARD / jz +5 / mov eax,SSZ00023054_SDCARD / retn
; i.e. a __thiscall name getter: type 13h -> "MULTIMEDIACARD", anything else -> "SDCARD".
; Presumably reached only through a vtable, which would explain why no direct call to it is visible.
L00018444:
        db 80h; '?'
        db 79h; 'y'
        db 18h;
        db 13h;
        db B8h; 'ñ'
        dd SSZ0002305C_MULTIMEDIACARD
        db 74h; 't'
        db 05h;
        db B8h; 'ñ'
        dd SSZ00023054_SDCARD
        retn
;------------------------------------------------------------------------------
        Align 2
; L00018456 — same shape as L00018444; the bytes continue on the next listing line.
L00018456:
        db 80h; '?'
db 79h; 'y' db 18h; db 13h; db B8h; 'ñ' dd SSZ00023070_MMC_ db 74h; 't' db 05h; db B8h; 'ñ' dd L0002306C retn ;------------------------------------------------------------------------------ Align 4 SUB_L00018468: push esi mov esi,ecx mov eax,[esi+04h] push 00000000h add eax,00000118h push eax mov dword ptr [esi],L0002302C call SUB_L0001729C mov ecx,esi pop esi jmp L0001B046 Align 2 SUB_L0001848A: push ebp mov ebp,esp sub esp,00000048h mov al,[ebp+08h] or word ptr [ebp-2Ah],FFFFh or word ptr [ebp-28h],FFFFh and byte ptr [ebp+0Fh],00h shr al,04h mov [ebp-08h],ecx movzx cx,al mov al,[ebp+0Ch] mov dl,al shr dl,04h cmp byte ptr [ebp+10h],00h push ebx movzx bx,dl mov [ebp-04h],ecx mov word ptr [ebp-48h],0001h mov word ptr [ebp-46h],0003h mov word ptr [ebp-44h],0007h mov word ptr [ebp-42h],000Fh mov word ptr [ebp-40h],001Fh mov word ptr [ebp-3Eh],003Fh mov word ptr [ebp-3Ch],007Fh mov word ptr [ebp-3Ah],00FFh mov word ptr [ebp-38h],01FFh mov word ptr [ebp-36h],03FFh mov word ptr [ebp-34h],07FFh mov word ptr [ebp-32h],0FFFh mov word ptr [ebp-30h],1FFFh mov word ptr [ebp-2Eh],3FFFh mov word ptr [ebp-2Ch],7FFFh mov word ptr [ebp-26h],FFFEh mov word ptr [ebp-24h],FFFCh mov word ptr [ebp-22h],FFF8h mov word ptr [ebp-20h],FFF0h mov word ptr [ebp-1Eh],FFE0h mov word ptr [ebp-1Ch],FFC0h mov word ptr [ebp-1Ah],FF80h mov word ptr [ebp-18h],FF00h mov word ptr [ebp-16h],FE00h mov word ptr [ebp-14h],FC00h mov word ptr [ebp-12h],F800h mov word ptr [ebp-10h],F000h mov word ptr [ebp-0Eh],E000h mov word ptr [ebp-0Ch],C000h mov word ptr [ebp-0Ah],8000h jnz L0001857B mov byte ptr [ebp+0Fh],06h L0001857B: cmp [ebp+08h],al jc L00018586 cmp byte ptr [ebp+08h],7Fh jbe L0001858A L00018586: xor eax,eax jmp L000185FE L0001858A: movzx edx,al push esi movzx esi,[ebp+08h] add edx,00000020h cmp esi,edx jle L0001859D xor eax,eax jmp L000185FD L0001859D: add cl,[ebp+0Fh] mov dl,bl push edi shl dl,04h sub al,dl mov [ebp+13h],al push ecx mov ecx,[ebp-08h] call SUB_L0001834C mov cl,[ebp-04h] movzx 
edi,[ebp+13h] mov esi,eax mov al,[ebp+08h] shl cl,04h sub al,cl movzx eax,al movzx eax,[ebp+eax*2-48h] and esi,eax cmp [ebp-04h],bx jz L000185ED add bl,[ebp+0Fh] mov ecx,[ebp-08h] shl esi,10h push ebx call SUB_L0001834C movzx ecx,[ebp+edi*2-28h] and eax,ecx jmp L000185F6 L000185ED: movzx eax,[ebp+edi*2-28h] and esi,eax mov eax,esi L000185F6: mov ecx,edi or eax,esi shr eax,cl pop edi L000185FD: pop esi L000185FE: pop ebx leave retn 000Ch ;------------------------------------------------------------------------------ Align 4 L00018604: push ebx push esi push [esp+10h] mov esi,ecx push [esp+10h] call SUB_L0001A37E cmp byte ptr [esp+10h],00h mov bl,al jz L00018648 mov eax,[esi+04h] add eax,00000114h push eax call SUB_L00017282 mov ecx,[esi+000000ACh] or ecx,eax mov [esi+000000B0h],ecx push eax mov ecx,esi mov [esi+000000B4h],eax call SUB_L000182C8 L00018648: xor eax,eax mov al,bl pop esi pop ebx or eax,[esp+08h] retn 0008h ;------------------------------------------------------------------------------ Align 2 L00018656: push esi push edi mov esi,ecx call SUB_L0001A3BE cmp byte ptr [esi+22h],00h mov edi,eax jz L000186CE test byte ptr [esi+000000B4h],08h jz L00018690 mov eax,[esi+04h] add eax,00000118h push eax call SUB_L00017282 or eax,00000014h push eax mov ecx,esi call SUB_L000182DE mov byte ptr [esi+000000C8h],01h L00018690: test byte ptr [esi+000000B4h],10h jz L000186A0 and byte ptr [esi+000000C8h],00h L000186A0: test byte ptr [esi+000000B4h],04h jz L000186B0 mov byte ptr [esi+000000C8h],01h L000186B0: mov eax,[esi+000000B0h] mov [esi+000000ACh],eax lea eax,[esi+000000B8h] push eax mov ecx,esi call SUB_L0001A222 and byte ptr [esi+22h],00h L000186CE: mov eax,edi pop edi pop esi retn ;------------------------------------------------------------------------------ Align 4 SUB_L000186D4: push ebx push ebp mov ebp,[ntoskrnl.exe!KeSynchronizeExecution] push esi push edi mov esi,ecx lea edi,[esi+000000ACh] push edi push L00018364 push [esi+08h] xor bl,bl call ebp test al,al 
jnz L000187AA L000186FB: test bl,bl jnz L00018770 cmp [esi+26h],bl jnz L0001878B push edi push L00018370 push [esi+08h] call ebp test al,al jz L00018737 test dword ptr [edi],00004000h jz L00018722 add bl,2Ah L00018722: test byte ptr [edi],80h jz L00018729 mov bl,20h L00018729: test dword ptr [edi],00000100h jz L00018733 mov bl,21h L00018733: test bl,bl jnz L00018761 L00018737: push FF676980h lea eax,[esi+000000B8h] push eax mov ecx,esi call SUB_L0001A23A cmp byte ptr [esi+26h],00h mov bl,al jnz L0001878B push edi push L00018370 push [esi+08h] call ebp test al,al jnz L0001878F L00018761: push edi push L00018364 push [esi+08h] call ebp test al,al jz L000186FB L00018770: cmp bl,87h jnz L000187AA mov eax,[esi+04h] add eax,00000114h push eax call SUB_L00017282 test al,01h jz L000187AA xor al,al jmp L000187AC L0001878B: mov al,86h jmp L000187AC L0001878F: test dword ptr [edi],00004000h jz L00018799 mov bl,2Ah L00018799: test byte ptr [edi],80h jz L000187A0 mov bl,20h L000187A0: test dword ptr [edi],00000100h jz L000187AA mov bl,21h L000187AA: mov al,bl L000187AC: pop edi pop esi pop ebp pop ebx retn ;------------------------------------------------------------------------------ Align 2 SUB_L000187B2: push ebx push ebp mov ebp,[ntoskrnl.exe!KeSynchronizeExecution] push esi push edi mov esi,ecx lea edi,[esi+000000ACh] push edi push L0001838C push [esi+08h] xor bl,bl call ebp test al,al jnz L0001888E L000187D9: test bl,bl jnz L00018852 cmp [esi+26h],bl jnz L0001886F push edi push L00018370 push [esi+08h] call ebp test al,al jz L00018815 test dword ptr [edi],00004000h jz L00018800 add bl,2Ah L00018800: test byte ptr [edi],80h jz L00018807 mov bl,20h L00018807: test dword ptr [edi],00000100h jz L00018811 mov bl,21h L00018811: test bl,bl jnz L0001883F L00018815: push FECED300h lea eax,[esi+000000B8h] push eax mov ecx,esi call SUB_L0001A23A cmp byte ptr [esi+26h],00h mov bl,al jnz L0001886F push edi push L00018370 push [esi+08h] call ebp test al,al jnz L00018873 L0001883F: push 
edi push L0001838C push [esi+08h] call ebp test al,al jz L000187D9 test bl,bl jz L00018854 L00018852: mov eax,[edi] L00018854: cmp bl,87h jnz L0001888E mov eax,[esi+04h] add eax,00000114h push eax call SUB_L00017282 test al,08h jz L0001888E xor al,al jmp L00018890 L0001886F: mov al,86h jmp L00018890 L00018873: test dword ptr [edi],00004000h jz L0001887D mov bl,2Ah L0001887D: test byte ptr [edi],80h jz L00018884 mov bl,20h L00018884: test dword ptr [edi],00000100h jz L0001888E mov bl,21h L0001888E: mov al,bl L00018890: pop edi pop esi pop ebp pop ebx retn ;------------------------------------------------------------------------------ Align 2 SUB_L00018896: push ecx and byte ptr [esp+03h],00h push ebx push ebp mov ebp,[ntoskrnl.exe!KeSynchronizeExecution] push esi push edi mov esi,ecx lea edi,[esi+000000ACh] push edi mov ebx,L0001839A push ebx push [esi+08h] call ebp test al,al jnz L0001892F L000188BE: cmp byte ptr [esp+13h],00h jnz L00018923 cmp byte ptr [esi+26h],00h jnz L00018939 push edi push L00018370 push [esi+08h] call ebp test al,al jz L00018905 test dword ptr [edi],00004000h jz L000188E7 mov byte ptr [esp+13h],2Ah L000188E7: test byte ptr [edi],80h jz L000188F1 mov byte ptr [esp+13h],20h L000188F1: test dword ptr [edi],00000100h jz L000188FE mov byte ptr [esp+13h],21h L000188FE: cmp byte ptr [esp+13h],00h jnz L00018918 L00018905: push FFFFD8F0h lea eax,[esi+000000B8h] push eax mov ecx,esi call SUB_L0001A23A L00018918: push edi push ebx push [esi+08h] call ebp test al,al jz L000188BE L00018923: cmp byte ptr [esp+13h],87h jnz L0001892F and byte ptr [esp+13h],00h L0001892F: mov al,[esp+13h] L00018933: pop edi pop esi pop ebp pop ebx pop ecx retn ;------------------------------------------------------------------------------ L00018939: mov al,86h jmp L00018933 Align 2 SUB_L0001893E: push ecx and byte ptr [esp+03h],00h push ebx push ebp mov ebp,[ntoskrnl.exe!KeSynchronizeExecution] push esi push edi mov esi,ecx lea edi,[esi+000000ACh] push edi mov ebx,L000183A8 
push ebx push [esi+08h] call ebp test al,al jnz L000189D7 L00018966: cmp byte ptr [esp+13h],00h jnz L000189CB cmp byte ptr [esi+26h],00h jnz L000189E1 push edi push L00018370 push [esi+08h] call ebp test al,al jz L000189AD test dword ptr [edi],00004000h jz L0001898F mov byte ptr [esp+13h],2Ah L0001898F: test byte ptr [edi],80h jz L00018999 mov byte ptr [esp+13h],20h L00018999: test dword ptr [edi],00000100h jz L000189A6 mov byte ptr [esp+13h],21h L000189A6: cmp byte ptr [esp+13h],00h jnz L000189C0 L000189AD: push FFFFD8F0h lea eax,[esi+000000B8h] push eax mov ecx,esi call SUB_L0001A23A L000189C0: push edi push ebx push [esi+08h] call ebp test al,al jz L00018966 L000189CB: cmp byte ptr [esp+13h],87h jnz L000189D7 and byte ptr [esp+13h],00h L000189D7: mov al,[esp+13h] L000189DB: pop edi pop esi pop ebp pop ebx pop ecx retn ;------------------------------------------------------------------------------ L000189E1: mov al,86h jmp L000189DB Align 2 SUB_L000189E6: push ebx push esi mov esi,ecx xor bl,bl cmp [esi+000000C8h],bl jz L00018A21 L000189F4: test bl,bl jnz L00018A1F cmp [esi+26h],bl jnz L00018A3F push FF676980h lea eax,[esi+000000B8h] push eax mov ecx,esi call SUB_L0001A23A cmp byte ptr [esi+000000C8h],00h mov bl,al jnz L000189F4 test bl,bl jz L00018A21 L00018A1F: xor bl,bl L00018A21: mov eax,[esi+04h] add eax,00000118h push eax call SUB_L00017282 and eax,FFFFFFEBh push eax mov ecx,esi call SUB_L000182DE mov al,bl L00018A3C: pop esi pop ebx retn ;------------------------------------------------------------------------------ L00018A3F: mov al,86h jmp L00018A3C Align 4 SUB_L00018A44: push ebp mov ebp,esp push ecx and byte ptr [ebp-01h],00h xor eax,eax mov al,[ebp+08h] push ebx movzx ebx,[ebp+0Eh] push esi push edi mov edi,[ebp+10h] and edi,0000FF80h and eax,0000003Fh mov esi,ecx or edi,eax L00018A68: push ebx mov ecx,esi call SUB_L0001829C movzx eax,[ebp+0Ch] push eax mov ecx,esi call SUB_L00018286 lea eax,[esi+000000ACh] push eax push L000183B6 push [esi+08h] call 
[ntoskrnl.exe!KeSynchronizeExecution] lea eax,[esi+000000B8h] push eax mov ecx,esi call jmp_ntoskrnl.exe!KeClearEvent push edi mov ecx,esi call SUB_L00018270 mov ecx,esi call SUB_L000186D4 cmp al,20h jnz L00018AC3 mov cl,[ebp-01h] inc [ebp-01h] cmp cl,02h jnc L00018AC3 cmp byte ptr [esi+18h],03h jnz L00018A68 L00018AC3: pop edi pop esi pop ebx leave retn 000Ch ;------------------------------------------------------------------------------ SUB_L00018ACA: push ebx push esi push 00001300h xor ebx,ebx push ebx push 00000005h mov esi,ecx call SUB_L00018A44 test al,al jnz L00018AE7 mov byte ptr [esi+18h],43h jmp L00018B61 L00018AE7: push ebp push edi push 00000003h pop ebp lea edi,[esi+000000B8h] L00018AF2: mov eax,[esi+04h] push 00000080h add eax,00000104h push eax call SUB_L0001729C push FFF0BDC0h push edi mov ecx,esi call SUB_L0001A23A push ebx push ebx push ebx mov ecx,esi call SUB_L00018A44 cmp al,bl jz L00018B29 mov ecx,ebp dec ebp test ecx,ecx jnz L00018AF2 jmp L00018B5F L00018B29: push 00002100h push ebx push 00000037h mov ecx,esi call SUB_L00018A44 movzx ecx,al sub ecx,00000020h jz L00018B4F sub ecx,00000066h jz L00018B5F cmp al,bl jnz L00018B5F mov byte ptr [esi+18h],23h jmp L00018B5D L00018B4F: push ebx push ebx push ebx mov ecx,esi call SUB_L00018A44 mov byte ptr [esi+18h],13h L00018B5D: xor al,al L00018B5F: pop edi pop ebp L00018B61: pop esi pop ebx retn ;------------------------------------------------------------------------------ SUB_L00018B64: push ebp mov ebp,esp sub esp,00000018h push ebx push esi xor ebx,ebx mov esi,ecx cmp byte ptr [esi+18h],23h push edi mov edi,[ntoskrnl.exe!KeQuerySystemTime] setnz al dec al and al,28h inc al mov [ebp-06h],al lea eax,[ebp-18h] push eax mov [ebp-01h],bl mov [ebp-02h],bl call edi L00018B93: cmp [ebp-01h],bl jz L00018BB5 cmp byte ptr [esi+18h],23h jnz L00018BB5 push 00002100h push ebx push 00000037h mov ecx,esi call SUB_L00018A44 cmp al,bl jnz L00018C8C L00018BB5: push 00001300h push 80FC0000h push [ebp-06h] mov 
ecx,esi mov byte ptr [ebp-01h],01h call SUB_L00018A44 cmp al,20h jz L00018C21 cmp al,bl mov byte ptr [ebp-02h],01h jnz L00018C8C lea eax,[ebp-10h] push eax call edi push ebx push 0000001Fh push 0000001Fh mov ecx,esi call SUB_L0001848A test eax,eax jnz L00018C0D mov ecx,[ebp-10h] sub ecx,[ebp-18h] mov eax,[ebp-0Ch] sbb eax,[ebp-14h] cmp eax,ebx jg L00018C0D jl L00018B93 cmp ecx,00989680h jc L00018B93 L00018C0D: push ebx push 0000001Fh push 0000001Fh mov ecx,esi call SUB_L0001848A test eax,eax jnz L00018C2E mov al,2Dh jmp L00018C8C L00018C21: cmp [ebp-02h],bl jnz L00018C2A mov al,27h jmp L00018C8C L00018C2A: mov al,28h jmp L00018C8C L00018C2E: push 00001200h push ebx push 00000002h mov ecx,esi call SUB_L00018A44 cmp al,bl jnz L00018C8C push 00001600h mov edi,L00020000 push edi push 00000003h mov ecx,esi call SUB_L00018A44 cmp al,bl jnz L00018C8C mov al,[esi+18h] cmp al,13h jz L00018C84 cmp al,23h jz L00018C68 mov al,83h jmp L00018C8C L00018C68: push ebx push ebx push 0000001Fh mov ecx,esi call SUB_L0001848A and eax,FFFF0000h mov [esi+000000A4h],eax jnz L00018C8A mov al,2Ch jmp L00018C8C L00018C84: mov [esi+000000A4h],edi L00018C8A: xor al,al L00018C8C: pop edi pop esi pop ebx leave retn ;------------------------------------------------------------------------------ Align 2 SUB_L00018C92: push ebx push esi push edi mov esi,ecx xor bl,bl mov edi,00002100h L00018C9E: push edi push [esi+000000A4h] mov ecx,esi push 00000037h call SUB_L00018A44 inc bl cmp bl,03h jnc L00018CB9 cmp al,25h jz L00018C9E L00018CB9: test al,al jnz L00018CCD movzx eax,[esp+10h] push edi push eax push 00000017h mov ecx,esi call SUB_L00018A44 L00018CCD: pop edi pop esi pop ebx retn 0004h ;------------------------------------------------------------------------------ Align 4 SUB_L00018CD4: push ebp mov ebp,esp sub esp,0000003Ch push ebx push esi push edi mov edi,00002200h push edi mov esi,ecx push [esi+000000A4h] mov dword ptr [ebp-2Ch],00002710h push 00000009h mov dword ptr [ebp-28h],L000186A0 mov 
dword ptr [ebp-24h],000F4240h mov dword ptr [ebp-20h],00989680h mov byte ptr [ebp-1Ch],0Ah mov byte ptr [ebp-1Bh],0Ah mov byte ptr [ebp-1Ah],0Ch mov byte ptr [ebp-19h],0Dh mov byte ptr [ebp-18h],0Fh mov byte ptr [ebp-17h],14h mov byte ptr [ebp-16h],19h mov byte ptr [ebp-15h],1Eh mov byte ptr [ebp-14h],23h mov byte ptr [ebp-13h],28h mov byte ptr [ebp-12h],2Dh mov byte ptr [ebp-11h],32h mov byte ptr [ebp-10h],37h mov byte ptr [ebp-0Fh],3Ch mov byte ptr [ebp-0Eh],46h mov byte ptr [ebp-0Dh],50h call SUB_L00018A44 xor ebx,ebx inc ebx cmp al,21h mov [ebp-01h],al jnz L00018DED cmp byte ptr [esi+18h],13h jnz L00018DF3 and byte ptr [ebp-08h],00h lea eax,[ebp-3Ch] mov [ebp-0Ch],eax L00018D70: xor eax,eax mov al,[ebp-08h] add al,0Fh push ebx push [ebp-08h] mov ecx,esi push eax call SUB_L0001848A mov ecx,[ebp-0Ch] add byte ptr [ebp-08h],10h add dword ptr [ebp-0Ch],00000002h cmp byte ptr [ebp-08h],70h mov [ecx],ax jbe L00018D70 push edi push [esi+000000A4h] mov ecx,esi push 00000009h call SUB_L00018A44 cmp al,21h mov [ebp-01h],al jnz L00018DED and byte ptr [ebp-08h],00h mov al,bl lea edi,[ebp-3Ch] L00018DB7: test al,al jz L00018DD7 xor eax,eax mov al,[ebp-08h] add al,0Fh push ebx push [ebp-08h] mov ecx,esi push eax call SUB_L0001848A cmp [edi],ax jnz L00018DD7 mov al,bl jmp L00018DD9 L00018DD7: xor al,al L00018DD9: add byte ptr [ebp-08h],10h inc edi inc edi cmp byte ptr [ebp-08h],70h jbe L00018DB7 test al,al jz L00018DF3 and byte ptr [ebp-01h],00h L00018DED: cmp byte ptr [ebp-01h],00h jz L00018DFB L00018DF3: mov al,[ebp-01h] jmp L00018F3D L00018DFB: push ebx push 0000007Eh push 0000007Fh mov ecx,esi call SUB_L0001848A push ebx push 00000070h push 00000077h mov ecx,esi call SUB_L0001848A push ebx push 00000068h push 0000006Fh mov ecx,esi mov [esi+000000DFh],al call SUB_L0001848A push ebx push 0000001Ah push 0000001Ch mov ecx,esi mov [esi+000000E0h],al call SUB_L0001848A movzx cx,[esi+000000DFh] movzx dx,[esi+000000E0h] mov [esi+000000E1h],al movzx ax,al push ebx push 00000060h 
; ---- tail of SUB_L00018CD4 (the routine begins on an earlier listing line).
;      Derives per-device size/timing fields from bit-field reads made through
;      SUB_L0001848A.  State on arrival here (set earlier in the routine):
;        ebx = 1
;        [ebp-2Ch..-21h] = four dwords 2710h / 186A0h / 0F4240h / 989680h
;                          (10^4 .. 10^7; PE Explorer renders 186A0h as L000186A0)
;        [ebp-1Ch..-0Dh] = 16-byte multiplier table, all entries non-zero
;        cx = field at [esi+0DFh], dx = field at [esi+0E0h], ax = field at [esi+0E1h]
;        (upper halves of ecx/edx are stale; only 16-bit results are stored)
        add     ecx,edx
        lea     ecx,[ecx+ecx*4]
        shl     ecx,1                           ; cx = (field DFh + field E0h) * 10
        mov     [esi+000000E2h],cx
        imul    eax,ecx                         ; ax = field E1h * [esi+0E2h]
        push    00000067h                       ; args 1 and 60h were pushed on the previous listing line
        mov     ecx,esi
        mov     [esi+000000E4h],ax
        call    SUB_L0001848A                   ; presumably extracts bits 60h..67h — confirm against SUB_L0001848A
        mov     cl,al
        and     cl,07h                          ; low 3 bits: unit selector
        cmp     cl,03h
        jbe     L00018E86
        mov     ecx,00002710h                   ; selector 4..7 -> fixed 10000
        jmp     L00018E8D
L00018E86:
        and     ecx,00000003h
        mov     ecx,[ebp+ecx*4-2Ch]             ; unit = 10^(4+selector)
L00018E8D:
        shr     eax,03h
        and     eax,0000000Fh                   ; bits 3..6: multiplier index
        movzx   edi,[ebp+eax-1Ch]
        mov     eax,[esi+1Ch]
        imul    edi,ecx                         ; divisor = multiplier * unit; never 0 since both tables are non-zero
        xor     edx,edx
        div     edi                             ; eax = [esi+1Ch] / divisor
        lea     ecx,[esi+000000A2h]
        movzx   edx,ax                          ; NOTE: only the low 16 bits of the quotient take part in the check below
        imul    edx,edi
        cmp     edx,[esi+1Ch]
        mov     [ecx],ax
        jnc     L00018EBA
        inc     eax                             ; remainder present: round up
        mov     [ecx],ax
L00018EBA:
        cmp     word ptr [ecx],0000h
        jnz     L00018EC3
        mov     [ecx],bx                        ; clamp [esi+0A2h] to a minimum of 1 (ebx == 1)
L00018EC3:
        push    ebx
        push    00000050h
        push    00000053h
        mov     ecx,esi
        call    SUB_L0001848A                   ; 4-bit field (50h..53h)
        mov     cl,al
        mov     edx,ebx
        shl     edx,cl                          ; dx = 1 << field
        push    ebx
        push    00000016h
        push    00000019h
        mov     ecx,esi
        mov     [esi+00000094h],al              ; shift exponent
        mov     [esi+00000096h],dx              ; 1 << exponent
        call    SUB_L0001848A                   ; 4-bit field (16h..19h)
        mov     cl,al
        mov     edx,ebx
        shl     edx,cl
        push    ebx
        push    0000003Eh
        push    00000049h
        mov     ecx,esi
        mov     [esi+00000098h],al              ; second shift exponent
        mov     [esi+0000009Ah],dx              ; 1 << exponent
        call    SUB_L0001848A                   ; 12-bit field (3Eh..49h)
        push    ebx
        push    0000002Fh
        push    00000031h
        mov     ecx,esi
        mov     [esi+0000009Ch],eax
        call    SUB_L0001848A                   ; 3-bit field (2Fh..31h)
        push    ebx
        push    0000000Dh
        push    0000000Dh
        mov     ecx,esi
        mov     [esi+000000A0h],al
        call    SUB_L0001848A                   ; single bit 0Dh
        dec     eax
        neg     eax
        sbb     al,al
        inc     al                              ; al = (eax == 1) ? 1 : 0
        mov     [esi+25h],al
        xor     al,al                           ; status 0 = success
L00018F3D:
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn
;------------------------------------------------------------------------------
SSZ00018F42__04X_04X: db '%04X%04X',0          ; format for two zero-extended 16-bit values: always exactly 8 hex digits
;------------------------------------------------------------------------------
; L00018F4B — thiscall, ecx = device context (kept in esi), no stack args.
; Issues command 0Ah through SUB_L00018A44, then fills an identification
; string in the context: 9 extracted bytes at [esi+0CAh..0D2h], "000" at
; [esi+0D3h..0D5h], and two 16-bit fields as 8 hex digits + NUL at
; [esi+0D6h..0DEh].  Returns al = 0 on success, else the status from
; SUB_L00018A44 (in which case nothing is written).
; Local: the 4 bytes reserved by "push ecx" hold the two 16-bit fields
; (low word at [ebp-04h], high word at [ebp-02h]); the combined dword is also
; stored at [esi+2Ch].
L00018F4B:
        push    ebp
        mov     ebp,esp
        push    ecx                             ; 4-byte local
        push    esi
        push    00002200h
        mov     esi,ecx
        push    [esi+000000A4h]
        push    0000000Ah
        call    SUB_L00018A44                   ; SUB_L00018A44(0Ah, [esi+0A4h], 2200h)
        test    al,al
        jnz     L00018FFE                       ; failure: exit before ebx/edi are pushed (matching pops are skipped too)
        push    ebx
        push    edi
        xor     bl,bl                           ; bl = bit offset: 0, 8, ..., 40h
        lea     edi,[esi+000000CAh]             ; destination byte pointer
L00018F76:
        xor     eax,eax
        mov     al,78h
        sub     al,bl
        push    00000001h
        mov     ecx,esi
        push    eax                             ; low bit  = 78h - bl
        xor     eax,eax
        mov     al,7Fh
        sub     al,bl
        push    eax                             ; high bit = 7Fh - bl
        call    SUB_L0001848A                   ; one 8-bit field
        add     bl,08h
        mov     [edi],al
        inc     edi
        cmp     bl,48h
        jc      L00018F76                       ; 9 iterations -> [esi+0CAh..0D2h]
        push    00000001h
        mov     byte ptr [esi+000000D3h],30h    ; '0'
        push    00000030h
        mov     byte ptr [esi+000000D4h],30h    ; '0'
        push    00000037h
        mov     ecx,esi
        mov     byte ptr [esi+000000D5h],30h    ; '0'
        call    SUB_L0001848A                   ; 8-bit field (30h..37h)
        push    00000001h
        push    00000018h
        push    0000002Fh
        mov     ecx,esi
        mov     [ebp-02h],ax                    ; first hex group
        call    SUB_L0001848A                   ; 24-bit field (18h..2Fh); only ax is kept
        mov     [ebp-04h],ax                    ; second hex group
        mov     ecx,[ebp-04h]                   ; both groups as one dword
        movzx   eax,ax
        push    eax                             ; second %04X
        movzx   eax,[ebp-02h]
        push    eax                             ; first %04X
        lea     eax,[esi+000000D6h]
        push    SSZ00018F42__04X_04X
        push    eax
        mov     [esi+2Ch],ecx
        call    [ntoskrnl.exe!sprintf]          ; bounded: "%04X%04X" of two 16-bit values is 8 chars + NUL = [esi+0D6h..0DEh]
        and     byte ptr [esi+000000DEh],00h    ; explicit terminator at the last slot
        add     esp,00000010h                   ; 4 cdecl args
        pop     edi
        xor     al,al                           ; success
        pop     ebx
L00018FFE:
        pop     esi
        leave
        retn
;------------------------------------------------------------------------------
; SUB_L00019002 — thiscall, ecx = device context (kept in esi), no stack args.
; Computes:
;   [esi+90h] = (1 << ([esi+0A0h] + 2)) * ([esi+9Ch] + 1)
;   [esi+30h] = (word [esi+96h] * [esi+90h]) >> 20
; then chooses a (word [esi+34h], word [esi+36h]) pair from a threshold ladder
; on [esi+30h] and sets [esi+32h] = [esi+90h] / ([34h] * [36h]) (16-bit
; quotient).  Tail-calls L00018F4B, whose status is the return value.
; The meaning of these fields is not visible here (the 90h value reads like
; a capacity/block count — confirm).
Align 2
SUB_L00019002:
        push    esi
        mov     esi,ecx
        xor     ecx,ecx
        mov     cl,[esi+000000A0h]
        push    edi
        push    00000002h
        xor     eax,eax
        pop     edx                             ; edx = 2 (constant used below)
        inc     eax                             ; eax = 1
        push    00000020h
        add     ecx,edx
        shl     eax,cl                          ; eax = 1 << ([0A0h] + 2)
        mov     ecx,[esi+0000009Ch]
        inc     ecx
        pop     edi                             ; edi = 20h (constant used below)
        imul    eax,ecx                         ; eax = (1 << ([0A0h]+2)) * ([9Ch] + 1)
        movzx   ecx,[esi+00000096h]
        imul    ecx,eax
        shr     ecx,14h                         ; cx = ([96h] * eax) >> 20
        cmp     cx,dx
        mov     [esi+00000090h],eax
        mov     [esi+30h],cx
        ja      L00019049
        ; ---- threshold ladder on cx.  Each matching rung writes both
        ;      [esi+34h] and [esi+36h]; the "cmp/jbe" rungs only route past
        ;      the larger thresholds, so every path stores non-zero words.
        mov     word ptr [esi+36h],0010h        ; cx <= 2
        jmp     L00019053
L00019049:
        cmp     cx,0010h
        ja      L0001905D
        mov     [esi+36h],di                    ; 2 < cx <= 10h : [36h] = 20h
L00019053:
        cmp     cx,0010h
        mov     [esi+34h],dx                    ; cx <= 10h : [34h] = 2
        jbe     L0001906C
L0001905D:
        cmp     cx,di
        ja      L00019071
        mov     word ptr [esi+34h],0004h        ; 10h < cx <= 20h
        mov     [esi+36h],di
L0001906C:
        cmp     cx,di
        jbe     L00019082
L00019071:
        cmp     cx,0080h
        ja      L00019089
        mov     word ptr [esi+34h],0008h        ; 20h < cx <= 80h
        mov     [esi+36h],di
L00019082:
        cmp     cx,0080h
        jbe     L0001909A
L00019089:
        cmp     cx,0100h
        ja      L000190A1
        mov     word ptr [esi+34h],0010h        ; 80h < cx <= 100h
        mov     [esi+36h],di
L0001909A:
        cmp     cx,0100h
        jbe     L000190B4
L000190A1:
        cmp     cx,01F8h
        ja      L000190BB
        mov     word ptr [esi+34h],0010h        ; 100h < cx <= 1F8h
        mov     word ptr [esi+36h],003Fh
L000190B4:
        cmp     cx,01F8h
        jbe     L000190CC
L000190BB:
        cmp     cx,03F0h
        ja      L000190D3
        mov     [esi+34h],di                    ; 1F8h < cx <= 3F0h : [34h] = 20h
        mov     word ptr [esi+36h],003Fh
L000190CC:
        cmp     cx,03F0h
        jbe     L000190E6
L000190D3:
        cmp     cx,07E0h
        ja      L000190ED
        mov     word ptr [esi+34h],0040h        ; 3F0h < cx <= 7E0h
        mov     word ptr [esi+36h],003Fh
L000190E6:
        cmp     cx,07E0h
        jbe     L00019100
L000190ED:
        cmp     cx,0800h
        ja      L00019107
        mov     word ptr [esi+34h],0080h        ; 7E0h < cx <= 800h
        mov     word ptr [esi+36h],003Fh
L00019100:
        cmp     cx,0800h
        jbe     L00019113
L00019107:
        mov     word ptr [esi+34h],0080h        ; cx > 800h
        mov     word ptr [esi+36h],0040h
L00019113:
        movzx   edx,[esi+34h]
        movzx   ecx,[esi+36h]
        imul    ecx,edx                         ; non-zero on every ladder path, so the div cannot fault
        xor     edx,edx
        div     ecx                             ; eax still holds [esi+90h]
        pop     edi
        mov     ecx,esi
        mov     [esi+32h],ax                    ; 16-bit quotient; high bits dropped
        pop     esi
        jmp     L00018F4B                       ; tail call with ecx = this; its status is returned
Align 4 SUB_L00019130: push ebp mov ebp,esp push ecx push ecx push ebx push esi push edi push 00002100h mov esi,ecx push [esi+000000A4h] push 0000000Dh call SUB_L00018A44 xor edi,edi push edi push 00000009h push 0000000Ch mov ecx,esi mov bl,al call SUB_L0001848A mov ecx,[ebp+08h] push edi push 00000008h mov [ecx],al push 00000008h mov ecx,esi call SUB_L0001848A cmp byte ptr [esi+18h],13h mov [esi+000000F0h],al jnz L00019192 mov si,[esi+30h] cmp si,0002h jbe L00019192 cmp si,0010h ja L00019192 mov dword ptr [ebp-08h],FFFE7960h jmp L0001919D L00019192: cmp al,01h jz L000191AD mov dword ptr [ebp-08h],FFFFFE0Ch L0001919D: or dword ptr [ebp-04h],FFFFFFFFh lea eax,[ebp-08h] push eax push edi push edi call [ntoskrnl.exe!KeDelayExecutionThread] L000191AD: pop edi pop esi mov al,bl pop ebx leave retn 0008h ;------------------------------------------------------------------------------ SUB_L000191B6: push ebp lea ebp,[esp-70h] sub esp,00000100h xor eax,eax mov edx,00002000h mov ecx,00003000h mov [ebp-00000090h],ax mov [ebp-0000008Eh],ax mov word ptr [ebp-0000008Ch],1000h mov word ptr [ebp-0000008Ah],1000h mov [ebp-00000088h],ax mov [ebp-00000086h],ax mov [ebp-00000084h],ax mov [ebp-00000082h],dx mov [ebp-80h],ax mov [ebp-7Eh],dx mov [ebp-7Ch],dx mov [ebp-7Ah],ax mov [ebp-78h],dx mov [ebp-76h],dx mov [ebp-74h],ax mov [ebp-72h],dx mov [ebp-70h],dx mov [ebp-6Eh],cx mov [ebp-6Ch],cx mov [ebp-6Ah],ax mov [ebp-68h],ax mov [ebp-66h],ax mov [ebp-64h],ax mov [ebp-62h],ax mov [ebp-60h],cx mov [ebp-5Eh],cx mov [ebp-5Ch],ax mov [ebp-5Ah],cx mov [ebp-58h],dx mov [ebp-56h],dx mov [ebp-54h],cx mov [ebp-52h],ax mov [ebp-50h],dx mov [ebp-4Eh],dx mov [ebp-4Ch],ax mov [ebp-4Ah],ax mov [ebp-48h],ax mov [ebp-46h],ax mov [ebp-44h],dx mov [ebp-42h],ax mov [ebp-40h],ax mov [ebp-3Eh],ax mov [ebp-3Ch],cx mov [ebp-3Ah],ax mov [ebp-38h],ax mov [ebp-36h],ax mov [ebp-34h],ax mov [ebp-32h],ax mov [ebp-30h],ax mov [ebp-2Eh],ax mov [ebp-2Ch],ax mov [ebp-2Ah],ax mov [ebp-28h],ax mov [ebp-26h],ax mov 
[ebp-24h],ax mov [ebp-22h],dx mov [ebp-20h],cx mov [ebp-1Eh],ax mov [ebp-1Ch],ax mov [ebp-1Ah],ax mov [ebp-18h],ax mov [ebp-16h],ax mov [ebp-14h],ax mov [ebp-12h],ax mov [ebp-10h],ax mov [ebp-0Eh],ax mov [ebp-0Ch],ax mov [ebp-0Ah],ax mov [ebp-08h],ax mov [ebp-06h],ax mov [ebp-04h],dx mov [ebp-02h],ax mov [ebp+00h],ax mov [ebp+02h],ax mov [ebp+04h],ax mov [ebp+06h],ax mov [ebp+08h],ax mov [ebp+0Ah],cx cmp byte ptr [ebp+78h],3Fh mov [ebp+0Ch],ax mov [ebp+0Eh],ax mov [ebp+10h],ax mov [ebp+12h],ax mov [ebp+14h],cx mov [ebp+16h],ax mov [ebp+18h],ax mov [ebp+1Ah],ax mov [ebp+1Ch],cx mov [ebp+1Eh],dx mov [ebp+20h],ax mov [ebp+22h],cx mov [ebp+24h],cx mov [ebp+26h],ax mov [ebp+28h],ax mov [ebp+2Ah],ax mov [ebp+2Ch],ax mov [ebp+2Eh],ax mov [ebp+30h],ax mov [ebp+32h],ax mov [ebp+34h],ax mov [ebp+36h],ax mov [ebp+38h],ax mov [ebp+3Ah],ax mov [ebp+3Ch],ax mov [ebp+3Eh],ax mov [ebp+40h],ax mov [ebp+42h],ax mov [ebp+44h],ax mov [ebp+46h],cx mov [ebp+48h],cx mov [ebp+4Ah],cx mov [ebp+4Ch],cx mov [ebp+4Eh],cx mov [ebp+50h],cx mov [ebp+52h],dx mov [ebp+54h],ax mov [ebp+56h],cx mov [ebp+58h],ax mov [ebp+5Ah],ax mov [ebp+5Ch],ax mov [ebp+5Eh],ax mov [ebp+60h],ax mov [ebp+62h],ax mov [ebp+64h],ax mov [ebp+66h],ax mov [ebp+68h],ax mov [ebp+6Ah],ax mov [ebp+6Ch],ax mov [ebp+6Eh],ax jbe L000193F4 xor ax,ax jmp L0001940C L000193F4: cmp [ebp+7Ch],al movzx eax,[ebp+78h] jz L00019404 mov ax,[ebp+eax*2-10h] jmp L0001940C L00019404: mov ax,[ebp+eax*2-00000090h] L0001940C: add ebp,00000070h leave retn 0008h ;------------------------------------------------------------------------------ Align 4 SUB_L00019414: push ecx and byte ptr [esp+03h],00h push ebx push ebp push esi push edi mov edi,[esp+18h] xor eax,eax cmp edi,eax mov esi,ecx jz L00019444 mov [esi+000000E8h],edi mov [esi+000000ECh],ax mov ecx,[edi+08h] shr ecx,09h mov [esi+000000EEh],cx L00019444: cmp [esp+1Ch],eax jz L00019558 mov ebx,[esp+20h] movzx cx,[ebx] add [esi+000000ECh],cx cmp byte ptr [ebx],3Fh jbe L00019469 mov al,C0h jmp 
L000198FA L00019469: cmp byte ptr [esi+28h],00h jz L00019476 mov al,C3h jmp L000198FA L00019476: mov byte ptr [esi+28h],01h cmp byte ptr [ebx],00h jz L00019583 cmp edi,eax mov [esp+18h],eax mov ebp,00000080h jz L0001951E mov eax,[esi+04h] push 0000FFFFh add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] and byte ptr [esi+27h],00h push 00000005h add eax,00000014h push eax call SUB_L000172AC mov eax,[esi+04h] add eax,00000130h cmp byte ptr [edi+0Dh],00h jz L000194DA push 00008000h jmp L000194E3 L000194DA: mov dword ptr [esp+18h],00008000h push ebp L000194E3: push eax call SUB_L0001729C movzx eax,[esi+000000EEh] dec eax push eax mov ecx,esi call SUB_L00018320 movzx eax,[esi+00000096h] dec eax push eax mov ecx,esi call SUB_L0001830A lea eax,[esi+000000ACh] push eax push L000183C2 push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] L0001951E: mov eax,[esi+04h] push [esp+1Ch] add eax,0000000Ch push eax call SUB_L0001729C mov eax,[esi+04h] add eax,00000010h push eax call SUB_L0001728E xor ecx,ecx mov ch,[ebx] and eax,ebp or eax,ecx or eax,[esp+18h] or eax,00000001h push eax mov eax,[esi+04h] add eax,00000010h push eax call SUB_L000172AC jmp L00019583 L00019558: mov eax,[esi+04h] push 00000000h add eax,00000130h push eax call SUB_L0001729C mov eax,[esi+04h] add eax,00000118h push eax call SUB_L00017282 or eax,00000C00h push eax mov ecx,esi call SUB_L000182DE L00019583: test edi,edi mov ebp,[esp+24h] jz L00019665 cmp byte ptr [edi+0Eh],00h jz L000195A9 push 00002100h push [esi+000000A4h] mov ecx,esi push 00000037h call SUB_L00018A44 L000195A9: movzx eax,[edi+0Ch] dec eax mov ecx,00000600h mov edx,00000900h jz L000195E6 dec eax jz L000195DF dec eax jz L000195D8 dec eax jz L000195E6 dec eax jz L000195D4 dec eax jz L000195D0 dec eax jz L000195D8 xor ebx,ebx jmp L000195EB L000195D0: mov ebx,ecx jmp L000195EB L000195D4: mov ebx,edx jmp L000195EB L000195D8: mov ebx,00000300h jmp 
L000195EB L000195DF: mov ebx,00000200h jmp L000195EB L000195E6: mov ebx,00000100h L000195EB: mov al,[edi] cmp al,03h jnz L000195F9 cmp byte ptr [edi+0Eh],00h jnz L000195F9 mov ebx,ecx L000195F9: cmp al,07h jnz L00019605 cmp byte ptr [edi+0Eh],00h jnz L00019605 mov ebx,edx L00019605: xor ecx,ecx mov cl,[edi+0Eh] push ecx push eax mov ecx,esi call SUB_L000191B6 or ebx,eax cmp byte ptr [edi+0Dh],00h jz L0001962D mov eax,ebx and ax,3000h cmp ax,3000h jnz L0001962D or ebx,00008000h L0001962D: test ebp,ebp jz L00019651 mov eax,[esi+04h] push 00000000h add eax,0000012Ch push eax call SUB_L0001729C mov eax,[edi+08h] test eax,eax jz L00019651 dec eax push eax mov ecx,esi call SUB_L0001830A L00019651: xor eax,eax mov al,[edi] push ebx push [edi+04h] mov ecx,esi push eax call SUB_L00018A44 mov [esp+13h],al L00019665: cmp dword ptr [esp+1Ch],00000000h jz L00019774 mov ax,[esi+000000ECh] cmp ax,[esi+000000EEh] jc L000196FF cmp byte ptr [esp+13h],00h jnz L00019706 mov eax,[esi+000000E8h] cmp byte ptr [eax+10h],00h jz L000196E4 mov ecx,esi call SUB_L000187B2 mov bl,al test bl,bl jz L000196CC mov eax,[esi+000000ACh] mov eax,[esi+04h] push 0000FFFFh add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC mov al,bl jmp L000198FA L000196CC: push 00002900h push 00000000h push 0000000Ch mov ecx,esi call SUB_L00018A44 test al,al mov [esp+13h],al jnz L00019706 L000196E4: mov eax,[esi+000000E8h] cmp byte ptr [eax+0Dh],00h jnz L000196FF mov ecx,esi call SUB_L000189E6 mov [esp+13h],al test al,al jmp L00019704 L000196FF: cmp byte ptr [esp+13h],00h L00019704: jz L0001972A L00019706: mov eax,[esi+04h] push 0000FFFFh add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC jmp L000198F6 L0001972A: mov ebx,[ntoskrnl.exe!KeSynchronizeExecution] lea ebp,[esi+20h] jmp L00019752 L00019735: push FF676980h lea eax,[esi+48h] push eax mov ecx,esi call SUB_L0001A23A 
test al,al mov [esp+13h],al jnz L000197B6 cmp [esi+26h],al jnz L000197B6 L00019752: push ebp push L00018364 push [esi+08h] call ebx test al,al jz L00019735 push ebp push L000183B6 push [esi+08h] call ebx and byte ptr [esi+28h],00h mov ebp,[esp+24h] L00019774: test ebp,ebp mov eax,[esi+000000E8h] mov ebx,[eax+08h] jz L000198F6 cmp byte ptr [esp+13h],00h jnz L000198F6 cmp byte ptr [eax+0Fh],00h jz L00019844 cmp byte ptr [eax+0Ch],02h jz L000197A5 test ebx,ebx jz L000197A5 dec ebx L000197A5: mov al,bl shl al,03h dec al test ebx,ebx mov [esp+1Ch],al jz L0001981E jmp L000197F0 L000197B6: mov eax,[esi+04h] push 0000FFFFh add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC and byte ptr [esi+28h],00h cmp byte ptr [esi+26h],00h jz L000198F6 mov al,86h jmp L000198FA L000197EA: xor eax,eax mov al,[esp+1Ch] L000197F0: mov ecx,[esi+000000E8h] cmp byte ptr [ecx+0Ch],02h setz cl sub al,07h push ecx push eax push [esp+24h] mov ecx,esi call SUB_L0001848A mov ecx,[esp+24h] add byte ptr [esp+1Ch],F8h inc [esp+24h] dec ebx mov [ecx],al jnz L000197EA L0001981E: mov esi,[esi+000000E8h] cmp byte ptr [esi+0Ch],02h jz L000198F6 cmp dword ptr [esi+08h],00000000h jz L000198F6 mov eax,[esp+24h] and byte ptr [eax],00h jmp L000198F6 L00019844: cmp byte ptr [edi+0Dh],00h jz L00019877 test ebx,ebx jz L000198DB L00019852: mov ecx,esi call SUB_L0001893E mov eax,[esi+04h] add eax,00000124h push eax call SUB_L00017282 mov [ebp+00h],al inc ebp dec ebx jz L000198DB mov [ebp+00h],ah inc ebp dec ebx jnz L00019852 jmp L000198DB L00019877: mov eax,[esi+04h] add eax,00000118h push eax call SUB_L00017282 or eax,00000014h push eax mov ecx,esi call SUB_L000182DE mov byte ptr [esi+000000C8h],01h jmp L000198BD L00019899: movzx di,[ebp+00h] inc ebp dec ebx jz L000198AB xor eax,eax mov ah,[ebp+00h] or edi,eax inc ebp dec ebx L000198AB: mov ecx,esi call SUB_L00018896 movzx eax,di push eax mov ecx,esi call SUB_L000182F4 L000198BD: test ebx,ebx 
jnz L00019899 mov eax,[esi+000000E8h] cmp [eax+0Eh],bl jnz L000198DB mov ecx,esi call SUB_L000189E6 test al,al mov [esp+13h],al jnz L000198F6 L000198DB: mov eax,[esi+04h] add eax,00000118h push eax call SUB_L00017282 and eax,FFFFF3FFh push eax mov ecx,esi call SUB_L000182DE L000198F6: mov al,[esp+13h] L000198FA: pop edi pop esi pop ebp pop ebx pop ecx retn 0010h ;------------------------------------------------------------------------------ SUB_L00019902: mov dl,[ecx+000000A7h] mov eax,[esp+04h] mov [eax],dl mov cl,[ecx+000000A6h] mov [eax+01h],cl retn 0004h ;------------------------------------------------------------------------------ L0001991A: push esi mov esi,ecx call SUB_L0001AB1E mov eax,[esi] mov ecx,esi pop esi jmp [eax+1Ch] L0001992A: push esi mov esi,ecx call SUB_L00018468 test byte ptr [esp+08h],01h jz L00019940 push esi call SUB_L00014338 pop ecx L00019940: mov eax,esi pop esi retn 0004h ;------------------------------------------------------------------------------ L00019946: push ebp mov ebp,esp sub esp,00000060h push ebx push esi mov esi,ecx mov eax,[esi+04h] push edi push 00000002h add eax,00000168h push eax mov word ptr [esi+000000A2h],003Ch call SUB_L0001729C movzx eax,[esi+000000A2h] mov edi,00000800h or eax,edi push eax mov ecx,esi call SUB_L000182B2 L00019980: mov eax,[esi+04h] add eax,0000016Ch push eax call SUB_L00017282 test al,01h jz L00019980 mov eax,[esi+04h] xor ebx,ebx push ebx add eax,0000012Ch push eax call SUB_L0001729C movzx eax,[esi+000000A2h] or eax,edi push eax mov ecx,esi call SUB_L000182B2 mov eax,[esi+04h] push 00008000h add eax,00000130h push eax call SUB_L0001729C mov eax,[esi+04h] push 000041E9h add eax,00000118h push eax call SUB_L0001729C mov eax,[esi+04h] add eax,00000138h push eax call SUB_L00017282 or eax,00000020h push eax mov ecx,esi call SUB_L00018336 mov eax,[esi+04h] push 00000040h add eax,0000011Ch push eax call SUB_L0001729C mov eax,[esi+04h] push 00007FFFh add eax,00000120h push eax call SUB_L0001729C mov 
eax,[esi+04h] push 00000080h add eax,00000104h push eax call SUB_L0001729C movzx eax,[esi+000000A2h] or eax,edi push eax mov ecx,esi call SUB_L000182B2 push FFF0BDC0h lea eax,[esi+000000B8h] push eax mov ecx,esi call SUB_L0001A23A cmp [esi+26h],bl jz L00019A59 mov al,86h jmp L00019CD3 L00019A59: mov ecx,esi call SUB_L00018ACA cmp al,bl jnz L00019CD3 mov al,[esi+18h] cmp al,43h jnz L00019A82 mov eax,[esi+04h] push 00000080h add eax,00000004h push eax call SUB_L000172AC jmp L00019AAB L00019A82: cmp al,23h jnz L00019A8C test byte ptr [esi+0Ch],01h jnz L00019A96 L00019A8C: cmp al,13h jnz L00019AB2 test byte ptr [esi+0Ch],02h jz L00019AB2 L00019A96: mov eax,[esi+04h] push 00000080h add eax,00000004h push eax call SUB_L000172AC mov byte ptr [esi+18h],43h L00019AAB: mov al,2Eh jmp L00019CD3 L00019AB2: mov ecx,esi call SUB_L00018B64 cmp al,bl jnz L00019CD3 mov ecx,esi call SUB_L00018CD4 cmp al,bl jnz L00019CD3 mov eax,[esi+04h] add eax,00000110h push eax call SUB_L00017282 movzx ecx,[esi+000000A2h] and eax,0000FFC0h or eax,ecx push eax mov ecx,esi call SUB_L000182B2 mov ecx,esi call SUB_L00019002 cmp al,bl jnz L00019CD3 push 00002900h push [esi+000000A4h] mov ecx,esi push 00000007h call SUB_L00018A44 cmp al,bl jnz L00019CD3 movzx eax,[esi+00000096h] mov edi,00002100h push edi push eax push 00000010h mov ecx,esi call SUB_L00018A44 cmp al,bl jnz L00019CD3 movzx eax,[esi+00000096h] dec eax push eax mov ecx,esi call SUB_L0001830A cmp byte ptr [esi+18h],23h jnz L00019CA3 cmp [esi+10h],ebx jz L00019B7B mov eax,[esi+04h] add eax,00000004h push eax call SUB_L0001728E or eax,00000100h push eax mov eax,[esi+04h] add eax,00000004h push eax call SUB_L000172AC L00019B7B: push edi push [esi+000000A4h] mov ecx,esi push 00000037h mov dword ptr [esi+1Ch],016E3600h call SUB_L00018A44 cmp al,bl jnz L00019CD3 push edi push ebx push 0000002Ah mov ecx,esi call SUB_L00018A44 cmp al,bl jnz L00019CD3 lea eax,[ebp-60h] push eax lea eax,[ebp-01h] push eax push ebx lea eax,[ebp-20h] push eax mov 
ecx,esi mov byte ptr [ebp-12h],01h mov [ebp-10h],bl mov byte ptr [ebp-13h],01h mov [ebp-11h],bl mov [ebp-1Ch],ebx mov byte ptr [ebp-20h],0Dh mov dword ptr [ebp-18h],00000040h mov byte ptr [ebp-14h],01h mov [ebp-01h],bl call SUB_L00019414 cmp al,bl jnz L00019CD3 movzx ax,[ebp-5Dh] movzx cx,[ebp-5Ch] shl eax,08h add eax,ecx test ah,FFh jz L00019C07 mov al,27h jmp L00019CD3 L00019C07: lea eax,[ebp-0Ch] push eax lea eax,[ebp-01h] push eax push ebx lea eax,[ebp-20h] push eax mov ecx,esi mov byte ptr [ebp-12h],01h mov [ebp-10h],bl mov byte ptr [ebp-13h],01h mov [ebp-11h],bl mov [ebp-1Ch],ebx mov byte ptr [ebp-20h],33h mov dword ptr [ebp-18h],00000008h mov byte ptr [ebp-14h],01h mov [ebp-01h],bl call SUB_L00019414 cmp al,bl jnz L00019CD3 cmp [esi+10h],ebx jz L00019C89 test byte ptr [ebp-0Bh],04h jz L00019C89 push edi push [esi+000000A4h] mov ecx,esi push 00000037h call SUB_L00018A44 cmp al,bl jnz L00019CD3 push edi push 00000002h push 00000006h mov ecx,esi call SUB_L00018A44 cmp al,bl jnz L00019CD3 movzx eax,[esi+000000A2h] or eax,00008800h push eax mov ecx,esi call SUB_L000182B2 L00019C89: mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E and ax,0200h cmp ax,0200h setz al or [esi+25h],al L00019CA3: xor edi,edi L00019CA5: push ebx lea eax,[ebp-01h] push eax mov ecx,esi call SUB_L00019130 cmp al,bl jnz L00019CCF cmp byte ptr [ebp-01h],04h jnz L00019CC4 cmp byte ptr [esi+000000F0h],01h jz L00019CCF L00019CC4: mov cx,di inc edi cmp cx,2710h jc L00019CA5 L00019CCF: mov byte ptr [esi+24h],01h L00019CD3: pop edi pop esi pop ebx leave retn ;------------------------------------------------------------------------------ L00019CD8: push ebp mov ebp,esp push ecx push ebx mov ebx,[ebp+0Ch] push esi push edi mov edi,[ebp+08h] xor al,al cmp edi,FFFFFFFFh mov esi,ecx jz L00019DE5 cmp edi,[esi+00000090h] jc L00019D01 mov al,82h jmp L00019E4E L00019D01: mov ax,[ebx] test ax,ax jnz L00019D10 xor al,al jmp L00019E4E L00019D10: cmp ax,0800h jbe L00019D1D mov al,2Bh jmp 
L00019E4E L00019D1D: mov cl,[esi+00000094h] shl edi,cl mov dword ptr [ebp-04h],00000000h L00019D2C: push 00000000h lea eax,[ebp+0Fh] push eax mov ecx,esi call SUB_L00019130 test al,al jnz L00019D5A cmp byte ptr [ebp+0Fh],04h jnz L00019D4C cmp byte ptr [esi+000000F0h],01h jz L00019D60 L00019D4C: mov ecx,[ebp-04h] add dword ptr [ebp-04h],00000001h cmp cx,2710h jc L00019D2C L00019D5A: cmp byte ptr [ebp+0Fh],04h jnz L00019D6C L00019D60: test al,al jnz L00019D6C cmp [esi+000000F0h],al jnz L00019D84 L00019D6C: cmp al,86h jnz L00019D75 jmp L00019E4E L00019D75: mov eax,[esi] mov ecx,esi call [eax+1Ch] test al,al jnz L00019E4E L00019D84: movzx eax,[ebx] dec eax push eax mov ecx,esi call SUB_L00018320 movzx eax,[esi+00000096h] dec eax push eax mov ecx,esi call SUB_L0001830A mov eax,[esi+04h] push 00008000h add eax,00000130h push eax call SUB_L0001729C lea eax,[esi+000000ACh] push eax push L000183C2 push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] cmp word ptr [ebx],0001h push 0000B100h mov ecx,esi push edi jnz L00019DDA push 00000011h jmp L00019DDC L00019DDA: push 00000012h L00019DDC: call SUB_L00018A44 test al,al jnz L00019E4E L00019DE5: mov edi,[ebp+10h] movzx dx,[edi] mov cx,[ebx] cmp cx,dx ja L00019E46 mov ecx,esi call SUB_L000187B2 test al,al jz L00019E07 mov ecx,[esi+000000ACh] jmp L00019E4E L00019E07: cmp word ptr [ebx],0001h jnz L00019E13 cmp dword ptr [ebp+08h],FFFFFFFFh jnz L00019E3C L00019E13: push 00002900h push 00000000h push 0000000Ch mov ecx,esi call SUB_L00018A44 test al,al jz L00019E38 cmp al,86h jz L00019E4E mov eax,[esi] mov ecx,esi call [eax+1Ch] test al,al jz L00019E3C jmp L00019E4E L00019E38: cmp al,86h jz L00019E4E L00019E3C: mov cl,[ebx] sub [edi],cl and word ptr [ebx],0000h jmp L00019E4E L00019E46: sub ecx,edx mov [ebx],cx and byte ptr [edi],00h L00019E4E: pop edi pop esi pop ebx leave retn 0010h ;------------------------------------------------------------------------------ Align 2 L00019E56: push ebp mov ebp,esp push ecx and dword ptr 
[ebp-04h],00000000h push ebx push esi mov esi,ecx mov ecx,[ebp+08h] xor bl,bl cmp ecx,FFFFFFFFh push edi mov edi,[ebp+0Ch] jz L00019F7A cmp ecx,[esi+00000090h] jc L00019E83 mov al,82h jmp L0001A088 L00019E83: mov ax,[edi] test ax,ax jnz L00019E92 xor al,al jmp L0001A088 L00019E92: cmp ax,0800h jbe L00019E9F mov al,2Bh jmp L0001A088 L00019E9F: mov ebx,ecx mov cl,[esi+00000098h] shl ebx,cl L00019EA9: push 00000000h lea eax,[ebp+0Fh] push eax mov ecx,esi call SUB_L00019130 test al,al jnz L00019ED7 cmp byte ptr [ebp+0Fh],04h jnz L00019EC9 cmp byte ptr [esi+000000F0h],01h jz L00019EDD L00019EC9: mov cx,[ebp-04h] inc [ebp-04h] cmp cx,2710h jc L00019EA9 L00019ED7: cmp byte ptr [ebp+0Fh],04h jnz L00019EE9 L00019EDD: test al,al jnz L00019EE9 cmp [esi+000000F0h],al jnz L00019F00 L00019EE9: cmp al,86h jz L0001A04B mov eax,[esi] mov ecx,esi call [eax+1Ch] test al,al jnz L0001A088 L00019F00: cmp byte ptr [esi+18h],23h jnz L00019F13 xor eax,eax mov ax,[edi] mov ecx,esi push eax call SUB_L00018C92 L00019F13: movzx eax,[edi] dec eax push eax mov ecx,esi call SUB_L00018320 movzx eax,[esi+00000096h] dec eax push eax mov ecx,esi call SUB_L0001830A mov eax,[esi+04h] push 00000080h add eax,00000130h push eax call SUB_L0001729C lea eax,[esi+000000ACh] push eax push L000183C2 push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] cmp word ptr [edi],0001h push 00003100h mov ecx,esi push ebx jnz L00019F69 push 00000018h jmp L00019F6B L00019F69: push 00000019h L00019F6B: call SUB_L00018A44 mov bl,al test bl,bl jnz L0001A086 L00019F7A: mov edx,[ebp+10h] movzx cx,[edx] mov ax,[edi] cmp ax,cx ja L0001A069 mov ecx,esi call SUB_L000187B2 test al,al jz L00019FA3 mov ecx,[esi+000000ACh] jmp L0001A088 L00019FA3: cmp word ptr [edi],0001h jnz L00019FAF cmp dword ptr [ebp+08h],FFFFFFFFh jnz L00019FFD L00019FAF: xor ebx,ebx and [ebp+0Fh],bl L00019FB4: push 00000000h lea eax,[ebp+0Fh] push eax mov ecx,esi call SUB_L00019130 test al,al jnz L0001A088 cmp byte ptr [ebp+0Fh],07h jz L00019FD8 cmp byte ptr 
; ---- tail of L00019E56 (the routine begins on an earlier listing line).
;      Register roles here: esi = device context, edi = arg2 (pointer to a
;      16-bit count), [ebp+10h] = arg3 (pointer to an 8-bit count),
;      [ebp-04h] = retry counter, [ebp+0Fh] = status byte written by
;      SUB_L00019130 (the compiler reuses the top byte of the consumed arg-2
;      slot for it).  bl carries the status to return.
[esi+000000F0h],01h                             ; operand of the "cmp byte ptr" that starts on the previous listing line
        jz      L00019FE5
L00019FD8:
        mov     cx,bx
        inc     ebx
        cmp     cx,2710h
        jc      L00019FB4                       ; bounded poll of SUB_L00019130: at most 2710h (10000) rounds
        jmp     L00019FF5
L00019FE5:
        push    00002900h
        push    00000000h
        push    0000000Ch
        mov     ecx,esi
        call    SUB_L00018A44                   ; SUB_L00018A44(0Ch, 0, 2900h)
L00019FF5:
        test    al,al
        jnz     L0001A088                       ; non-zero status is returned as-is
L00019FFD:
        and     dword ptr [ebp-04h],00000000h   ; retry counter = 0
        and     byte ptr [ebp+0Fh],00h          ; status byte = 0
L0001A005:
        push    00000000h
        lea     eax,[ebp+0Fh]
        push    eax
        mov     ecx,esi
        call    SUB_L00019130                   ; SUB_L00019130(&status, 0)
        mov     bl,al
        test    bl,bl
        jnz     L0001A034                       ; error from the poll
        cmp     byte ptr [ebp+0Fh],04h
        jnz     L0001A027
        cmp     byte ptr [esi+000000F0h],01h
        jz      L0001A03A                       ; status 4 with [esi+0F0h] == 1: finished
L0001A027:
        mov     ax,[ebp-04h]
        inc     [ebp-04h]
        cmp     ax,2710h
        jc      L0001A005                       ; second bounded poll: up to 10000 rounds
L0001A034:
        cmp     byte ptr [ebp+0Fh],04h
        jnz     L0001A046
L0001A03A:
        test    bl,bl
        jnz     L0001A046
        cmp     [esi+000000F0h],bl
        jnz     L0001A05C                       ; bl == 0 and [esi+0F0h] != 0: go adjust the counts
L0001A046:
        cmp     bl,86h
        jnz     L0001A04F
L0001A04B:
        mov     al,86h                          ; 86h is also what L00019946 returns when [esi+26h] is set; looks like an abort status — confirm
        jmp     L0001A088
L0001A04F:
        mov     eax,[esi]
        mov     ecx,esi
        call    [eax+1Ch]                       ; slot 1Ch of the function table at [esi] (recovery routine, presumably — confirm)
        mov     bl,al
        test    bl,bl
        jnz     L0001A086
L0001A05C:
        mov     cl,[edi]
        mov     eax,[ebp+10h]
        sub     [eax],cl                        ; *arg3 -= (byte)*arg2
        and     word ptr [edi],0000h            ; *arg2 = 0
        jmp     L0001A071
L0001A069:                                      ; reached from the "ja" on the previous listing line with ax = *arg2, cx = *arg3, edx = arg3
        sub     eax,ecx
        mov     [edi],ax                        ; *arg2 -= *arg3
        and     byte ptr [edx],00h              ; *arg3 = 0
L0001A071:
        lea     eax,[esi+000000ACh]
        push    eax
        push    L000183B6
        push    [esi+08h]
        call    [ntoskrnl.exe!KeSynchronizeExecution]   ; KeSynchronizeExecution([esi+08h] (interrupt object, presumably), L000183B6, &[esi+0ACh])
L0001A086:
        mov     al,bl
L0001A088:
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn    0010h                           ; callee cleans 16 bytes of arguments
;------------------------------------------------------------------------------
; SUB_L0001A090 — thiscall, ecx = context; stack arg: index (zero-extended).
; Returns SUB_L00017282([ecx+04h] + index + 200h).  [ecx+04h] looks like a
; register/window base and SUB_L00017282 a read helper — neither is visible
; here, confirm.  The only range limit on the index is its zero-extension.
Align 4
SUB_L0001A090:
        movzx   eax,[esp+04h]
        mov     ecx,[ecx+04h]
        lea     eax,[ecx+eax+00000200h]
        push    eax
        call    SUB_L00017282
        retn    0004h
;------------------------------------------------------------------------------
; SUB_L0001A0A8 — thiscall, ecx = context; stack args: index, value.
; SUB_L0001729C([ecx+04h] + index + 200h, value): write counterpart of
; SUB_L0001A090 (presumed — confirm).
SUB_L0001A0A8:
        movzx   eax,[esp+04h]
        mov     ecx,[ecx+04h]
        push    [esp+08h]                       ; value (esp not yet changed)
        lea     eax,[ecx+eax+00000200h]
        push    eax
        call    SUB_L0001729C
        retn    0008h
;------------------------------------------------------------------------------
SSZ0001A0C4_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L0001A0CC — thiscall, ecx = object.  Stores L00023078 in the first dword
; of the object — the slot other routines call through ("mov eax,[esi] /
; call [eax+1Ch]") — so this reads like a constructor installing a function
; table; confirm.  "pop ecx" discards DbgPrint's cdecl argument.
SUB_L0001A0CC:
        push    SSZ0001A0C4_TI_Msg_
        mov     dword ptr [ecx],L00023078
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        retn
;------------------------------------------------------------------------------
; SUB_L0001A0DE — thiscall (ecx is passed through untouched to SUB_L0001A090);
; stack arg: byte offset.  Reads the dword at (offset & ~3) and returns byte
; lane (offset & 3) in al: an 8-bit read built on the dword accessor.  The
; dword is parked in the arg slot [ebp+08h] so the lane can be indexed.
SUB_L0001A0DE:
        push    ebp
        mov     ebp,esp
        push    ebx
        mov     ebx,[ebp+08h]
        mov     eax,ebx
        and     eax,FFFFFFFCh                   ; dword-aligned offset
        push    eax
        call    SUB_L0001A090
        and     ebx,00000003h                   ; byte lane
        mov     [ebp+08h],eax
        mov     al,[ebp+ebx+08h]
        pop     ebx
        pop     ebp
        retn    0004h
;------------------------------------------------------------------------------
; SUB_L0001A100 — thiscall, ecx = context; stack args: byte offset, byte value.
; Read-modify-write of one byte through the dword accessors: reads the dword
; at (offset & 0FFFCh) with SUB_L0001A090, patches lane (offset & 3) in the
; parked copy at [ebp+08h], writes the dword back with SUB_L0001A0A8.
; Note the 16-bit mask (0000FFFCh) here versus FFFFFFFCh in SUB_L0001A0DE.
; Not atomic: the other three lanes are rewritten with whatever was read.
Align 4
SUB_L0001A100:
        push    ebp
        mov     ebp,esp
        push    ebx
        mov     ebx,[ebp+08h]
        push    esi
        push    edi
        mov     esi,ebx
        and     esi,0000FFFCh                   ; dword-aligned offset (16-bit)
        push    esi
        mov     edi,ecx                         ; keep "this" for the write call
        call    SUB_L0001A090
        mov     [ebp+08h],eax
        mov     al,[ebp+0Ch]
        and     ebx,00000003h                   ; byte lane
        mov     [ebp+ebx+08h],al
        push    [ebp+08h]
        mov     ecx,edi
        push    esi
        call    SUB_L0001A0A8
        pop     edi
        pop     esi
        pop     ebx
        pop     ebp
        retn    0008h
;------------------------------------------------------------------------------
; SUB_L0001A138 — thiscall (ecx passed through); stack arg: word index.
; Reads the dword at ((index & 0FFFEh) << 1) via SUB_L0001A090 and returns
; word lane (index & 1) in ax: a 16-bit read built on the dword accessor.
SUB_L0001A138:
        push    ebp
        mov     ebp,esp
        push    ebx
        mov     ebx,[ebp+08h]
        mov     eax,ebx
        and     eax,0000FFFEh
        shl     eax,1                           ; word index -> dword-aligned byte offset
        push    eax
        call    SUB_L0001A090
        and     ebx,00000001h                   ; word lane
        mov     [ebp+08h],eax
        mov     ax,[ebp+ebx*2+08h]
        pop     ebx
        pop     ebp
        retn    0004h
;------------------------------------------------------------------------------
SSZ0001A15E_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L0001A166 — thiscall, ecx = context.  DbgPrint trace, then returns
; al = [ecx+18h] (the byte other routines compare with 13h/23h/43h; presumably
; a card/media type — confirm).
SUB_L0001A166:
        push    esi
        push    SSZ0001A15E_TI_Msg_
        mov     esi,ecx
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     al,[esi+18h]
        pop     ecx                             ; discard DbgPrint's argument
        pop     esi
        retn
;------------------------------------------------------------------------------
; SUB_L0001A17A — stdcall-style (retn 4); stack arg: signed 32-bit interval.
; Sign-extends the argument into a LARGE_INTEGER at [ebp-08h] and calls
; KeDelayExecutionThread(WaitMode=0 (KernelMode), Alertable=0, &interval).
; A negative interval is relative (KeDelayExecutionThread convention);
; SUB_L00019130 builds such a relative delay inline (FFFE7960h).
Align 2
SUB_L0001A17A:
        push    ebp
        mov     ebp,esp
        push    ecx
        push    ecx                             ; 8-byte local for the interval
        mov     eax,[ebp+08h]
        cdq                                     ; sign-extend into edx
        mov     [ebp-08h],eax
        lea     eax,[ebp-08h]
        push    eax
        push    00000000h
        push    00000000h
        mov     [ebp-04h],edx
        call    [ntoskrnl.exe!KeDelayExecutionThread]
        leave
        retn    0004h
;------------------------------------------------------------------------------
Align 4
SSZ0001A19C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A1A4_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L0001A1AC — thiscall, ecx = context (kept in edi); stack arg: byte flag.
; Reads the value at [ecx+04h]+04h via SUB_L0001728E, sets bit 40h when the
; flag is non-zero or clears it otherwise, and writes it back through
; SUB_L000172AC.  The stack math requires both helpers to clean their own
; arguments (after the read, [esp+0Ch] must still be the flag).  Each branch
; emits one DbgPrint; "pop ecx" discards its argument.
SUB_L0001A1AC:
        push    esi
        push    edi
        mov     edi,ecx
        mov     eax,[edi+04h]
        add     eax,00000004h
        push    eax
        call    SUB_L0001728E
        cmp     byte ptr [esp+0Ch],00h          ; the flag argument
        mov     esi,eax
        jz      L0001A1D4
        push    SSZ0001A19C_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        or      esi,00000040h                   ; set bit 6
        jmp     L0001A1E1
L0001A1D4:
        push    SSZ0001A1A4_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        and     esi,FFFFFFBFh                   ; clear bit 6
L0001A1E1:
        mov     eax,[edi+04h]
        pop     ecx                             ; discard DbgPrint's argument
        add     eax,00000004h
        push    esi
        push    eax
        call    SUB_L000172AC                   ; write back (helper not visible here)
        pop     edi
        pop     esi
        retn    0004h
;------------------------------------------------------------------------------
; SUB_L0001A1F4 — stack arg: PKEVENT.  KeInitializeEvent(event, Type=0,
; State=0): type 0 is NotificationEvent, initially non-signalled.
SUB_L0001A1F4:
        push    00000000h                       ; State
        push    00000000h                       ; Type
        push    [esp+0Ch]                       ; Event (arg 1, seen past the two pushes)
        call    [ntoskrnl.exe!KeInitializeEvent]
        retn    0004h
;------------------------------------------------------------------------------
; SUB_L0001A206 — thiscall, ecx = context.  If [esi+26h] is clear, signals
; the event at [esi+38h] with KeSetEvent(event, 0, FALSE); then sets
; [esi+26h] = 1, so the signal is one-shot.  [esi+38h] is one of the two
; objects SUB_L0001A23A waits on, and a set [esi+26h] makes L00019946 return
; 86h — this reads like the stop/abort request; confirm.
Align 2
SUB_L0001A206:
        push    esi
        mov     esi,ecx
        xor     eax,eax
        cmp     [esi+26h],al
        jnz     L0001A21C                       ; already requested: do not signal again
        push    eax                             ; Wait = FALSE
        push    eax                             ; Increment = 0
        lea     eax,[esi+38h]
        push    eax
        call    [ntoskrnl.exe!KeSetEvent]
L0001A21C:
        mov     byte ptr [esi+26h],01h
        pop     esi
        retn
;------------------------------------------------------------------------------
; SUB_L0001A222 — stack arg: PKEVENT.  KeSetEvent(event, 0, FALSE).
SUB_L0001A222:
        push    00000000h                       ; Wait
        push    00000000h                       ; Increment
        push    [esp+0Ch]                       ; Event
        call    [ntoskrnl.exe!KeSetEvent]
        retn    0004h
;------------------------------------------------------------------------------
Align 4
jmp_ntoskrnl.exe!KeClearEvent: jmp [ntoskrnl.exe!KeClearEvent]   ; import thunk
; SUB_L0001A23A — thiscall, ecx = context; stack args: (1) PKEVENT to wait on
; and then clear, (2) signed 32-bit timeout, 0 = no timeout.
; KeWaitForMultipleObjects(Count=2, Object[]={ecx+38h, arg1}, WaitType=1
; (WaitAny), WaitReason=0, WaitMode=0 (KernelMode), Alertable=0, Timeout,
; WaitBlockArray=NULL), then KeClearEvent(arg1).  Returns al = 87h if the
; wait status was 102h (STATUS_TIMEOUT), else 0.  Because ecx+38h is the
; event SUB_L0001A206 signals, a stop request wakes every wait that uses
; this helper.
SUB_L0001A23A:
        push    ebp
        mov     ebp,esp
        sub     esp,00000010h                   ; [ebp-10h..-09h] Object[2], [ebp-08h..-01h] timeout
        mov     eax,[ebp+0Ch]
        add     ecx,00000038h
        cdq                                     ; sign-extend the timeout
        push    esi
        mov     esi,[ebp+08h]
        mov     [ebp-10h],ecx                   ; Object[0] = this+38h
        xor     ecx,ecx
        cmp     [ebp+0Ch],ecx
        mov     [ebp-08h],eax
        push    edi
        mov     [ebp-0Ch],esi                   ; Object[1] = arg1
        mov     [ebp-04h],edx
        lea     eax,[ebp-08h]                   ; &timeout
        jnz     L0001A264
        xor     eax,eax                         ; timeout 0 -> NULL (wait without timeout)
L0001A264:
        push    ecx                             ; WaitBlockArray = NULL
        push    eax                             ; Timeout
        push    ecx                             ; Alertable = FALSE
        push    ecx                             ; WaitMode = KernelMode
        push    ecx                             ; WaitReason = 0
        push    00000001h                       ; WaitType = WaitAny
        lea     eax,[ebp-10h]
        push    eax                             ; Object[]
        push    00000002h                       ; Count
        call    [ntoskrnl.exe!KeWaitForMultipleObjects]
        push    esi
        mov     edi,eax                         ; keep the wait status across KeClearEvent
        call    [ntoskrnl.exe!KeClearEvent]
        cmp     edi,00000102h                   ; STATUS_TIMEOUT
        setnz   al
        dec     al                              ; al = 0FFh on timeout, 0 otherwise
        pop     edi
        pop     esi
        and     eax,00000087h                   ; -> 87h or 0; also drops whatever KeClearEvent left in the upper bits
        leave
        retn    0008h
;------------------------------------------------------------------------------
SSZ0001A296_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L0001A29E — thiscall, ecx = context.  Resets the 8-entry word table at
; [esi+6Ch..7Bh] that SUB_L0001A2D8 appends to: the entry count [esi+7Ch]
; is cleared, then either all 8 entries (word [esi+30h] < 10h) or the first
; 4 (otherwise) are zeroed with the rep stosd / adc / rep stosw idiom.
; The "test bl,bl / jbe" skip can never fire since bl is 4 or 8; "pop ecx"
; discards DbgPrint's argument and does not disturb the flags.
SUB_L0001A29E:
        push    ebx
        push    esi
        mov     esi,ecx
        and     byte ptr [esi+7Ch],00h          ; entry count = 0
        cmp     word ptr [esi+30h],0010h
        mov     bl,04h
        jnc     L0001A2B2
        add     bl,04h                          ; bl = 8 when [esi+30h] < 10h
L0001A2B2:
        push    SSZ0001A296_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        test    bl,bl
        pop     ecx
        jbe     L0001A2D4
        push    edi
        movzx   ecx,bl                          ; word count
        xor     eax,eax
        shr     ecx,1                           ; dword count; CF = one odd word left
        lea     edi,[esi+6Ch]
        rep     stosd
        adc     ecx,ecx                         ; ecx = CF (rep stosd leaves the flags alone)
        rep     stosw                           ; zero the trailing odd word, if any
        pop     edi
L0001A2D4:
        pop     esi
        pop     ebx
        retn
;------------------------------------------------------------------------------
Align 4
; SUB_L0001A2D8 — thiscall, ecx = context; stack arg: 16-bit value.
; Appends the value to the word table at [ecx+6Ch] at index [ecx+7Ch] and
; increments the count, but only while the count is below 8, so the table
; (8 words, 6Ch..7Bh) can never grow into the count byte at [ecx+7Ch].
; A value offered to a full table is dropped without any status.
; SUB_L0001A29E resets this table.
SUB_L0001A2D8:
        mov     al,[ecx+7Ch]
        cmp     al,08h
        jnc     L0001A2EF                       ; full: ignore the value
        mov     dx,[esp+04h]
        movzx   eax,al
        mov     [ecx+eax*2+6Ch],dx
        inc     [ecx+7Ch]
L0001A2EF:
        retn    0004h
;------------------------------------------------------------------------------
SSZ0001A2F2_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A2FA_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A302_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A30A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A312_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L0001A31A — thiscall, ecx = object (kept in esi).  Calls slot 1Ch of the
; function table at [esi]; if that returns a non-zero status other than 2Eh,
; calls slot 18h and returns its status instead (a fallback path — confirm
; the slot meanings).  2Eh is the status L00019946 returns after rewriting
; [esi+18h], so it appears to mean "state changed, not an error" — confirm.
; Every DbgPrint is followed by "pop ecx" to discard its argument; pop does
; not touch the flags the following branches rely on.
SUB_L0001A31A:
        push    ebx
        push    esi
        push    SSZ0001A2F2_TI_Msg_
        mov     esi,ecx
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[esi]
        pop     ecx
        mov     ecx,esi
        call    [eax+1Ch]                       ; first attempt
        push    SSZ0001A2FA_TI_Msg_
        mov     bl,al                           ; bl = status
        call    jmp_ntoskrnl.exe!DbgPrint
        test    bl,bl
        pop     ecx
        jz      L0001A379                       ; success
        cmp     bl,2Eh
        jz      L0001A379                       ; 2Eh is returned as-is
        push    SSZ0001A302_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[esi]
        pop     ecx
        mov     ecx,esi
        call    [eax+18h]                       ; fallback
        mov     bl,al
        cmp     bl,2Eh
        jnz     L0001A36E
        push    SSZ0001A30A_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        mov     al,bl
        jmp     L0001A37B
L0001A36E:
        push    SSZ0001A312_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
L0001A379:
        mov     al,bl
L0001A37B:
        pop     esi
        pop     ebx
        retn
;------------------------------------------------------------------------------
; SUB_L0001A37E — thiscall, ecx = context (kept in esi); stack args: (1) byte,
; (2) byte.  Stores arg1 at [esi+23h] and arg2 at [esi+22h].  When arg1 is
; non-zero it reads the value at [esi+04h]+20h (SUB_L0001728E), keeps the low
; 16 bits at [esi+20h] and writes that same value straight back
; (SUB_L000172AC) — the shape of a write-to-clear status acknowledge; confirm
; against the hardware.  Returns al = arg1.
; Note the two argument loads: "mov al,[esp+08h]" runs before "push ebx" and
; reads arg2; "mov bl,[esp+08h]" runs after it and reads arg1.
SUB_L0001A37E:
        mov     al,[esp+08h]                    ; arg2
        push    ebx
        mov     bl,[esp+08h]                    ; arg1 (stack shifted by the push)
        test    bl,bl
        push    esi
        mov     esi,ecx
        mov     [esi+23h],bl                    ; pending flag consumed by SUB_L0001A3BE
        mov     [esi+22h],al
        jz      L0001A3B7                       ; flags still from "test bl,bl"
        mov     eax,[esi+04h]
        add     eax,00000020h
        push    eax
        call    SUB_L0001728E
        mov     [esi+20h],ax                    ; latched status word
        xor     eax,eax
        mov     ax,[esi+20h]
        push    eax
        mov     eax,[esi+04h]
        add     eax,00000020h
        push    eax
        call    SUB_L000172AC                   ; write the same value back
L0001A3B7:
        pop     esi
        mov     al,bl
        pop     ebx
        retn    0008h
;------------------------------------------------------------------------------
; SUB_L0001A3BE — thiscall, ecx = context (kept in esi).  Consumes the
; pending flag [esi+23h] set by SUB_L0001A37E and returns a mask in eax
; derived from the latched status word [esi+20h]:
;   bit 2 set   -> 200h and [esi+27h] = 1
;   bit 2 clear -> signal the event at [esi+48h] (SUB_L0001A222)
;   bit 0 set   -> OR 100h
; Returns 0 and does nothing when no status is pending.
SUB_L0001A3BE:
        push    esi
        push    edi
        mov     esi,ecx
        xor     edi,edi                         ; result mask
        cmp     byte ptr [esi+23h],00h
        jz      L0001A3F6                       ; nothing pending
        test    byte ptr [esi+20h],04h
        jz      L0001A3DB
        mov     edi,00000200h
        mov     byte ptr [esi+27h],01h
        jmp     L0001A3E6
L0001A3DB:
        lea     eax,[esi+48h]
        push    eax
        mov     ecx,esi
        call    SUB_L0001A222                   ; KeSetEvent(&[esi+48h], 0, FALSE)
L0001A3E6:
        test    byte ptr [esi+20h],01h
        jz      L0001A3F2
        or      edi,00000100h
L0001A3F2:
        and     byte ptr [esi+23h],00h          ; clear the pending flag
L0001A3F6:
        mov     eax,edi
        pop     edi
        pop     esi
        retn
;------------------------------------------------------------------------------
Align 4
; SUB_L0001A3FC — thiscall, ecx = context; stack args: three dwords, stored
; in order at [ecx+80h], [ecx+84h], [ecx+88h].
SUB_L0001A3FC:
        mov     eax,[esp+04h]
        mov     [ecx+00000080h],eax
        mov     eax,[esp+08h]
        mov     [ecx+00000084h],eax
        mov     eax,[esp+0Ch]
        mov     [ecx+00000088h],eax
        retn    000Ch
;------------------------------------------------------------------------------
Align 2
SSZ0001A41E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A426_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A42E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A436_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A43E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A446_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A44E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A456_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A45E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A466_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001A46E_TI_Msg_: db 'TI Msg',0Ah,0
; SUB_L0001A476 — thiscall, ecx = context (kept in esi); stack args:
; (1) dword, where FFFFFFFFh is a special value, (2) pointer to a 16-bit
; value, (3) dword, (4) pointer to an 8-bit count.  The routine continues
; past the end of this listing, so only the visible prologue is annotated.
; Locals (sub esp,18h): [ebp-01h] = copy of *arg4, [ebp-05h] = "arg1 == -1"
; flag, [ebp-0Ch] = arg1, [ebp-10h] = *arg2, [ebp-14h] = arg3.
SUB_L0001A476:
        push    ebp
        mov     ebp,esp
        sub     esp,00000018h
        mov     eax,[ebp+08h]
        and     byte ptr [ebp-05h],00h
        cmp     eax,FFFFFFFFh                   ; flags consumed by the "jz" below; nothing in between alters them
        push    ebx
        push    esi
        mov     esi,ecx
        mov     ecx,[ebp+0Ch]
        mov     dx,[ecx]
        mov     [ebp-10h],dx                    ; *arg2
        mov     edx,[ebp+10h]
        push    edi
        mov     edi,[ebp+14h]
        mov     [ebp-14h],edx                   ; arg3
        mov     dl,[edi]
        mov     [ebp-0Ch],eax                   ; arg1
        mov     [ebp-01h],dl                    ; *arg4
        jz      L0001A4BD                       ; arg1 == -1
        mov     [esi+64h],eax
        mov     ax,[ecx]
        push    SSZ0001A41E_TI_Msg_
        mov     [esi+5Eh],ax
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
L0001A4BD:
        push    SSZ0001A426_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        cmp     byte ptr [edi],3Fh
        pop     ecx
        ja      L0001A6B1                       ; *arg4 > 3Fh is rejected (L00019414 applies the same limit); target lies beyond this listing
        mov     ebx,0000FFFFh
L0001A4D6:
        cmp     dword ptr [ebp+08h],FFFFFFFFh
        jz      L0001A4E8
        mov     eax,[ebp+0Ch]
        mov     ax,[eax]
        mov     [esi+58h],ax                    ; [esi+58h] = *arg2
        jmp     L0001A4EC
L0001A4E8:
        mov     byte ptr [ebp-05h],01h          ; remember the -1 case
L0001A4EC:
        movzx   ax,[edi]
        cmp     [esi+58h],ax
        jnc     L0001A4FB
        mov     al,[esi+58h]
        mov     [edi],al                        ; clamp *arg4 down to [esi+58h]
L0001A4FB:
        mov     eax,[esi]
        mov     ecx,esi
        call    [eax+04h]                       ; slot 04h of the function table at [esi]
        test    al,al
        mov     [ebp+17h],al                    ; status kept in the top byte of the arg-4 slot
        mov     byte ptr [esi+28h],01h
        jnz     L0001A6B8                       ; error path, beyond this listing
        cmp     word ptr [esi+58h],0000h
        jz      L0001A773                       ; nothing to transfer, beyond this listing
        cmp     [edi],al
        jz      L0001A773
        cmp     dword ptr [ebp+08h],FFFFFFFFh
        jz      L0001A562
        push    SSZ0001A42E_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     eax,[esi+04h]
        pop     ecx
        push    ebx                             ; 0FFFFh
        add     eax,00000018h
        push    eax
        call    SUB_L000172AC                   ; write 0FFFFh at [esi+04h]+18h
        mov     eax,[esi+04h]
        push    00000001h
        add     eax,00000024h
        push    eax
        ; (routine continues past the end of this listing)
call SUB_L000172AC mov eax,[esi+04h] and byte ptr [esi+27h],00h push 00000005h add eax,00000014h push eax call SUB_L000172AC L0001A562: mov eax,[esi+04h] push [ebp+10h] add eax,0000000Ch push eax call SUB_L0001729C xor eax,eax mov ah,[edi] or eax,00000001h push eax mov eax,[esi+04h] add eax,00000010h push eax call SUB_L000172AC mov ax,[esi+58h] mov [ebp-18h],ax L0001A58D: xor ecx,ecx lea eax,[esi+58h] mov cx,[eax] test cx,cx mov [ebp+10h],ecx jz L0001A734 cmp byte ptr [edi],00h jz L0001A734 push [ebp-05h] mov edx,[esi] push edi push eax push [ebp+08h] mov ecx,esi call [edx+20h] test al,al mov [ebp+17h],al jnz L0001A5C9 cmp [esi+27h],al jz L0001A5C9 mov byte ptr [ebp+17h],C2h L0001A5C9: cmp byte ptr [ebp+17h],68h jz L0001A5F2 cmp byte ptr [ebp+17h],00h jnz L0001A6EC cmp dword ptr [ebp+08h],FFFFFFFFh jz L0001A5EC mov eax,[ebp+10h] sub ax,[esi+58h] movzx eax,ax add [ebp+08h],eax L0001A5EC: mov byte ptr [ebp-05h],01h jmp L0001A58D L0001A5F2: push SSZ0001A436_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp-0Ch] mov ecx,[ebp+0Ch] mov [ebp+08h],eax mov ax,[ebp-10h] mov [ecx],ax mov eax,[ebp-14h] mov [ebp+10h],eax mov al,[ebp-01h] mov [edi],al mov dword ptr [esp],SSZ0001A43E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001A446_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001A44E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001A456_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp-18h] pop ecx movzx ecx,[esi+5Eh] add ecx,[esi+64h] movzx edx,ax mov [esi+58h],ax mov eax,[esi+04h] push 00000002h add eax,00000010h sub ecx,edx push eax mov [esi+60h],ecx call SUB_L000172AC mov eax,[esi+04h] push ebx add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000005h add eax,00000014h push eax call SUB_L000172AC and byte ptr [esi+28h],00h and byte ptr [esi+27h],00h push SSZ0001A426_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr 
[edi],3Fh pop ecx jbe L0001A4D6 L0001A6B1: mov al,C0h jmp L0001A779 L0001A6B8: mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E push SSZ0001A45E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] pop ecx push ebx add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC jmp L0001A72F L0001A6EC: mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E push SSZ0001A466_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] pop ecx push ebx add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC cmp byte ptr [ebp+17h],82h jz L0001A72F push SSZ0001A46E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001A72F: mov al,[ebp+17h] jmp L0001A775 L0001A734: mov edi,[ntoskrnl.exe!KeSynchronizeExecution] mov ebx,L00018364 jmp L0001A757 L0001A741: push FFF0BDC0h lea eax,[esi+48h] push eax mov ecx,esi call SUB_L0001A23A cmp byte ptr [esi+26h],00h jnz L0001A780 L0001A757: lea eax,[esi+20h] push eax push ebx push [esi+08h] call edi test al,al jz L0001A741 lea eax,[esi+20h] push eax push L000183B6 push [esi+08h] call edi L0001A773: xor al,al L0001A775: and byte ptr [esi+28h],00h L0001A779: pop edi pop esi pop ebx leave retn 0010h ;------------------------------------------------------------------------------ L0001A780: mov al,86h jmp L0001A775 SSZ0001A784_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001A78C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001A794_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001A79C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001A7A4_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001A7AC_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001A7B4: push ebp mov ebp,esp push ecx push ecx and byte ptr [ebp-05h],00h push esi push SSZ0001A784_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [esi+25h],00h pop ecx mov byte ptr [esi+28h],01h jz L0001A7DC mov al,C1h jmp L0001AA1E L0001A7DC: push ebx mov ebx,[ebp+14h] cmp byte ptr [ebx],3Fh push edi jbe L0001A7ED mov al,C0h 
jmp L0001AA1C L0001A7ED: mov ecx,[ebp+08h] cmp ecx,FFFFFFFFh jz L0001A80B mov eax,[ebp+0Ch] mov dx,[eax] mov [esi+5Ah],dx mov ax,[eax] mov [esi+5Ch],ax mov [esi+68h],ecx jmp L0001A80F L0001A80B: mov byte ptr [ebp-05h],01h L0001A80F: movzx ax,[ebx] lea edi,[esi+5Ah] cmp [edi],ax jnc L0001A81F mov al,[edi] mov [ebx],al L0001A81F: cmp word ptr [edi],0000h jz L0001AA1A cmp byte ptr [ebx],00h jz L0001AA1A cmp ecx,FFFFFFFFh jz L0001A903 mov eax,[esi+0000008Ch] inc eax cmp ecx,eax jz L0001A84D push SSZ0001A78C_TI_Msg_ jmp L0001A868 L0001A84D: mov ecx,esi call SUB_L0001A166 cmp al,01h jz L0001A863 mov ecx,esi call SUB_L0001A166 cmp al,04h jnz L0001A8BF L0001A863: push SSZ0001A794_TI_Msg_ L0001A868: call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] pop ecx mov ecx,esi call [eax+04h] test al,al mov [ebp-01h],al mov byte ptr [esi+28h],01h jz L0001A8BF mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E push SSZ0001A79C_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] add eax,00000018h mov dword ptr [esp],0000FFFFh push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC L0001A8B7: mov al,[ebp-01h] jmp L0001AA1C L0001A8BF: mov eax,[ebp+0Ch] movzx eax,[eax] mov ecx,[ebp+08h] lea eax,[eax+ecx-01h] mov [esi+0000008Ch],eax mov eax,[esi+04h] push 0000FFFFh add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] and byte ptr [esi+27h],00h push 00000005h add eax,00000014h push eax call SUB_L000172AC L0001A903: mov eax,[esi+04h] push [ebp+10h] add eax,0000000Ch push eax call SUB_L0001729C xor eax,eax mov ah,[ebx] or eax,00008001h push eax mov eax,[esi+04h] add eax,00000010h push eax call SUB_L000172AC mov ecx,esi call SUB_L0001A29E cmp word ptr [edi],0000h jnz L0001A948 L0001A935: mov edi,[ntoskrnl.exe!KeSynchronizeExecution] mov ebx,L00018364 jmp L0001A9FE L0001A945: mov ebx,[ebp+14h] L0001A948: cmp byte ptr [ebx],00h jz L0001A935 
push [ebp-05h] mov eax,[esi] push [ebp+14h] mov bx,[edi] push edi push [ebp+08h] mov ecx,esi call [eax+24h] test al,al mov [ebp-01h],al jnz L0001A992 cmp [esi+27h],al jz L0001A971 mov byte ptr [ebp-01h],C2h L0001A971: cmp byte ptr [ebp-01h],00h jnz L0001A992 cmp dword ptr [ebp+08h],FFFFFFFFh jz L0001A986 sub bx,[edi] movzx eax,bx add [ebp+08h],eax L0001A986: cmp word ptr [edi],0000h mov byte ptr [ebp-05h],01h jnz L0001A945 jmp L0001A935 L0001A992: mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E push SSZ0001A7A4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] add eax,00000018h mov dword ptr [esp],0000FFFFh push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC cmp byte ptr [ebp-01h],82h jz L0001A9DF push SSZ0001A7AC_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001A8B7 L0001A9DF: and byte ptr [ebp-01h],00h jmp L0001A8B7 L0001A9E8: push FFF0BDC0h lea eax,[esi+48h] push eax mov ecx,esi call SUB_L0001A23A cmp byte ptr [esi+26h],00h jnz L0001AA27 L0001A9FE: lea eax,[esi+20h] push eax push ebx push [esi+08h] call edi test al,al jz L0001A9E8 lea eax,[esi+20h] push eax push L000183B6 push [esi+08h] call edi L0001AA1A: xor al,al L0001AA1C: pop edi pop ebx L0001AA1E: and byte ptr [esi+28h],00h pop esi leave retn 0010h ;------------------------------------------------------------------------------ L0001AA27: mov al,86h jmp L0001AA1C Align 4 SSZ0001AA2C_TI_Msg_: db 'TI Msg',0Ah,0 L0001AA34: push SSZ0001AA2C_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx xor al,al retn ;------------------------------------------------------------------------------ SSZ0001AA42_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AA4A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AA52_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AA5A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AA62_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001AA6A: push ebp mov ebp,esp sub esp,00000010h push esi push edi push SSZ0001AA42_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint movzx eax,[esi+32h] 
mov [ebp-10h],eax movzx eax,[esi+36h] mov [ebp-08h],eax movzx eax,[esi+34h] mov dword ptr [ebp-04h],00000200h mov [ebp-0Ch],eax mov dword ptr [esp],SSZ0001AA4A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001AA52_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001AA5A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001AA62_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp+08h] lea esi,[ebp-10h] mov edi,eax movsd movsd movsd pop ecx movsd pop edi pop esi leave retn 0004h ;------------------------------------------------------------------------------ Align 2 SSZ0001AADE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AAE6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AAEE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AAF6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AAFE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AB06_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AB0E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AB16_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001AB1E: push ebp mov ebp,esp sub esp,00000018h push esi push edi push SSZ0001AADE_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] add eax,00000004h mov dword ptr [esp],00000E00h push eax call SUB_L000172AC push SSZ0001AAE6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov edi,[ntoskrnl.exe!KeQuerySystemTime] pop ecx lea eax,[ebp-08h] push eax call edi mov eax,[ebp-08h] mov [ebp-10h],eax mov eax,[ebp-04h] mov [ebp-0Ch],eax L0001AB68: lea eax,[ebp-10h] push eax call edi mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E test al,al jns L0001AB9A mov eax,[ebp-10h] sub eax,[ebp-08h] mov ecx,[ebp-0Ch] sbb ecx,[ebp-04h] mov [ebp-14h],ecx js L0001AB68 jg L0001ABA5 cmp eax,00989680h jc L0001AB68 jmp L0001ABA5 L0001AB9A: push SSZ0001AAEE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001ABA5: push SSZ0001AAF6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx lea eax,[ebp-08h] push eax mov dword ptr [esi+1Ch],01312D00h call edi mov eax,[ebp-08h] mov [ebp-10h],eax mov eax,[ebp-04h] mov [ebp-0Ch],eax L0001ABC9: lea eax,[ebp-10h] push eax 
call edi mov eax,[ebp-10h] sub eax,[ebp-08h] mov ecx,[ebp-0Ch] sbb ecx,[ebp-04h] mov [ebp-14h],ecx js L0001ABC9 jg L0001ABE9 cmp eax,002DC6C0h jc L0001ABC9 L0001ABE9: mov eax,[esi+04h] push ebx add eax,00000008h push eax call SUB_L0001728E mov bx,ax push SSZ0001AAFE_TI_Msg_ and bl,07h call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000001h mov ecx,esi call SUB_L0001A1AC push 00002710h call [HAL.dll!KeStallExecutionProcessor] movzx ax,bl or eax,00000C40h push eax mov eax,[esi+04h] add eax,00000004h push eax call SUB_L000172AC lea eax,[ebp-08h] push eax call edi mov eax,[ebp-08h] mov [ebp-10h],eax mov eax,[ebp-04h] push SSZ0001AB06_TI_Msg_ mov [ebp-0Ch],eax call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] pop ecx add eax,00000008h push eax call SUB_L0001728E pop ebx jmp L0001AC99 L0001AC5D: mov ecx,[ebp-10h] sub ecx,[ebp-08h] mov eax,[ebp-0Ch] sbb eax,[ebp-04h] test eax,eax jg L0001ACAA jl L0001AC77 cmp ecx,00989680h jnc L0001ACAA L0001AC77: lea eax,[ebp-10h] push eax call edi mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E test al,al js L0001AC9F mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E L0001AC99: test al,al jns L0001AC5D jmp L0001ACAA L0001AC9F: push SSZ0001AB0E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001ACAA: push SSZ0001AB16_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000000h mov ecx,esi call SUB_L0001A1AC mov eax,[esi+04h] push 00000007h add eax,00000028h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] push 0000FFFFh add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] and byte ptr [esi+27h],00h push 00000005h add eax,00000014h push eax call SUB_L000172AC pop edi xor al,al pop esi leave retn ;------------------------------------------------------------------------------ Align 4 SUB_L0001AD04: mov eax,[ecx+04h] add eax,00000008h push eax call SUB_L0001728E and al,08h sub al,08h neg al sbb eax,eax inc eax retn 
;------------------------------------------------------------------------------ SSZ0001AD1A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AD22_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AD2A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AD32_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001AD3A: mov eax,[esp+04h] push esi mov esi,ecx push SSZ0001AD1A_TI_Msg_ mov dword ptr [esi],L00023078 mov [esi+04h],eax call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001AD22_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,esi mov dword ptr [esi+1Ch],01312D00h call SUB_L0001AD04 test al,al jz L0001ADB0 push SSZ0001AD2A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] pop ecx push 00000007h add eax,00000028h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E shr al,04h and al,07h mov [esi+18h],al jmp L0001ADBF L0001ADB0: push SSZ0001AD32_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint and byte ptr [esi+18h],00h pop ecx L0001ADBF: mov eax,esi pop esi retn 0004h ;------------------------------------------------------------------------------ Align 2 L0001ADC6: push esi mov esi,ecx call SUB_L0001A0CC test byte ptr [esp+08h],01h jz L0001ADDC push esi call SUB_L00014338 pop ecx L0001ADDC: mov eax,esi pop esi retn 0004h ;------------------------------------------------------------------------------ SSZ0001ADE2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001ADEA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001ADF2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001ADFA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AE02_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AE0A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AE12_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001AE1A_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001AE22: push ebp mov ebp,esp sub esp,00000018h push esi push edi push SSZ0001ADE2_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] add eax,00000004h mov dword ptr [esp],00000E00h push eax call SUB_L000172AC push SSZ0001ADEA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov 
edi,[ntoskrnl.exe!KeQuerySystemTime] pop ecx lea eax,[ebp-10h] push eax call edi mov eax,[ebp-10h] mov [ebp-08h],eax mov eax,[ebp-0Ch] mov [ebp-04h],eax L0001AE6C: lea eax,[ebp-08h] push eax call edi mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E test al,al jns L0001AE9E mov eax,[ebp-08h] sub eax,[ebp-10h] mov ecx,[ebp-04h] sbb ecx,[ebp-0Ch] mov [ebp-14h],ecx js L0001AE6C jg L0001AEA9 cmp eax,00989680h jc L0001AE6C jmp L0001AEA9 L0001AE9E: push SSZ0001ADF2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001AEA9: push SSZ0001ADFA_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,esi mov dword ptr [esi+1Ch],01312D00h call SUB_L0001AD04 test al,al jz L0001AFCD mov eax,[esi+04h] push ebx add eax,00000008h push eax call SUB_L0001728E mov bx,ax push SSZ0001AE02_TI_Msg_ and bl,07h call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000001h mov ecx,esi call SUB_L0001A1AC push 00002710h call [HAL.dll!KeStallExecutionProcessor] movzx ax,bl or eax,00000C40h push eax mov eax,[esi+04h] add eax,00000004h push eax call SUB_L000172AC lea eax,[ebp-10h] push eax call edi mov eax,[ebp-10h] mov [ebp-08h],eax mov eax,[ebp-0Ch] push SSZ0001AE0A_TI_Msg_ mov [ebp-04h],eax call jmp_ntoskrnl.exe!DbgPrint mov eax,[ebp-04h] pop ecx mov ecx,[ebp-08h] sub ecx,[ebp-10h] pop ebx sbb eax,[ebp-0Ch] test eax,eax jg L0001AF87 jl L0001AF4A cmp ecx,00989680h jnc L0001AF87 L0001AF4A: lea eax,[ebp-08h] push eax call edi mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E test al,al js L0001AF7C mov eax,[ebp-08h] sub eax,[ebp-10h] mov ecx,[ebp-04h] sbb ecx,[ebp-0Ch] mov [ebp-14h],ecx js L0001AF4A jg L0001AF87 cmp eax,00989680h jc L0001AF4A jmp L0001AF87 L0001AF7C: push SSZ0001AE12_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001AF87: push SSZ0001AE1A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000000h mov ecx,esi call SUB_L0001A1AC mov eax,[esi+04h] push 00000007h add eax,00000028h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000001h add eax,00000024h 
push eax call SUB_L000172AC mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E shr al,04h and al,07h mov [esi+18h],al jmp L0001AFD1 L0001AFCD: and byte ptr [esi+18h],00h L0001AFD1: pop edi pop esi leave retn ;------------------------------------------------------------------------------ Align 2 SUB_L0001AFD6: push ebx push esi push [esp+0Ch] mov esi,ecx call SUB_L0001AD3A or dword ptr [esi+60h],FFFFFFFFh xor ebx,ebx lea eax,[esi+38h] push eax mov ecx,esi mov dword ptr [esi],L0002307C mov [esi+20h],bx mov [esi+22h],bl mov [esi+23h],bl mov [esi+24h],bl mov byte ptr [esi+25h],01h mov [esi+26h],bl mov [esi+27h],bl mov [esi+28h],bl mov [esi+29h],bl mov [esi+2Ch],ebx mov [esi+5Eh],bx mov [esi+64h],ebx call SUB_L0001A1F4 lea eax,[esi+48h] push eax mov ecx,esi call SUB_L0001A1F4 mov [esi+0000008Ch],ebx mov [esi+30h],bx mov eax,esi pop esi pop ebx retn 0004h ;------------------------------------------------------------------------------ Align 2 SSZ0001B03E_TI_Msg_: db 'TI Msg',0Ah,0 L0001B046: push esi mov esi,ecx push SSZ0001B03E_TI_Msg_ mov dword ptr [esi],L0002307C call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,esi call SUB_L0001A206 mov ecx,esi pop esi jmp SUB_L0001A0CC Align 2 SUB_L0001B06A: mov eax,[ecx+04h] push [esp+04h] add eax,00000184h push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 4 SUB_L0001B080: mov eax,[ecx+04h] push [esp+04h] add eax,00000190h push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 2 SUB_L0001B096: cmp word ptr [esp+04h],2000h jnc L0001B0B1 movzx eax,[esp+04h] mov dx,[esp+08h] mov [ecx+eax*2+00000136h],dx L0001B0B1: retn 0008h ;------------------------------------------------------------------------------ SUB_L0001B0B4: cmp word ptr [esp+04h],2000h jnc L0001B0CC movzx eax,[esp+04h] mov ax,[ecx+eax*2+00000136h] jmp L0001B0D0 L0001B0CC: or ax,FFFFh L0001B0D0: retn 0004h 
;------------------------------------------------------------------------------ Align 4 SUB_L0001B0D4: cmp word ptr [esp+04h],2000h push esi mov esi,ecx jnc L0001B0FF movzx edx,[esp+08h] xor eax,eax mov ecx,edx and ecx,00000007h inc eax shl eax,cl shr edx,03h xor ecx,ecx mov cl,[edx+esi+00004136h] and eax,ecx jmp L0001B101 L0001B0FF: mov al,01h L0001B101: pop esi retn 0004h ;------------------------------------------------------------------------------ Align 2 SUB_L0001B106: cmp word ptr [esp+04h],2000h mov eax,ecx jnc L0001B138 movzx ecx,[esp+04h] mov edx,ecx shr edx,03h lea eax,[edx+eax+00004136h] and ecx,00000007h mov dl,01h shl dl,cl cmp byte ptr [esp+08h],00h jz L0001B134 or [eax],dl jmp L0001B138 L0001B134: not dl and [eax],dl L0001B138: retn 0008h ;------------------------------------------------------------------------------ Align 4 SSZ0001B13C_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001B144: push ebx push esi push edi push [esp+10h] mov esi,ecx call SUB_L0001AFD6 push SSZ0001B13C_TI_Msg_ mov dword ptr [esi],L000230A4 call jmp_ntoskrnl.exe!DbgPrint pop ecx lea eax,[esi+00000094h] push eax mov ecx,esi call SUB_L0001A1F4 mov al,[esp+14h] mov [esi+000000A4h],al mov eax,[esi+04h] xor ebx,ebx mov edi,00000190h push 00008000h add eax,edi push eax mov dword ptr [esi+000000C8h],00004010h mov [esi+000000A6h],bl mov [esi+000000A5h],bl mov [esi+000000CCh],ebx mov [esi+000000D0h],ebx call SUB_L0001729C mov eax,[esi+04h] push 00000A00h add eax,edi push eax call SUB_L0001729C mov eax,[esi+04h] push FFFFFFFFh add eax,0000018Ch push eax mov [esi+00000090h],ebx call SUB_L0001729C pop edi mov eax,esi pop esi pop ebx retn 0008h ;------------------------------------------------------------------------------ L0001B1E2: mov eax,SSZ000230D4_MEMORYSTICK_BASE_CLASS retn ;------------------------------------------------------------------------------ L0001B1E8: mov eax,SSZ000230EC_MSBASE retn ;------------------------------------------------------------------------------ L0001B1EE: db 32h; 
'2' db C0h; '€' db C2h; '‚' db 0Ch; db 00h; db CCh; 'Œ' SSZ0001B1F4_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001B1FC: push esi mov esi,ecx push SSZ0001B1F4_TI_Msg_ mov dword ptr [esi],L000230A4 call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] add eax,00000190h mov dword ptr [esp],00000A00h push eax call SUB_L0001729C mov eax,[esi+04h] push FFFFFFFFh add eax,0000018Ch push eax mov dword ptr [esi+00000090h],00000000h call SUB_L0001729C mov ecx,esi pop esi jmp L0001B046 L0001B246: push ebx push esi push [esp+10h] mov esi,ecx push [esp+10h] call SUB_L0001A37E cmp byte ptr [esp+10h],00h mov bl,al jz L0001B28F mov eax,[esi+04h] add eax,0000018Ch push eax call SUB_L00017282 or [esi+00000090h],eax mov eax,[esi+04h] add eax,00000190h push eax call SUB_L00017282 or eax,00000800h push eax mov ecx,esi call SUB_L0001B080 L0001B28F: xor eax,eax mov al,bl pop esi pop ebx or eax,[esp+08h] retn 0008h ;------------------------------------------------------------------------------ L0001B29C: push esi push edi mov esi,ecx call SUB_L0001A3BE cmp byte ptr [esi+22h],00h mov edi,eax jz L0001B2BF lea eax,[esi+00000094h] push eax mov ecx,esi call SUB_L0001A222 and byte ptr [esi+22h],00h L0001B2BF: mov eax,edi pop edi pop esi retn ;------------------------------------------------------------------------------ L0001B2C4: mov eax,[esp+04h] mov eax,[eax] shr eax,0Ch and al,01h retn 0004h ;------------------------------------------------------------------------------ SSZ0001B2D2_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001B2DA_TI_Msg_: db 'TI Msg',0Ah,0 L0001B2E2: mov eax,[esp+04h] mov eax,[eax] test ah,01h jz L0001B2F4 push SSZ0001B2D2_TI_Msg_ jmp L0001B2FE L0001B2F4: test ah,02h jz L0001B308 push SSZ0001B2DA_TI_Msg_ L0001B2FE: call jmp_ntoskrnl.exe!DbgPrint pop ecx xor al,al jmp L0001B30A L0001B308: mov al,01h L0001B30A: retn 0004h ;------------------------------------------------------------------------------ Align 2 L0001B30E: mov eax,[esp+04h] mov eax,[eax] shr eax,0Dh and al,01h retn 0004h 
;------------------------------------------------------------------------------ L0001B31C: mov eax,[esp+04h] mov al,[eax] shr al,1 and al,01h retn 0004h ;------------------------------------------------------------------------------ Align 2 SSZ0001B32A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001B332_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001B33A_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001B342: push ecx push ecx push ebx push ebp mov ebp,[ntoskrnl.exe!KeSynchronizeExecution] push esi mov esi,ecx push edi mov dword ptr [esp+14h],00000002h lea ebx,[esi+00000094h] L0001B35E: push FFB3B4C0h push ebx mov ecx,esi call SUB_L0001A23A cmp byte ptr [esi+26h],00h mov [esp+13h],al jnz L0001B3B1 lea edi,[esi+00000090h] push edi push L0001B2E2 push [esi+08h] call ebp test al,al jz L0001B3BF push edi push L0001B2C4 push [esi+08h] call ebp test al,al jnz L0001B3E1 cmp dword ptr [esp+14h],00000000h jz L0001B3CE dec [esp+14h] jnz L0001B35E mov al,[esp+13h] L0001B3AA: pop edi pop esi pop ebp pop ebx pop ecx pop ecx retn ;------------------------------------------------------------------------------ L0001B3B1: push SSZ0001B32A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,86h jmp L0001B3F1 L0001B3BF: push SSZ0001B332_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,47h jmp L0001B3AA L0001B3CE: mov eax,[esi+04h] add eax,0000018Ch push eax call SUB_L00017282 test ah,10h jz L0001B3E5 L0001B3E1: xor al,al jmp L0001B3AA L0001B3E5: push SSZ0001B33A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,87h L0001B3F1: pop ecx mov ecx,[esi+00000090h] jmp L0001B3AA L0001B3FA: push esp dec ecx and [ebp+73h],cl or al,[eax] SUB_L0001B402: push ecx push ecx and byte ptr [esp+03h],00h push ebx push ebp push esi mov esi,ecx push edi mov edi,[ntoskrnl.exe!KeSynchronizeExecution] mov dword ptr [esp+14h],00000002h lea ebx,[esi+00000090h] mov ebp,L0001B30E jmp L0001B45D L0001B42A: push FFB3B4C0h lea eax,[esi+00000094h] push eax mov ecx,esi call SUB_L0001A23A cmp byte ptr [esi+26h],00h mov [esp+13h],al jnz L0001B46A push ebx push 
ebp push [esi+08h] call edi test al,al jnz L0001B481 cmp dword ptr [esp+14h],00000000h jz L0001B46E dec [esp+14h] L0001B45D: push ebx push ebp push [esi+08h] call edi test al,al jz L0001B42A jmp L0001B490 L0001B46A: mov al,86h jmp L0001B494 L0001B46E: mov eax,[esi+04h] add eax,0000018Ch push eax call SUB_L00017282 test ah,20h jz L0001B485 L0001B481: xor al,al jmp L0001B494 L0001B485: push L0001B3FA call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001B490: mov al,[esp+13h] L0001B494: pop edi pop esi pop ebp pop ebx pop ecx pop ecx retn ;------------------------------------------------------------------------------ Align 4 SUB_L0001B49C: push ebx push ebp push esi mov esi,ecx mov eax,[esi+04h] mov ebp,00000190h push edi add eax,ebp push eax call SUB_L00017282 mov edx,[esp+18h] xor ecx,ecx mov edi,eax mov al,[esp+14h] mov cl,al and edx,000003FFh mov ebx,FFFEFFFFh and ecx,0000000Fh shl ecx,0Ch or ecx,edx cmp al,02h mov [esp+14h],ecx jz L0001B4E3 cmp al,0Dh jz L0001B4E3 and edi,ebx jmp L0001B4E9 L0001B4E3: or edi,00010000h L0001B4E9: lea eax,[esi+00000094h] push eax mov ecx,esi call jmp_ntoskrnl.exe!KeClearEvent lea eax,[esi+00000090h] push eax push L000183B6 push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] or edi,00000800h push edi mov ecx,esi call SUB_L0001B080 push [esp+14h] mov ecx,esi call SUB_L0001B06A mov ecx,esi call SUB_L0001B342 mov [esp+14h],al mov eax,[esi+04h] add eax,ebp push eax call SUB_L00017282 and eax,ebx push eax mov ecx,esi call SUB_L0001B080 mov al,[esp+14h] pop edi pop esi pop ebp pop ebx retn 0008h ;------------------------------------------------------------------------------ SUB_L0001B550: push esi mov esi,ecx mov eax,[esi+04h] add eax,00000190h push eax call SUB_L00017282 or eax,00000100h push eax mov ecx,esi call SUB_L0001B080 mov eax,[esi+04h] push [esp+08h] add eax,00000188h push eax call SUB_L0001729C pop esi retn 0004h ;------------------------------------------------------------------------------ SUB_L0001B584: push ebp mov ebp,esp sub 
esp,00000020h push ebx push esi mov esi,ecx mov eax,[esi+000000C8h] push edi or eax,00002707h push eax call SUB_L0001B080 xor cl,cl L0001B5A2: cmp cl,10h jnz L0001B5CB cmp byte ptr [esi+18h],12h jnz L0001B5CB cmp byte ptr [esi+000000B7h],88h jz L0001B5C5 cmp dword ptr [esi+000000C8h],00000000h jz L0001B5C5 mov byte ptr [ebp-10h],80h jmp L0001B5D9 L0001B5C5: mov byte ptr [ebp-10h],88h jmp L0001B5D9 L0001B5CB: movzx eax,cl mov dl,[eax+esi+000000A7h] mov [ebp+eax-20h],dl L0001B5D9: inc cl cmp cl,20h jc L0001B5A2 push 00000008h lea edi,[ebp-20h] pop ebx L0001B5E6: push [edi] mov ecx,esi call SUB_L0001B550 add edi,00000004h dec ebx jnz L0001B5E6 push 0000001Fh push 0000000Bh mov ecx,esi call SUB_L0001B49C pop edi pop esi pop ebx leave retn ;------------------------------------------------------------------------------ Align 2 SUB_L0001B606: push ebp mov ebp,esp sub esp,00000020h push esi mov esi,ecx mov eax,[esi+000000C8h] or eax,00002607h push eax call SUB_L0001B080 push 0000001Fh push 00000004h mov ecx,esi call SUB_L0001B49C test al,al jnz L0001B65F push ebx push edi push 00000008h lea edi,[ebp-20h] pop ebx L0001B637: mov eax,[esi+04h] add eax,00000188h push eax call SUB_L00017282 mov [edi],eax add edi,00000004h dec ebx jnz L0001B637 push 00000008h lea edi,[esi+000000A7h] pop ecx lea esi,[ebp-20h] rep movsd pop edi xor al,al pop ebx L0001B65F: pop esi leave retn ;------------------------------------------------------------------------------ SSZ0001B662_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001B66A_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001B672_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001B67A: push esi push SSZ0001B662_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000020h pop esi L0001B689: push SSZ0001B66A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint dec esi pop ecx jnz L0001B689 push SSZ0001B672_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx pop esi retn ;------------------------------------------------------------------------------ SSZ0001B6A4_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001B6AC: 
push ebx xor bl,bl cmp [esp+14h],bl push esi mov esi,ecx jz L0001B6C3 call SUB_L0001B584 mov bl,al test bl,bl jnz L0001B72E L0001B6C3: mov eax,[esi+000000C8h] or eax,00002707h push eax mov ecx,esi call SUB_L0001B080 movzx eax,[esp+0Ch] push eax mov ecx,esi call SUB_L0001B550 push 00000000h mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz L0001B70A push SSZ0001B6A4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,81h jmp L0001B730 L0001B70A: cmp byte ptr [esp+10h],00h jz L0001B71E mov ecx,esi call SUB_L0001B402 mov bl,al test bl,bl jnz L0001B72E L0001B71E: cmp byte ptr [esp+14h],00h jz L0001B72E mov ecx,esi call SUB_L0001B606 mov bl,al L0001B72E: mov al,bl L0001B730: pop esi pop ebx retn 0010h ;------------------------------------------------------------------------------ Align 2 SUB_L0001B736: push ebx push esi mov esi,ecx mov eax,[esi+000000C8h] push edi or eax,00002607h push eax call SUB_L0001B080 push 00000001h push 00000007h mov ecx,esi call SUB_L0001B49C mov bl,al mov eax,[esi+04h] mov edi,00000188h add eax,edi push eax call SUB_L00017282 mov [esi+000000A8h],al mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 pop edi pop esi mov al,bl pop ebx retn ;------------------------------------------------------------------------------ SUB_L0001B780: push ecx push ebx push esi mov esi,ecx mov eax,[esi+000000C8h] push edi or eax,00002607h push eax call SUB_L0001B080 push 00000001h push 00000007h mov ecx,esi call SUB_L0001B49C mov bl,al mov eax,[esi+04h] mov edi,00000188h add eax,edi push eax call SUB_L00017282 mov [esi+000000A8h],al mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 pop edi mov [esp+08h],eax pop esi mov al,bl pop ebx pop ecx retn ;------------------------------------------------------------------------------ SUB_L0001B7D0: push esi mov esi,ecx mov eax,[esi+000000C8h] or eax,00002707h push eax call SUB_L0001B080 push [esp+08h] mov ecx,esi call SUB_L0001B550 push 00000000h mov 
ecx,esi call SUB_L0001B550 push 00000004h push 00000008h mov ecx,esi call SUB_L0001B49C pop esi retn 0004h ;------------------------------------------------------------------------------ Align 4 L0001B808: mov eax,[esp+04h] cmp eax,FFFFFFFFh push esi push edi mov esi,ecx jz L0001B81B mov [esi+000000CCh],eax L0001B81B: mov edi,[esp+10h] push [esp+18h] mov eax,[esi] xor ecx,ecx mov cx,[edi] push ecx push [esi+000000CCh] mov ecx,esi call [eax+28h] test al,al jnz L0001B84B inc [esi+000000CCh] mov eax,[esp+14h] dec word ptr [edi] dec [eax] xor al,al L0001B84B: pop edi pop esi retn 0010h ;------------------------------------------------------------------------------ L0001B850: mov eax,[esp+04h] cmp eax,FFFFFFFFh push esi push edi mov esi,ecx jz L0001B863 mov [esi+000000D0h],eax L0001B863: mov edi,[esp+10h] push [esp+18h] mov eax,[esi] xor ecx,ecx mov cx,[edi] push ecx push [esi+000000D0h] mov ecx,esi call [eax+2Ch] test al,al jnz L0001B893 inc [esi+000000D0h] mov eax,[esp+14h] dec word ptr [edi] dec [eax] xor al,al L0001B893: pop edi pop esi retn 0010h ;------------------------------------------------------------------------------ SSZ0001B898_TI_Msg_: db 'TI Msg',0Ah,0 L0001B8A0: push esi push 1F001F00h mov esi,ecx call SUB_L0001B7D0 test al,al jnz L0001B8EF mov ecx,esi call SUB_L0001B606 test al,al jnz L0001B8EF test byte ptr [esi+000000ABh],01h mov byte ptr [esi+18h],12h mov byte ptr [esi+19h],12h jz L0001B8ED cmp [esi+000000ADh],al jnz L0001B8ED cmp byte ptr [esi+000000AEh],03h ja L0001B8ED push SSZ0001B898_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov byte ptr [esi+18h],22h L0001B8ED: xor al,al L0001B8EF: pop esi retn ;------------------------------------------------------------------------------ Align 2 SSZ0001B8F2_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001B8FA: push esi push [esp+0Ch] mov esi,ecx push [esp+0Ch] call SUB_L0001B144 push SSZ0001B8F2_TI_Msg_ mov dword ptr [esi],L000230F4 call jmp_ntoskrnl.exe!DbgPrint or word ptr [esi+000000DEh],FFFFh or word ptr 
[esi+000000E0h],FFFFh or word ptr [esi+00000102h],FFFFh or word ptr [esi+00000108h],FFFFh or word ptr [esi+0000010Ah],FFFFh xor eax,eax mov [esi+00000134h],al mov [esi+00000104h],ax mov [esi+00000106h],ax mov [esi+0000012Ch],ax mov [esi+00000130h],ax mov [esi+00000132h],ax pop ecx mov byte ptr [esi+18h],12h mov byte ptr [esi+19h],12h mov word ptr [esi+0000012Eh],0001h mov eax,esi pop esi retn 0008h ;------------------------------------------------------------------------------ L0001B98A: mov eax,SSZ00023124_MEMORYSTICK retn ;------------------------------------------------------------------------------ L0001B990: mov eax,L00023130 retn ;------------------------------------------------------------------------------ SSZ0001B996_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001B99E: push esi mov esi,ecx push SSZ0001B996_TI_Msg_ mov dword ptr [esi],L000230F4 call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,esi pop esi jmp SUB_L0001B1FC SUB_L0001B9BA: cmp dword ptr [ecx+000000C8h],00000000h setz al lea eax,[00000080h+eax*8] mov [ecx+000000B7h],al mov al,[esp+04h] mov [ecx+000000BBh],al retn 0004h ;------------------------------------------------------------------------------ SUB_L0001B9DE: mov ax,[esp+04h] and byte ptr [ecx+000000B8h],00h mov [ecx+000000BAh],al mov al,[esp+08h] mov [ecx+000000B9h],ah mov [ecx+000000BCh],al retn 0008h ;------------------------------------------------------------------------------ Align 4 SSZ0001BA04_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA0C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA14_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA1C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA24_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA2C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA34_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA3C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA44_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA4C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA54_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA5C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA64_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA6C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA74_TI_Msg_: db 'TI 
Msg',0Ah,0 SSZ0001BA7C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA84_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA8C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA94_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BA9C_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001BAA4: push ecx mov dl,[esp+10h] test dl,20h push ebx push ebp push esi push edi mov esi,ecx jz L0001BABB push 00000020h call SUB_L0001B9BA L0001BABB: xor edi,edi test dl,01h jz L0001BACA push edi mov ecx,esi call SUB_L0001B9BA L0001BACA: test dl,04h mov ebp,00002707h mov ecx,esi jnz L0001BB6F push [esp+1Ch] push [esp+1Ch] call SUB_L0001B9DE cmp byte ptr [esi+29h],00h jz L0001BB05 call SUB_L0001B780 test al,al jnz L0001BF0C push SSZ0001BA04_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001BB05: mov ecx,esi call SUB_L0001B584 test al,al jnz L0001BB59 mov eax,[esi+000000C8h] or eax,ebp push eax mov ecx,esi call SUB_L0001B080 push 000000AAh mov ecx,esi call SUB_L0001B550 push edi mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz L0001BB52 push SSZ0001B6A4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov bl,81h jmp L0001BB5F L0001BB52: mov ecx,esi call SUB_L0001B402 L0001BB59: mov bl,al test bl,bl jz L0001BB81 L0001BB5F: push SSZ0001BA0C_TI_Msg_ L0001BB64: call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001BE41 L0001BB6F: call SUB_L0001B402 mov bl,al test bl,bl jz L0001BB81 push SSZ0001BA14_TI_Msg_ jmp L0001BB64 L0001BB81: mov ecx,esi call SUB_L0001B780 mov bl,al test bl,bl jz L0001BB95 push SSZ0001BA1C_TI_Msg_ jmp L0001BB64 L0001BB95: mov al,[esi+000000A8h] test al,01h mov [esp+12h],al jz L0001BBB1 push SSZ0001BA24_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov bl,49h jmp L0001BBDA L0001BBB1: test al,al js L0001BBCA test byte ptr [esp+20h],05h jnz L0001BBCA push SSZ0001BA2C_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov bl,4Fh jmp L0001BBDA L0001BBCA: test al,20h jnz L0001BBE7 push SSZ0001BA34_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov bl,4Eh L0001BBDA: pop ecx mov ecx,esi call SUB_L0001B67A jmp L0001BE41 
L0001BBE7: mov cl,[esp+20h] and cl,08h mov [esp+13h],cl jz L0001BC26 movzx edx,[esp+1Ch] movzx ecx,[esi+000000DCh] inc edx cmp edx,ecx jz L0001BC26 push edi push edi push 00000001h push 00000033h mov ecx,esi call SUB_L0001B6AC mov bl,al test bl,bl jz L0001BC22 push SSZ0001BA3C_TI_Msg_ jmp L0001BB64 L0001BC22: mov al,[esp+12h] L0001BC26: test al,40h jz L0001BDD0 push SSZ0001BA44_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,esi call SUB_L0001B606 mov bl,al test bl,bl jnz L0001BE41 mov ecx,esi call SUB_L0001B67A mov al,[esi+000000AAh] test al,10h jz L0001BDA4 push SSZ0001BA4C_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov bl,[esi+000000BDh] not bl or bl,3Fh mov dword ptr [esp],SSZ0001BA54_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint test byte ptr [esp+24h],05h pop ecx jz L0001BC95 push edi push edi push 00000001h push 00000033h mov ecx,esi call SUB_L0001B6AC L0001BC95: cmp bl,FFh jz L0001BD9D push [esp+1Ch] mov ecx,esi push [esp+1Ch] mov [esi+000000BDh],bl call SUB_L0001B9DE mov edi,00000080h push edi call SUB_L0001B9BA call SUB_L0001B584 test al,al mov ebx,SSZ0001B6A4_TI_Msg_ jnz L0001BD18 mov eax,[esi+000000C8h] or eax,ebp push eax mov ecx,esi call SUB_L0001B080 push 00000055h mov ecx,esi call SUB_L0001B550 push 00000000h mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz L0001BD06 push ebx call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001BD18 L0001BD06: mov ecx,esi call SUB_L0001B402 test al,al jnz L0001BD18 mov ecx,esi call SUB_L0001B606 L0001BD18: push SSZ0001BA5C_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000000h push [esp+1Ch] mov ecx,esi mov byte ptr [esi+000000BDh],7Fh call SUB_L0001B9DE push edi call SUB_L0001B9BA call SUB_L0001B584 test al,al jnz L0001BD92 mov eax,[esi+000000C8h] or eax,ebp push eax mov ecx,esi call SUB_L0001B080 push 00000055h mov ecx,esi call SUB_L0001B550 push 00000000h mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz 
L0001BD80 push ebx call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001BD92 L0001BD80: mov ecx,esi call SUB_L0001B402 test al,al jnz L0001BD92 mov ecx,esi call SUB_L0001B606 L0001BD92: push SSZ0001BA64_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001BD9D: mov al,43h jmp L0001BF0C L0001BDA4: test al,04h jz L0001BDAF push SSZ0001BA6C_TI_Msg_ jmp L0001BDC3 L0001BDAF: test al,01h jz L0001BDBA push SSZ0001BA74_TI_Msg_ jmp L0001BDC3 L0001BDBA: test al,08h jz L0001BDD0 push SSZ0001BA7C_TI_Msg_ L0001BDC3: call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,40h jmp L0001BF0C L0001BDD0: cmp byte ptr [esp+24h],00h jz L0001BE3A push 00000200h push 00000002h mov ecx,esi call SUB_L0001B49C mov bl,al test bl,bl jz L0001BDF5 push SSZ0001BA84_TI_Msg_ jmp L0001BB64 L0001BDF5: cmp byte ptr [esp+13h],00h jz L0001BE3A L0001BDFC: mov ecx,esi call SUB_L0001B780 mov bl,al test bl,bl jnz L0001BE2E test byte ptr [esi+000000A8h],80h jnz L0001BE38 mov ax,di inc edi cmp ax,03E8h jc L0001BDFC push SSZ0001BA8C_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,4Fh jmp L0001BF0C L0001BE2E: push SSZ0001BA94_TI_Msg_ jmp L0001BB64 L0001BE38: xor edi,edi L0001BE3A: test byte ptr [esp+20h],05h jz L0001BE48 L0001BE41: mov al,bl jmp L0001BF0C L0001BE48: mov ecx,esi call SUB_L0001B606 test al,al jnz L0001BF0C mov al,[esi+000000BDh] mov cl,al and cl,60h cmp cl,60h jz L0001BF0A test byte ptr [esp+20h],02h jz L0001BE7A cmp al,C0h jz L0001BF0A L0001BE7A: cmp word ptr [esp+18h],0002h jbe L0001BF0A push SSZ0001BA9C_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push edi push [esp+1Ch] mov ecx,esi mov byte ptr [esi+000000BDh],7Fh call SUB_L0001B9DE push 00000080h call SUB_L0001B9BA call SUB_L0001B584 test al,al jnz L0001BF06 mov eax,[esi+000000C8h] or eax,ebp push eax mov ecx,esi call SUB_L0001B080 push 00000055h mov ecx,esi call SUB_L0001B550 push edi mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz L0001BEF4 push SSZ0001B6A4_TI_Msg_ call 
jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001BF06 L0001BEF4: mov ecx,esi call SUB_L0001B402 test al,al jnz L0001BF06 mov ecx,esi call SUB_L0001B606 L0001BF06: mov al,42h jmp L0001BF0C L0001BF0A: xor al,al L0001BF0C: pop edi pop esi pop ebp pop ebx pop ecx retn 0010h ;------------------------------------------------------------------------------ SSZ0001BF14_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BF1C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BF24_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BF2C_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BF34_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001BF3C_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001BF44: push ebp mov ebp,esp push ecx push ebx push esi push edi push SSZ0001BF14_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint and byte ptr [ebp-01h],00h and byte ptr [ebp-02h],00h pop ecx L0001BF60: push SSZ0001BF1C_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] pop ecx push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000100h add eax,00000010h push eax call SUB_L000172AC movzx bx,[ebp-02h] push 00000001h push 00000022h xor edi,edi push edi mov ecx,esi push ebx call SUB_L0001BAA4 test al,al mov [ebp-03h],al jz L0001C018 push SSZ0001BF24_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,esi call SUB_L0001B584 test al,al jnz L0001C002 mov eax,[esi+000000C8h] or eax,00002707h push eax mov ecx,esi call SUB_L0001B080 push 0000003Ch mov ecx,esi call SUB_L0001B550 push edi mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz L0001BFFB push SSZ0001B6A4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001C002 L0001BFFB: mov ecx,esi call SUB_L0001B606 L0001C002: push 1F001F00h mov ecx,esi mov dword ptr [esi+000000C8h],00004010h call SUB_L0001B7D0 L0001C018: push SSZ0001BF2C_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [ebp-03h],00h pop ecx jnz L0001C06C mov ecx,esi call SUB_L0001B606 test al,al jnz L0001C06C test byte ptr [esi+000000BEh],40h jz L0001C077 push edi mov ecx,esi call 
SUB_L0001A090 mov edi,eax push SSZ0001BF34_TI_Msg_ shr edi,10h call jmp_ntoskrnl.exe!DbgPrint cmp di,0001h pop ecx jnz L0001C077 movzx eax,[ebp-01h] inc [ebp-01h] mov [esi+eax*2+000000DEh],bx jmp L0001C077 L0001C06C: push SSZ0001BF3C_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001C077: inc [ebp-02h] cmp byte ptr [ebp-01h],02h jnc L0001C08A cmp byte ptr [ebp-02h],0Ah jc L0001BF60 L0001C08A: cmp byte ptr [ebp-01h],00h pop edi pop esi pop ebx jz L0001C099 cmp byte ptr [ebp-03h],00h jz L0001C09D L0001C099: or byte ptr [ebp-03h],FFh L0001C09D: mov al,[ebp-03h] leave retn ;------------------------------------------------------------------------------ SSZ0001C0A2_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001C0AA: push esi push SSZ0001C0A2_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] pop ecx push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000100h add eax,00000010h push eax call SUB_L000172AC xor eax,eax mov ax,[esi+000000DEh] push 00000001h push 00000022h push 00000000h mov ecx,esi push eax call SUB_L0001BAA4 test al,al jnz L0001C230 mov ecx,esi call SUB_L0001B606 test al,al jnz L0001C230 push 000001A3h mov ecx,esi call SUB_L0001A0DE shl al,1 push 000001A4h mov ecx,esi mov [esi+000000DCh],al call SUB_L0001A0DE xor ecx,ecx mov ch,al push 000001A5h mov [esi+000000D6h],cx mov ecx,esi call SUB_L0001A0DE movzx ax,al add [esi+000000D6h],ax push 000001A6h mov ecx,esi call SUB_L0001A0DE xor ecx,ecx mov ch,al push 000001A7h mov [esi+000000DAh],cx mov ecx,esi call SUB_L0001A0DE mov cx,[esi+000000D6h] movzx ax,al add [esi+000000DAh],ax xor eax,eax mov ax,[esi+000000DAh] add eax,FFFFFFFCh mov [esi+000000D8h],ax movzx eax,cx cmp eax,00000200h jz L0001C1D5 cmp eax,00000400h jz L0001C1CD cmp eax,00000800h jz L0001C1C5 cmp eax,00001000h jz L0001C1BD cmp eax,00002000h jnz L0001C1DB mov word ptr [esi+30h],0040h jmp L0001C1DB L0001C1BD: mov word ptr [esi+30h],0020h jmp L0001C1DB L0001C1C5: mov word ptr [esi+30h],0010h jmp L0001C1DB 
L0001C1CD:                              ; tail of SUB_L0001C0AA (its entry is on an earlier line)
        mov word ptr [esi+30h],0008h    ; [esi+D6h] == 400h blocks
        jmp L0001C1DB
L0001C1D5:
        mov word ptr [esi+30h],0004h    ; [esi+D6h] == 200h blocks
L0001C1DB:
        cmp byte ptr [esi+000000DCh],20h ; [esi+DCh] = (attribute 1A3h << 1), set earlier in this function
        jnz L0001C1E8
        shl word ptr [esi+30h],1        ; doubled when that field is 20h
L0001C1E8:
        shr cx,09h                      ; cx still holds [esi+D6h] (loaded on the previous line); 512 blocks per group
        push edi
        mov [esi+000000D4h],cl          ; [esi+D4h] = number of 512-block groups (byte)
        push 000001B5h
        mov ecx,esi
        call SUB_L0001A0DE              ; three byte reads at 1B5h..1B7h, assembled big-endian into [esi+2Ch]
        movzx edi,al
        push 000001B6h
        mov ecx,esi
        shl edi,08h
        call SUB_L0001A0DE
        movzx eax,al
        add edi,eax
        push 000001B7h
        mov ecx,esi
        shl edi,08h
        call SUB_L0001A0DE
        movzx eax,al
        add edi,eax
        mov [esi+2Ch],edi
        xor al,al                       ; status 0 = success
        pop edi
L0001C230:
        pop esi
        retn
;------------------------------------------------------------------------------
SSZ0001C232_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C23A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C242_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C24A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C252_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C25A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C262_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C26A_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C272_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C27A_TI_Msg_: db 'TI Msg',0Ah,0
;-----------------------------------------------------------------------
; SUB_L0001C282 - emit ten DbgPrint lines (every format string in this
; build has been reduced to the constant "TI Msg\n").
; In:    nothing used
; Out:   nothing (eax = last DbgPrint result)
; Clobb: eax, ecx, edx, flags
; Stack: one pushed argument slot is reused for all ten calls and popped once.
;-----------------------------------------------------------------------
SUB_L0001C282:
        push SSZ0001C232_TI_Msg_
        call jmp_ntoskrnl.exe!DbgPrint
        mov dword ptr [esp],SSZ0001C23A_TI_Msg_ ; overwrite the argument slot instead of pop/push
        call jmp_ntoskrnl.exe!DbgPrint
        mov dword ptr [esp],SSZ0001C242_TI_Msg_
        call jmp_ntoskrnl.exe!DbgPrint
        mov dword ptr [esp],SSZ0001C24A_TI_Msg_
        call jmp_ntoskrnl.exe!DbgPrint
        mov dword ptr [esp],SSZ0001C252_TI_Msg_
        call jmp_ntoskrnl.exe!DbgPrint
        mov dword ptr [esp],SSZ0001C25A_TI_Msg_
        call jmp_ntoskrnl.exe!DbgPrint
        mov dword ptr [esp],SSZ0001C262_TI_Msg_
        call jmp_ntoskrnl.exe!DbgPrint
        mov dword ptr [esp],SSZ0001C26A_TI_Msg_
        call jmp_ntoskrnl.exe!DbgPrint
        mov dword ptr [esp],SSZ0001C272_TI_Msg_
        call jmp_ntoskrnl.exe!DbgPrint
        mov dword ptr [esp],SSZ0001C27A_TI_Msg_
        call jmp_ntoskrnl.exe!DbgPrint
        pop ecx                         ; discard the argument slot
        retn
;------------------------------------------------------------------------------
SSZ0001C2FA_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C302_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001C30A_TI_Msg_: db 'TI Msg',0Ah,0
;-----------------------------------------------------------------------
; SUB_L0001C312 - issue command 99h for one block, then mark the block
; via SUB_L0001B106(block, 0). 99h matches the Memory Stick BLOCK_ERASE
; command code (the listing's MEMORYSTICK string suggests that
; register/command set) - confirm against the device documentation.
; In:    ecx = device context (copied to esi); [esp+04h] = block number (word)
; Out:   al = 0 on success, 81h on any failure
; Clobb: eax, ecx, edx, flags
; Stack: one dword argument, cleaned by `retn 0004h` (on the next line)
; The body continues on the next line of the listing.
;-----------------------------------------------------------------------
SUB_L0001C312:
        push esi
        push 00000000h
        push [esp+0Ch]                  ; arg 1 (block), re-addressed past the two pushes
        mov esi,ecx
        call SUB_L0001B9DE              ; B9DE(block, 0): fills the address registers at [esi+B8h..BCh]; leaves ecx intact
        push                            ; operand 00000020h is on the next line: B9BA(20h)
L0001C5B4: test bl,04h mov ecx,esi jnz L0001C669 push [ebp+10h] mov ax,[ebp+08h] or byte ptr [esi+000000BDh],FFh or byte ptr [esi+000000BEh],FFh push edx mov [esi+000000BFh],ah mov [esi+000000C0h],al call SUB_L0001B9DE cmp byte ptr [esi+29h],00h jz L0001C604 call SUB_L0001B780 test al,al jnz L0001C7A7 push SSZ0001C50E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001C604: mov ecx,esi call SUB_L0001B584 test al,al jnz L0001C659 mov eax,[esi+000000C8h] or eax,00002707h push eax mov ecx,esi call SUB_L0001B080 push 00000055h mov ecx,esi call SUB_L0001B550 push 00000000h mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz L0001C652 push SSZ0001B6A4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov bl,81h jmp L0001C65F L0001C652: mov ecx,esi call SUB_L0001B402 L0001C659: mov bl,al test bl,bl jz L0001C67E L0001C65F: push SSZ0001C516_TI_Msg_ jmp L0001C78D L0001C669: call SUB_L0001B402 mov bl,al test bl,bl jz L0001C67E push SSZ0001C51E_TI_Msg_ jmp L0001C78D L0001C67E: mov ecx,esi call SUB_L0001B780 mov bl,al test bl,bl jz L0001C695 push SSZ0001C526_TI_Msg_ jmp L0001C78D L0001C695: mov al,[esi+000000A8h] test al,01h jz L0001C6B0 push SSZ0001C52E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,49h jmp L0001C7A6 L0001C6B0: test al,40h jz L0001C6C5 push SSZ0001C536_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,44h jmp L0001C7A6 L0001C6C5: cmp byte ptr [ebp+18h],00h jz L0001C796 mov eax,[esi+04h] add eax,00000190h push eax call SUB_L00017282 and eax,FFFFEFFFh or eax,00010100h push eax mov ecx,esi call SUB_L0001B080 push 00000200h push 0000000Dh mov ecx,esi call SUB_L0001B49C test al,al jz L0001C712 push SSZ0001C53E_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,81h jmp L0001C7A6 L0001C712: mov al,[ebp+14h] and al,08h mov [ebp+17h],al jnz L0001C722 cmp byte ptr [ebp+0Fh],00h jz L0001C796 L0001C722: mov ecx,esi call SUB_L0001B402 mov bl,al test bl,bl jz L0001C736 push SSZ0001C546_TI_Msg_ jmp L0001C78D L0001C736: cmp byte ptr 
[ebp+17h],00h jz L0001C758 push 00000000h push 00000000h push 00000001h push 00000033h mov ecx,esi call SUB_L0001B6AC mov bl,al test bl,bl jz L0001C758 push SSZ0001C54E_TI_Msg_ jmp L0001C78D L0001C758: xor edi,edi L0001C75A: mov ecx,esi call SUB_L0001B780 mov bl,al test bl,bl jnz L0001C788 test byte ptr [esi+000000A8h],80h jnz L0001C796 mov ax,di inc edi cmp ax,03E8h jc L0001C75A push SSZ0001C556_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,4Fh jmp L0001C7A6 L0001C788: push SSZ0001C55E_TI_Msg_ L0001C78D: call jmp_ntoskrnl.exe!DbgPrint mov al,bl jmp L0001C7A6 L0001C796: xor al,al jmp L0001C7A7 L0001C79A: push SSZ0001C566_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,85h L0001C7A6: pop ecx L0001C7A7: pop edi pop esi pop ebx pop ebp retn 0014h ;------------------------------------------------------------------------------ SSZ0001C7AE_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001C7B6: push ebp mov ebp,esp push ecx push ebx push esi mov esi,ecx mov cl,[ebp+14h] xor al,al and [ebp+17h],al mov [ebp-04h],cl L0001C7C9: mov cl,[ebp-04h] cmp cl,[ebp+18h] jnc L0001C817 push 00000000h push 00000020h push [ebp-04h] mov ecx,esi push [ebp+10h] call SUB_L0001BAA4 mov bl,al test bl,bl jz L0001C7FC push SSZ0001C7AE_TI_Msg_ mov byte ptr [ebp+17h],01h call jmp_ntoskrnl.exe!DbgPrint cmp bl,81h pop ecx jz L0001C824 L0001C7FC: push 00000000h push 00000020h push [ebp-04h] mov ecx,esi push [ebp+0Ch] push [ebp+08h] call SUB_L0001C56E inc [ebp-04h] test al,al jz L0001C7C9 L0001C817: test al,al jnz L0001C828 cmp [ebp+17h],al jz L0001C82A add al,45h jmp L0001C82A L0001C824: mov al,81h jmp L0001C82A L0001C828: mov al,46h L0001C82A: pop esi pop ebx leave retn 0014h ;------------------------------------------------------------------------------ SSZ0001C830_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001C838: push ebp mov ebp,esp sub esp,0000000Ch mov eax,[ebp+0Ch] and byte ptr [ebp-01h],00h push ebx xor ebx,ebx mov bx,[eax] push esi mov esi,ecx cmp byte ptr [esi+000000A5h],00h push edi mov [ebp-0Ch],ebx jnz 
L0001C97A cmp bx,[esi+00000108h] mov ax,[ebp+08h] mov [esi+00000106h],ax mov ax,[esi+00000102h] lea edi,[esi+00000104h] mov [edi],bx mov [ebp-08h],ax jz L0001C8A8 xor ecx,ecx lea eax,[esi+000000DCh] cmp [eax],cl jbe L0001C8A8 L0001C893: movzx edx,cx and byte ptr [edx+esi+0000010Ch],00h movzx dx,[eax] inc ecx cmp cx,dx jc L0001C893 L0001C8A8: or word ptr [esi+00000108h],FFFFh cmp bx,[ebp-08h] jz L0001C8CD movzx eax,[ebp+10h] cmp byte ptr [eax+esi+0000010Ch],00h jz L0001C8CD mov [edi],bx jmp L0001C967 L0001C8CD: and byte ptr [ebp-08h],00h lea eax,[esi+000000D4h] cmp byte ptr [eax],00h mov byte ptr [esi+000000A5h],01h mov ecx,000001EDh jbe L0001C916 L0001C8E8: cmp [ebp+08h],cx jbe L0001C900 inc [ebp-08h] mov dl,[ebp-08h] add ecx,000001F0h cmp dl,[eax] jc L0001C8E8 jmp L0001C916 L0001C900: push [ebp-08h] mov ecx,esi push edi call SUB_L0001C454 test al,al mov [ebp-01h],al jnz L0001CC24 L0001C916: xor eax,eax mov ax,[edi] push 00000001h mov ecx,esi push eax call SUB_L0001B106 xor ecx,ecx lea eax,[esi+000000DCh] cmp [eax],cl jbe L0001C946 L0001C931: movzx edx,cx mov byte ptr [edx+esi+0000010Ch],01h movzx dx,[eax] inc ecx cmp cx,dx jc L0001C931 L0001C946: lea ebx,[esi+0000010Ah] xor eax,eax mov ax,[ebx] cmp ax,FFFFh jz L0001C95F push eax mov ecx,esi call SUB_L0001C312 L0001C95F: or word ptr [ebx],FFFFh mov ebx,[ebp-0Ch] L0001C967: mov ax,[edi] mov ecx,[ebp+0Ch] mov [ecx],ax mov ax,[edi] mov [esi+00000108h],ax L0001C97A: cmp byte ptr [esi+000000A5h],01h jnz L0001CA29 movzx ax,[esi+000000DCh] movzx di,[ebp+10h] mov [esi+0000012Eh],ax xor eax,eax mov [esi+0000012Ch],di mov al,[esi+0000012Ch] mov ecx,esi mov [esi+0000010Ah],bx push eax xor eax,eax mov ax,[esi+00000104h] push 00000000h push ebx push eax push [ebp+08h] call SUB_L0001C7B6 test di,di mov [ebp-01h],al jbe L0001C9EC movzx ecx,di lea edx,[esi+0000010Ch] mov edi,edx mov edx,ecx shr ecx,02h xor eax,eax rep stosd mov ecx,edx and ecx,00000003h rep stosb L0001C9EC: mov ax,[esi+0000012Ch] add ax,[ebp+14h] movzx 
cx,[esi+000000DCh] cmp ax,cx mov [esi+0000012Eh],ax jbe L0001CA12 mov [esi+0000012Eh],cx L0001CA12: cmp byte ptr [ebp-01h],45h jz L0001CA1E cmp byte ptr [ebp-01h],00h jnz L0001CA29 L0001CA1E: and byte ptr [ebp-01h],00h mov byte ptr [esi+000000A5h],02h L0001CA29: cmp byte ptr [esi+000000A5h],03h jnz L0001CA88 cmp bx,[esi+00000108h] jnz L0001CB4F movzx eax,[esi+00000130h] movzx ecx,[ebp+10h] inc eax cmp ecx,eax jnz L0001CB4F movzx ax,[ebp+10h] mov ecx,[ebp+14h] movzx dx,[esi+000000DCh] mov [esi+0000012Ch],ax add eax,ecx cmp ax,dx lea ecx,[esi+0000012Eh] mov [ecx],ax jbe L0001CA7D mov [ecx],dx L0001CA7D: and byte ptr [ebp+18h],00h mov byte ptr [esi+000000A5h],02h L0001CA88: cmp byte ptr [esi+000000A5h],02h jnz L0001CB5D cmp byte ptr [ebp+18h],00h jz L0001CAA5 cmp byte ptr [ebp+10h],00h mov byte ptr [ebp+0Ch],04h jnz L0001CAA9 L0001CAA5: mov byte ptr [ebp+0Ch],01h L0001CAA9: movzx eax,[esi+000000DCh] movzx edi,[ebp+10h] dec eax cmp edi,eax jz L0001CAC0 cmp word ptr [ebp+14h],0001h jnz L0001CAC4 L0001CAC0: or byte ptr [ebp+0Ch],08h L0001CAC4: movzx eax,[esi+0000012Eh] lea ebx,[edi+01h] cmp ebx,eax jl L0001CAD6 or byte ptr [ebp+0Ch],08h L0001CAD6: cmp byte ptr [ebp+18h],00h jnz L0001CAE7 cmp word ptr [ebp+14h],0001h jnz L0001CAE7 mov byte ptr [ebp+0Ch],20h L0001CAE7: push 00000001h push [ebp+0Ch] xor eax,eax mov ax,[esi+00000104h] push [ebp+10h] mov ecx,esi push eax push [ebp+08h] call SUB_L0001C56E and byte ptr [edi+esi+0000010Ch],00h test al,al mov [ebp-01h],al jnz L0001CB5D mov ax,[esi+0000012Eh] movzx ecx,ax cmp ebx,ecx jl L0001CB5D cmp word ptr [esi+0000010Ah],FFFFh movzx cx,[ebp+10h] mov [esi+00000130h],cx jz L0001CB56 movzx cx,[esi+000000DCh] cmp ax,cx sbb al,al add eax,00000004h mov [esi+000000A5h],al jmp L0001CB5D L0001CB4F: mov al,52h jmp L0001CC2B L0001CB56: and byte ptr [esi+000000A5h],00h L0001CB5D: cmp byte ptr [esi+000000A5h],04h jnz L0001CBF9 xor eax,eax mov al,[esi+000000DCh] mov ecx,esi push eax xor eax,eax mov al,[esi+0000012Eh] push eax xor eax,eax 
mov ax,[esi+0000010Ah] push eax xor eax,eax mov ax,[esi+00000104h] push eax xor eax,eax mov ax,[esi+00000106h] push eax call SUB_L0001C7B6 mov [ebp-01h],al xor eax,eax mov ax,[esi+0000012Eh] jmp L0001CBBB L0001CBAF: movzx ecx,ax and byte ptr [ecx+esi+0000010Ch],00h inc eax L0001CBBB: movzx cx,[esi+000000DCh] cmp ax,cx jc L0001CBAF and byte ptr [esi+000000A5h],00h cmp byte ptr [ebp-01h],45h jz L0001CBDB cmp byte ptr [ebp-01h],00h jnz L0001CBF0 L0001CBDB: xor eax,eax mov ax,[esi+0000010Ah] mov ecx,esi push eax call SUB_L0001C312 and byte ptr [ebp-01h],00h L0001CBF0: or word ptr [esi+0000010Ah],FFFFh L0001CBF9: cmp byte ptr [ebp-01h],00h jz L0001CC29 push SSZ0001C830_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint xor eax,eax mov ax,[esi+00000104h] pop ecx mov ecx,esi push eax call SUB_L0001C312 or word ptr [esi+0000010Ah],FFFFh L0001CC24: mov al,[ebp-01h] jmp L0001CC2B L0001CC29: xor al,al L0001CC2B: pop edi pop esi pop ebx leave retn 0014h ;------------------------------------------------------------------------------ L0001CC32: push ecx push esi mov esi,ecx lea eax,[esi+000000A5h] cmp byte ptr [eax],03h jnz L0001CC5F push ebx xor ebx,ebx push ebx push ebx mov byte ptr [eax],04h push ebx lea eax,[esp+14h] push eax push ebx mov byte ptr [esi+28h],01h call SUB_L0001C838 mov [esi+28h],bl pop ebx jmp L0001CC65 L0001CC5F: and byte ptr [esi+28h],00h xor al,al L0001CC65: pop esi pop ecx retn ;------------------------------------------------------------------------------ SSZ0001CC68_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001CC70_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001CC78_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001CC80_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001CC88: push ebp mov ebp,esp push ecx push ecx push esi mov esi,ecx mov ax,[esi+00000132h] cmp ax,[esi+000000D6h] jc L0001CCAE mov byte ptr [esi+00000134h],01h xor al,al jmp L0001CFC3 L0001CCAE: test al,al jnz L0001CCBD push SSZ0001CC68_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001CCBD: xor eax,eax mov ax,[esi+00000132h] push ebx push edi mov 
ecx,esi push eax call SUB_L0001B0D4 test al,al jnz L0001CECD mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000100h add eax,00000010h push eax call SUB_L000172AC xor eax,eax mov ax,[esi+00000132h] push 00000001h push 00000020h xor edi,edi push edi mov ecx,esi push eax call SUB_L0001BAA4 cmp byte ptr [esi+26h],00h mov [ebp-01h],al jz L0001CD1F mov al,86h jmp L0001CFC1 L0001CD1F: test al,al jz L0001CD9E push SSZ0001CC70_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,esi call SUB_L0001B584 test al,al jnz L0001CD80 mov eax,[esi+000000C8h] or eax,00002707h push eax mov ecx,esi call SUB_L0001B080 push 0000003Ch mov ecx,esi call SUB_L0001B550 push edi mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz L0001CD79 push SSZ0001B6A4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001CD80 L0001CD79: mov ecx,esi call SUB_L0001B606 L0001CD80: push 1F001F00h mov ecx,esi mov dword ptr [esi+000000C8h],00004010h call SUB_L0001B7D0 mov bl,[ebp-02h] jmp L0001CE2D L0001CD9E: mov ecx,esi call SUB_L0001B606 mov al,[esi+000000BDh] mov bl,al mov cl,al shr bl,05h shr cl,07h or al,1Fh and bl,03h cmp al,FFh mov [ebp-02h],cl jz L0001CE2D mov ecx,esi call SUB_L0001B584 test al,al jnz L0001CE13 mov eax,[esi+000000C8h] or eax,00002707h push eax mov ecx,esi call SUB_L0001B080 push 0000003Ch mov ecx,esi call SUB_L0001B550 push edi mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz L0001CE0C push SSZ0001B6A4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001CE13 L0001CE0C: mov ecx,esi call SUB_L0001B606 L0001CE13: push 1F001F00h mov ecx,esi mov dword ptr [esi+000000C8h],00004010h call SUB_L0001B7D0 or byte ptr [ebp-01h],FFh L0001CE2D: cmp byte ptr [ebp-02h],00h jz L0001CEBA cmp bl,03h jnz L0001CEBA cmp byte ptr [ebp-01h],00h jnz L0001CEBA mov al,[esi+000000BFh] mov [ebp-07h],al mov al,[esi+000000C0h] mov [ebp-08h],al 
cmp word ptr [ebp-08h],FFFFh jz L0001CF2A mov edi,[ebp-08h] push edi mov ecx,esi call SUB_L0001B0B4 mov ecx,esi mov ebx,eax xor eax,eax cmp bx,FFFFh mov ax,[esi+00000132h] jz L0001CF21 test byte ptr [esi+000000BDh],10h jz L0001CEA3 cmp ax,bx ja L0001CEA3 push ebx push edi call SUB_L0001B096 xor ebx,ebx mov bx,[esi+00000132h] jmp L0001CEAA L0001CEA3: push eax push edi call SUB_L0001B096 L0001CEAA: push ebx mov ecx,esi call SUB_L0001C312 test al,al jnz L0001CFC1 L0001CEBA: xor eax,eax mov ax,[esi+00000132h] push 00000001h mov ecx,esi push eax call SUB_L0001B106 L0001CECD: inc word ptr [esi+00000132h] mov ax,[esi+00000132h] cmp ax,[esi+000000D6h] jnz L0001CFBF xor al,al L0001CEEA: movzx ecx,al mov cx,[esi+ecx*2+000000E2h] inc al cmp cx,FFFFh mov [esi+00000102h],cx jnz L0001CF51 cmp al,[esi+000000D4h] jc L0001CEEA cmp cx,cx jnz L0001CF51 cmp al,[esi+000000D4h] jnz L0001CF51 mov al,84h jmp L0001CFC1 L0001CF21: push eax push edi call SUB_L0001B096 jmp L0001CEBA L0001CF2A: mov cx,[esi+00000132h] mov ax,cx shr ax,09h movzx eax,al lea eax,[esi+eax*2+000000E2h] cmp word ptr [eax],FFFFh jnz L0001CECD mov [eax],cx jmp L0001CECD L0001CF51: xor ebx,ebx cmp [esi+000000D8h],bx jbe L0001CF86 L0001CF5C: push ebx mov ecx,esi call SUB_L0001B0B4 cmp ax,FFFFh jnz L0001CF7C xor eax,eax mov ax,[esi+00000102h] mov ecx,esi push eax push ebx call SUB_L0001B096 L0001CF7C: inc ebx cmp bx,[esi+000000D8h] jc L0001CF5C L0001CF86: xor eax,eax mov ax,[esi+00000102h] push 00000001h mov ecx,esi push eax call SUB_L0001B106 push SSZ0001CC78_TI_Msg_ mov byte ptr [esi+00000134h],01h call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001CC80_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint and word ptr [esi+00000132h],0000h pop ecx L0001CFBF: xor al,al L0001CFC1: pop edi pop ebx L0001CFC3: pop esi leave retn ;------------------------------------------------------------------------------ SSZ0001CFC6_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001CFCE: push ebx push esi push SSZ0001CFC6_TI_Msg_ mov esi,ecx call 
jmp_ntoskrnl.exe!DbgPrint               ; target of the `call` that closes the previous line (SUB_L0001CFCE starts there)
        mov eax,[esi+04h]
        pop ecx                         ; discard DbgPrint's argument
        push 00000001h
        add eax,00000024h
        push eax
        call SUB_L000172AC              ; 172AC([esi+04h]+24h, 1)
        mov eax,[esi+04h]
        push 00000100h
        add eax,00000010h
        push eax
        call SUB_L000172AC              ; 172AC([esi+04h]+10h, 100h)
        xor eax,eax
        mov ax,[esi+000000DEh]
        push 00000001h
        push 00000022h
        push 00000002h
        mov ecx,esi
        push eax
        call SUB_L0001BAA4              ; BAA4(block [esi+DEh], page 2, 22h, 1)
        mov ecx,esi
        mov bl,al
        call SUB_L0001B606              ; B606's own result is ignored; only BAA4's status decides
        test bl,bl
        jz L0001D024
        mov al,bl
        jmp L0001D072                   ; propagate BAA4's failure
L0001D024:
        push edi
        push 00000083h
        mov ecx,esi
        call SUB_L0001A138              ; A138 looks like a byte fetch from the page just read - TODO confirm
        movzx ax,al
        push 00000086h
        mov ecx,esi
        mov [esi+34h],ax                ; [esi+34h] = A138(83h)
        call SUB_L0001A138
        movzx edx,[esi+000000D8h]
        movzx edi,[esi+34h]
        movzx cx,al
        movzx eax,[esi+000000DCh]
        mov [esi+36h],cx                ; [esi+36h] = A138(86h)
        imul eax,edx                    ; eax = [esi+DCh] * [esi+D8h]
        movzx ecx,cx
        imul edi,ecx                    ; edi = [esi+34h] * [esi+36h]
        cdq
        idiv edi                        ; NOTE(review): both factors of the divisor come from device-supplied bytes and no zero check is visible; a zero at either offset faults (#DE) in kernel mode
        pop edi
        mov [esi+32h],ax                ; [esi+32h] = quotient (low 16 bits)
        xor al,al
L0001D072:
        pop esi
        pop ebx
        retn
;------------------------------------------------------------------------------
Align 2
SSZ0001D076_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001D07E_TI_Msg_: db 'TI Msg',0Ah,0
SSZ0001D086_TI_Msg_: db 'TI Msg',0Ah,0
;-----------------------------------------------------------------------
; SUB_L0001D08E - reset the block tables, then read page 1 of block
; [ctx+DEh] and feed each 16-bit entry of that page (byte-swapped, list
; terminated by FFFFh, at most 200h entries) to SUB_L0001B106(entry, 1);
; finally B106 is applied to the two blocks at [ctx+DEh]/[ctx+E0h].
; Table sizes established by the fills below:
;   [ctx+136h .. 4136h)  2000h words set to FFFFh
;   [ctx+4136h .. 4536h) 400h bytes zeroed (2000h bits)
;   [ctx+E2h .. 102h)    16 words set to FFFFh (one per 512-block group)
; In:    ecx = device context
; Out:   al = 0 on success, FFh if the page read fails
; Clobb: eax, ecx, edx, flags; locals [ebp-04h] = entry index,
;        [ebp-08h] = byte-swapped entry
; Stack: no arguments (`retn`)
; The body continues on the next line of the listing.
;-----------------------------------------------------------------------
SUB_L0001D08E:
        push ebp
        mov ebp,esp
        push ecx
        push ecx                        ; two local dword slots
        push ebx
        push esi
        push edi
        push SSZ0001D076_TI_Msg_
        mov esi,ecx
        call jmp_ntoskrnl.exe!DbgPrint
        pop ecx
        or eax,FFFFFFFFh
        lea edi,[esi+00000136h]
        mov ecx,00001000h
        rep stosd                       ; 1000h dwords of FFFFFFFFh
        xor eax,eax
        mov ebx,00000100h
        push 00000008h                  ; parked here so `pop ecx` below loads ecx = 8
        lea edi,[esi+00004136h]
        mov ecx,ebx
        rep stosd                       ; 100h dwords of 0
        pop ecx
        or eax,FFFFFFFFh
        lea edi,[esi+000000E2h]
        rep stosd                       ; 8 dwords of FFFFFFFFh
        mov eax,[esi+04h]
        and byte ptr [esi+00000134h],00h
        xor edi,edi
        inc edi                         ; edi = 1, reused as a constant argument below
        push edi
        add eax,00000024h
        push eax
        call SUB_L000172AC              ; 172AC([esi+04h]+24h, 1)
        mov eax,[esi+04h]
        push ebx                        ; ebx = 100h
        add eax,00000010h
        push eax
        call SUB_L000172AC              ; 172AC([esi+04h]+10h, 100h)
        xor eax,eax
        mov ax,[esi+000000DEh]
        push edi
        push 00000022h
        push edi
        mov ecx,esi
        push eax
        call SUB_L0001BAA4              ; BAA4(block [esi+DEh], page 1, 22h, 1)
        test al,al
        jnz L0001D11A
        mov ecx,esi
        call SUB_L0001B606
        test al,al
        jz L0001D121
L0001D11A:
        or al,FFh                       ; read failed -> FFh
        jmp L0001D1A7
L0001D121:
        push SSZ0001D07E_TI_Msg_
        call jmp_ntoskrnl.exe!DbgPrint
        and dword ptr [ebp-04h],00000000h ; entry index = 0
        pop ecx
L0001D130:
        push [ebp-04h]
        mov ecx,esi
        call SUB_L0001A138              ; ax = A138(index)
        inc [ebp-04h]
        mov [ebp-08h],ah
        mov [ebp-07h],al                ; bx = (al << 8) | ah: byte-swapped entry
        mov bx,[ebp-08h]
        cmp                             ; operands `bx,[esi+000000D6h]` are on the next line
ebx,ebx push eax mov [esi+00000090h],ebx call SUB_L0001729C push SSZ0001D3B2_TI_Msg_ mov dword ptr [esi+000000C8h],00004010h call jmp_ntoskrnl.exe!DbgPrint pop ecx push ebx push ebx push ebx push 0000003Ch mov ecx,esi call SUB_L0001B6AC cmp al,bl jz L0001D454 push ebx push ebx push ebx push 0000003Ch mov ecx,esi call SUB_L0001B6AC cmp al,bl mov [ebp-01h],al jz L0001D454 push SSZ0001D3BA_TI_Msg_ jmp L0001D46C L0001D454: push 1F001F00h mov ecx,esi call SUB_L0001B7D0 cmp al,bl mov [ebp-01h],al jz L0001D474 push SSZ0001D3C2_TI_Msg_ L0001D46C: call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001D486 L0001D474: cmp [esi+000000A4h],bl jz L0001D486 mov ecx,esi call SUB_L0001D1D4 mov [ebp-01h],al L0001D486: mov al,[ebp-01h] pop edi pop esi pop ebx leave retn ;------------------------------------------------------------------------------ SUB_L0001D48E: push esi push [esp+0Ch] mov esi,ecx push [esp+0Ch] call SUB_L0001B144 and dword ptr [esi+000000D4h],00000000h mov dword ptr [esi],L00023134 mov byte ptr [esi+18h],22h mov eax,esi pop esi retn 0008h ;------------------------------------------------------------------------------ Align 2 L0001D4B6: mov eax,SSZ00023164_MEMORYSTICK_PRO retn ;------------------------------------------------------------------------------ L0001D4BC: mov eax,SSZ00023174_MSPRO retn ;------------------------------------------------------------------------------ SSZ0001D4C2_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001D4CA: push esi mov esi,ecx push SSZ0001D4C2_TI_Msg_ mov dword ptr [esi],L00023134 call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,esi pop esi jmp SUB_L0001B1FC SSZ0001D4E6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D4EE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D4F6_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001D4FE: mov eax,[esp+0Ch] push ebx push esi push edi mov edi,ecx mov esi,eax mov ecx,eax shr ecx,10h and esi,00FF0000h or esi,ecx mov ecx,eax shl eax,10h mov ebx,0000FF00h and ecx,ebx or ecx,eax mov eax,[edi+000000C8h] shl ecx,08h shr esi,08h or eax,00002707h or esi,ecx push 
eax mov ecx,edi call SUB_L0001B080 movzx eax,[esp+14h] mov ecx,eax and ecx,000000FFh mov edx,esi shl edx,08h or ecx,edx shl ecx,10h and eax,ebx or ecx,eax movzx eax,[esp+10h] or ecx,eax push ecx mov ecx,edi call SUB_L0001B550 shr esi,08h push esi mov ecx,edi call SUB_L0001B550 push 00000007h push 00000009h mov ecx,edi call SUB_L0001B49C test al,al jz L0001D58F push SSZ0001D4E6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint jmp L0001D5D0 L0001D58F: mov ecx,edi call SUB_L0001B402 mov bl,al test bl,bl jz L0001D5AB push SSZ0001D4EE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,bl jmp L0001D5D7 L0001D5AB: lea esi,[edi+00000090h] push esi push L00018364 push [edi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] test al,al jz L0001D5D5 push SSZ0001D4F6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] L0001D5D0: pop ecx mov al,81h jmp L0001D5D7 L0001D5D5: xor al,al L0001D5D7: pop edi pop esi pop ebx retn 000Ch ;------------------------------------------------------------------------------ Align 2 SSZ0001D5DE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D5E6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D5EE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D5F6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D5FE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D606_TI_Msg_: db 'TI Msg',0Ah,0 L0001D60E: db 80h; '?' 
db 7Ch; '|' db 24h; '$' db 0Ch; db 00h; db 53h; 'S' db 56h; 'V' db 8Bh; '<' db F1h; 'á' db 75h; 'u' db 6Dh; 'm' db 68h; 'h' dd SSZ0001D5DE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push [esp+0Ch] mov ecx,esi push [esp+14h] push 00000020h call SUB_L0001D4FE test al,al jnz L0001D70B cmp byte ptr [esi+000000A4h],00h push edi mov edi,[ntoskrnl.exe!KeSynchronizeExecution] jz L0001D6A8 lea eax,[esi+00000090h] push eax push L0001B31C push [esi+08h] call edi test al,al jnz L0001D6D4 mov eax,[esi+04h] add eax,0000018Ch push eax call SUB_L00017282 test al,02h jnz L0001D6D4 push SSZ0001D5E6_TI_Msg_ L0001D679: call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,4Eh jmp L0001D70A db 8Bh; '<' db CEh; 'Ž' db E8h; '¨' db 75h; 'u' db DDh; '' db FFh; 'ï' db FFh; 'ï' db 8Ah; '?' db D8h; '˜' db 84h; '"' db DBh; '›' db 74h; 't' db AAh; 'ò' db 68h; 'h' dd SSZ0001D5EE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+00000090h] pop ecx mov al,bl jmp L0001D70B L0001D6A8: mov ecx,esi call SUB_L0001B736 mov bl,al test bl,bl jz L0001D6C4 push SSZ0001D5F6_TI_Msg_ L0001D6BA: call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,bl jmp L0001D70A L0001D6C4: test byte ptr [esi+000000A8h],20h jnz L0001D6D4 push SSZ0001D5FE_TI_Msg_ jmp L0001D679 L0001D6D4: lea eax,[esi+00000090h] push eax push L0001E91A push [esi+08h] call edi test al,al jz L0001D6ED mov al,51h jmp L0001D70A L0001D6ED: push 00000200h push 00000002h mov ecx,esi call SUB_L0001B49C mov bl,al test bl,bl jz L0001D708 push SSZ0001D606_TI_Msg_ jmp L0001D6BA L0001D708: xor al,al L0001D70A: pop edi L0001D70B: pop esi pop ebx retn 000Ch ;------------------------------------------------------------------------------ SSZ0001D710_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D718_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D720_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D728_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D730_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D738_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D740_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D748_TI_Msg_: db 'TI Msg',0Ah,0 L0001D750: push ebp mov 
ebp,esp cmp byte ptr [ebp+10h],00h push ebx push esi push edi mov edi,[ebp+08h] mov esi,ecx jnz L0001D836 cmp byte ptr [esi+000000A5h],03h jnz L0001D78E mov eax,[esi+000000D4h] inc eax cmp edi,eax jnz L0001D78E call SUB_L0001B402 mov bl,al test bl,bl jz L0001D7B4 push SSZ0001D710_TI_Msg_ jmp L0001D84C L0001D78E: mov eax,[esi] mov ecx,esi call [eax+04h] push SSZ0001D718_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push edi push 00000000h push 00000021h mov ecx,esi call SUB_L0001D4FE test al,al jnz L0001D8FB L0001D7B4: cmp byte ptr [esi+000000A4h],00h mov ebx,[ntoskrnl.exe!KeSynchronizeExecution] mov [esi+000000D4h],edi jz L0001D859 lea edi,[esi+00000090h] push edi push L0001B31C push [esi+08h] call ebx test al,al jnz L0001D8C0 mov eax,[esi+04h] add eax,0000018Ch push eax call SUB_L00017282 test al,02h jnz L0001D8C0 push SSZ0001D720_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001D728_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] pop ecx add eax,00000190h push eax call SUB_L00017282 mov eax,[esi+04h] add eax,00000188h push eax call SUB_L00017282 mov eax,[edi] jmp L0001D8BC L0001D836: mov ecx,esi call SUB_L0001B402 mov bl,al test bl,bl jz L0001D7B4 push SSZ0001D730_TI_Msg_ L0001D84C: call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,bl jmp L0001D8FB L0001D859: mov ecx,esi call SUB_L0001B736 test al,al mov [ebp+13h],al jz L0001D87A push SSZ0001D738_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,[ebp+13h] pop ecx jmp L0001D8FB L0001D87A: test byte ptr [esi+000000A8h],20h jnz L0001D8C0 push SSZ0001D740_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esp],SSZ0001D748_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi+04h] pop ecx add eax,00000190h push eax call SUB_L00017282 mov eax,[esi+04h] add eax,00000188h push eax call SUB_L00017282 mov eax,[esi+00000090h] L0001D8BC: mov al,4Eh jmp L0001D8FB L0001D8C0: lea eax,[esi+00000090h] push eax push L0001E91A push [esi+08h] call ebx test al,al jz L0001D8D9 mov al,51h jmp L0001D8FB L0001D8D9: 
push 00000200h push 0000000Dh mov ecx,esi call SUB_L0001B49C test al,al jnz L0001D8FB cmp word ptr [ebp+0Ch],0001h jnz L0001D8F9 mov byte ptr [esi+000000A5h],03h L0001D8F9: xor al,al L0001D8FB: pop edi pop esi pop ebx pop ebp retn 000Ch ;------------------------------------------------------------------------------ SSZ0001D902_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D90A_TI_Msg_: db 'TI Msg',0Ah,0 L0001D912: push ebx push esi mov esi,ecx cmp byte ptr [esi+000000A5h],03h jnz L0001D96C mov byte ptr [esi+28h],01h call SUB_L0001B402 test al,al jz L0001D932 and byte ptr [esi+28h],00h jmp L0001D972 L0001D932: push SSZ0001D902_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push 00000000h push 00000000h push 00000001h push 00000025h mov ecx,esi call SUB_L0001B6AC mov bl,al test bl,bl jz L0001D965 push SSZ0001D90A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint and byte ptr [esi+28h],00h pop ecx mov al,bl jmp L0001D972 L0001D965: and byte ptr [esi+000000A5h],00h L0001D96C: and byte ptr [esi+28h],00h xor al,al L0001D972: pop esi pop ebx retn ;------------------------------------------------------------------------------ Align 2 SSZ0001D976_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001D97E: push esi push SSZ0001D976_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint mov eax,[esp+0Ch] pop ecx xor ecx,ecx mov ch,[eax] mov cl,[eax+01h] mov [esi+32h],cx xor ecx,ecx mov ch,[eax+08h] mov cl,[eax+09h] mov [esi+36h],cx xor ecx,ecx mov ch,[eax+02h] mov cl,[eax+03h] xor al,al mov [esi+34h],cx pop esi retn 0004h ;------------------------------------------------------------------------------ Align 2 SSZ0001D9BA_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001D9C2_TI_Msg_: db 'TI Msg',0Ah,0 L0001D9CA: push esp dec ecx and [ebp+73h],cl or al,[eax] SUB_L0001D9D2: push ebx push esi push SSZ0001D9BA_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint pop ecx mov dword ptr [esi+000000C8h],00004010h xor bl,bl L0001D9ED: and byte ptr [esi+000000B7h],00h mov ecx,esi call SUB_L0001B584 inc bl test al,al jz L0001DA14 cmp bl,02h jc 
L0001D9ED push SSZ0001D9C2_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,4Ch jmp L0001DA27 L0001DA14: push L0001D9CA call jmp_ntoskrnl.exe!DbgPrint and dword ptr [esi+000000C8h],00000000h xor al,al L0001DA27: pop ecx pop esi pop ebx retn ;------------------------------------------------------------------------------ Align 4 SSZ0001DA2C_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001DA34: push ebp mov ebp,esp push ecx push ecx push ebx push esi push edi push SSZ0001DA2C_TI_Msg_ mov [ebp-04h],ecx call jmp_ntoskrnl.exe!DbgPrint mov eax,[ntoskrnl.exe!KeTickCount] pop ecx mov [ebp-08h],eax jmp L0001DA56 L0001DA54: pause ; SSE2 L0001DA56: mov eax,[ebp-08h] mov esi,[eax+04h] mov eax,[ebp-08h] mov edi,[eax] mov eax,[ebp-08h] cmp esi,[eax+08h] jnz L0001DA54 jmp L0001DAAE L0001DA6B: mov eax,[ebp-04h] mov dl,[eax+000000A8h] mov eax,[ntoskrnl.exe!KeTickCount] mov [ebp-08h],eax jmp L0001DA80 L0001DA7E: pause ; SSE2 L0001DA80: mov eax,[ebp-08h] mov ecx,[ebp-08h] mov eax,[eax+04h] mov ebx,[ebp-08h] cmp eax,[ebx+08h] mov ecx,[ecx] jnz L0001DA7E test dl,dl jns L0001DA9C test dl,40h jz L0001DAC0 L0001DA9C: sub ecx,edi sbb eax,esi test eax,eax jg L0001DABC jl L0001DAAE cmp ecx,000F4240h jnc L0001DABC L0001DAAE: mov ecx,[ebp-04h] call SUB_L0001B736 test al,al jz L0001DA6B jmp L0001DAC2 L0001DABC: mov al,4Dh jmp L0001DAC2 L0001DAC0: xor al,al L0001DAC2: pop edi pop esi pop ebx leave retn ;------------------------------------------------------------------------------ Align 4 SSZ0001DAC8_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DAD0_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DAD8_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DAE0_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DAE8_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DAF0_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DAF8_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DB00_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DB08_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001DB10: push ebx push esi push SSZ0001DAC8_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [esp+10h],00h pop ecx setz al mov ecx,esi mov [esi+000000B9h],al 
mov byte ptr [esi+000000B8h],01h call SUB_L0001B584 mov bl,al test bl,bl jz L0001DB53 push SSZ0001DAD0_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,bl jmp L0001DCFA L0001DB53: push ebp push edi xor ebp,ebp push ebp xor edi,edi inc edi push edi push ebp push 00000010h mov ecx,esi call SUB_L0001B6AC L0001DB66: mov ecx,esi call SUB_L0001B402 mov bl,al test bl,bl jnz L0001DCCA mov eax,[esi+04h] add eax,0000018Ch push eax call SUB_L00017282 push SSZ0001DAD8_TI_Msg_ mov [esp+18h],eax call jmp_ntoskrnl.exe!DbgPrint pop ecx lea ebx,[esi+00000090h] push ebx push L00018364 push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] test al,al jnz L0001DCD9 push ebx push L00018364 push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] test al,al jnz L0001DCE8 mov eax,[esp+14h] and eax,00000008h mov [esp+14h],eax jnz L0001DC99 mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000100h add eax,00000010h push eax call SUB_L000172AC push 00000200h push 00000002h mov ecx,esi call SUB_L0001B49C mov bl,al test bl,bl jnz L0001DCEF push 00000000h mov ecx,esi call SUB_L0001A0DE movzx edi,al push 00000001h mov ecx,esi shl edi,08h call SUB_L0001A0DE movzx eax,al add edi,eax push 00000002h mov ecx,esi shl edi,08h call SUB_L0001A0DE movzx eax,al add edi,eax push 00000003h mov ecx,esi shl edi,08h call SUB_L0001A0DE movzx eax,al push 00000004h mov ecx,esi add edi,eax call SUB_L0001A0DE movzx ebp,al push 00000005h mov ecx,esi shl ebp,08h call SUB_L0001A0DE movzx eax,al add ebp,eax push 00000006h mov ecx,esi shl ebp,08h call SUB_L0001A0DE movzx eax,al add ebp,eax push 00000007h mov ecx,esi shl ebp,08h call SUB_L0001A0DE movzx eax,al push SSZ0001DAE0_TI_Msg_ add ebp,eax call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001DC99: cmp ebp,edi jnz L0001DB66 xor eax,eax cmp [esp+14h],eax jnz L0001DB66 push eax push eax push 00000001h push 000000CCh mov ecx,esi call SUB_L0001B6AC mov bl,al test bl,bl jz L0001DCF6 push SSZ0001DAE8_TI_Msg_ jmp 
L0001DCCF L0001DCCA: push SSZ0001DAF0_TI_Msg_ L0001DCCF: call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,bl jmp L0001DCF8 L0001DCD9: push SSZ0001DAF8_TI_Msg_ L0001DCDE: call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,81h jmp L0001DCF8 L0001DCE8: push SSZ0001DB00_TI_Msg_ jmp L0001DCDE L0001DCEF: push SSZ0001DB08_TI_Msg_ jmp L0001DCCF L0001DCF6: xor al,al L0001DCF8: pop edi pop ebp L0001DCFA: pop esi pop ebx retn 0004h ;------------------------------------------------------------------------------ Align 4 SSZ0001DD00_TI_Msg_: db 'TI Msg',0Ah,0 L0001DD08: push ebp mov ebp,esp push ecx push ecx push ebx push esi push edi mov esi,ecx call SUB_L0001AB1E mov bl,al mov eax,[esi+04h] mov edi,00000190h push 00008000h add eax,edi push eax call SUB_L0001729C mov eax,[esi+04h] push 00000A00h add eax,edi push eax call SUB_L0001729C mov eax,[esi+04h] push FFFFFFFFh add eax,0000018Ch xor edi,edi push eax mov [esi+00000090h],edi call SUB_L0001729C or dword ptr [ebp-04h],FFFFFFFFh lea eax,[ebp-08h] push eax push edi push edi mov dword ptr [ebp-08h],FFF0BDC0h call [ntoskrnl.exe!KeDelayExecutionThread] push SSZ0001DD00_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov eax,[esi] pop ecx mov ecx,esi mov dword ptr [esi+000000C8h],00004010h call [eax+1Ch] pop edi pop esi mov al,bl pop ebx leave retn ;------------------------------------------------------------------------------ L0001DD90: push esi mov esi,ecx call SUB_L0001B1FC test byte ptr [esp+08h],01h jz L0001DDA6 push esi call SUB_L00014338 pop ecx L0001DDA6: mov eax,esi pop esi retn 0004h ;------------------------------------------------------------------------------ L0001DDAC: push esi mov esi,ecx call SUB_L0001B99E test byte ptr [esp+08h],01h jz L0001DDC2 push esi call SUB_L00014338 pop ecx L0001DDC2: mov eax,esi pop esi retn 0004h ;------------------------------------------------------------------------------ SSZ0001DDC8_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DDD0_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DDD8_TI_Msg_: db 'TI Msg',0Ah,0 
SSZ0001DDE0_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DDE8_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DDF0_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DDF8_TI_Msg_: db 'TI Msg',0Ah,0 L0001DE00: push ebp mov ebp,esp push ecx push ecx push ebx push esi mov esi,ecx mov cl,[esi+000000DCh] cmp cl,10h push edi jnz L0001DE1D mov ebx,[ebp+08h] shr ebx,04h jmp L0001DE36 L0001DE1D: cmp cl,20h jnz L0001DE2A mov ebx,[ebp+08h] shr ebx,05h jmp L0001DE36 L0001DE2A: mov eax,[ebp+08h] movzx edi,cl xor edx,edx div edi mov ebx,eax L0001DE36: movzx eax,[ebp+08h] movzx edi,cl cdq idiv edi cmp bx,[esi+000000D8h] mov [ebp-08h],dl jc L0001DE5E push SSZ0001DDC8_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,82h jmp L0001DFD8 L0001DE5E: push ebx mov ecx,esi call SUB_L0001B0B4 cmp byte ptr [ebp+10h],00h mov [ebp-04h],eax jz L0001DE79 cmp byte ptr [ebp-08h],00h mov byte ptr [ebp+08h],04h jnz L0001DE7D L0001DE79: mov byte ptr [ebp+08h],01h L0001DE7D: movzx eax,[ebp-08h] dec edi cmp eax,edi jz L0001DE8C cmp byte ptr [ebp+0Ch],01h jnz L0001DE90 L0001DE8C: or byte ptr [ebp+08h],08h L0001DE90: cmp byte ptr [ebp+10h],00h jnz L0001DEA0 cmp byte ptr [ebp+0Ch],01h jnz L0001DEA0 mov byte ptr [ebp+08h],20h L0001DEA0: cmp byte ptr [esi+00000134h],00h jnz L0001DEF2 push SSZ0001DDD0_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov byte ptr [ebp+08h],20h xor edi,edi jmp L0001DEDE L0001DEBC: cmp word ptr [ebp-04h],FFFFh jnz L0001DEE7 mov ecx,esi call SUB_L0001CC88 push ebx mov ecx,esi call SUB_L0001B0B4 inc edi cmp di,0800h mov [ebp-04h],eax jnc L0001DF10 L0001DEDE: cmp byte ptr [esi+00000134h],00h jz L0001DEBC L0001DEE7: push SSZ0001DDD8_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001DEF2: push 00000001h push [ebp+08h] mov ecx,esi push [ebp-08h] push [ebp-04h] call SUB_L0001BAA4 test al,al mov [ebp+13h],al jnz L0001DF22 jmp L0001DFD8 L0001DF10: push SSZ0001DDE0_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,4Ah jmp L0001DFD8 L0001DF22: push SSZ0001DDE8_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr 
[esp],SSZ0001DDF0_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,esi call SUB_L0001B584 test al,al jnz L0001DF8C mov eax,[esi+000000C8h] or eax,00002707h push eax mov ecx,esi call SUB_L0001B080 push 0000003Ch mov ecx,esi call SUB_L0001B550 push 00000000h mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz L0001DF85 push SSZ0001B6A4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001DF8C L0001DF85: mov ecx,esi call SUB_L0001B606 L0001DF8C: push 1F001F00h mov ecx,esi mov dword ptr [esi+000000C8h],00004010h call SUB_L0001B7D0 cmp byte ptr [ebp+13h],43h jz L0001DFAE cmp byte ptr [ebp+13h],40h jnz L0001DFD5 L0001DFAE: push SSZ0001DDF8_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx push [ebp-04h] mov ecx,esi call SUB_L0001C4A2 xor eax,eax mov ax,[esi+00000102h] mov ecx,esi push eax push ebx call SUB_L0001B096 L0001DFD5: mov al,[ebp+13h] L0001DFD8: pop edi pop esi pop ebx leave retn 000Ch ;------------------------------------------------------------------------------ Align 4 SSZ0001DFE0_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DFE8_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001DFF0_TI_Msg_: db 'TI Msg',0Ah,0 L0001DFF8: push ebp mov ebp,esp push ecx push ecx push esi mov esi,ecx mov cl,[esi+000000DCh] cmp cl,10h push edi jnz L0001E014 mov edi,[ebp+08h] shr edi,04h jmp L0001E02D L0001E014: cmp cl,20h jnz L0001E021 mov edi,[ebp+08h] shr edi,05h jmp L0001E02D L0001E021: mov eax,[ebp+08h] movzx edi,cl xor edx,edx div edi mov edi,eax L0001E02D: movzx eax,[ebp+08h] movzx ecx,cl cdq idiv ecx cmp di,[esi+000000D8h] mov [ebp-04h],dl jc L0001E055 push SSZ0001DFE0_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov al,82h jmp L0001E16C L0001E055: push edi mov ecx,esi call SUB_L0001B0B4 mov [ebp-08h],eax jmp L0001E077 L0001E062: cmp ax,FFFFh jnz L0001E083 mov ecx,esi call SUB_L0001CC88 push edi mov ecx,esi call SUB_L0001B0B4 L0001E077: cmp byte ptr [esi+00000134h],00h mov [ebp+08h],eax jz L0001E062 L0001E083: push ebx push [ebp+10h] lea 
eax,[ebp+08h] push [ebp+0Ch] mov ecx,esi push [ebp-04h] push eax push edi call SUB_L0001C838 mov bl,al cmp bl,52h jnz L0001E0C4 mov eax,[esi] mov ecx,esi call [eax+04h] mov bl,al test bl,bl jnz L0001E0E1 push [ebp+10h] lea eax,[ebp+08h] push [ebp+0Ch] mov ecx,esi push [ebp-04h] push eax push edi call SUB_L0001C838 mov bl,al L0001E0C4: test bl,bl jnz L0001E0E1 mov eax,[ebp+08h] cmp [ebp-08h],ax jz L0001E0DA push eax push edi mov ecx,esi call SUB_L0001B096 L0001E0DA: xor al,al jmp L0001E16B L0001E0E1: push SSZ0001DFE8_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp bl,81h pop ecx jnz L0001E169 push SSZ0001DFF0_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx mov ecx,esi call SUB_L0001B584 test al,al jnz L0001E14F mov eax,[esi+000000C8h] or eax,00002707h push eax mov ecx,esi call SUB_L0001B080 push 0000003Ch mov ecx,esi call SUB_L0001B550 push 00000000h mov ecx,esi call SUB_L0001B550 push 00000001h push 0000000Eh mov ecx,esi call SUB_L0001B49C test al,al jz L0001E148 push SSZ0001B6A4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx jmp L0001E14F L0001E148: mov ecx,esi call SUB_L0001B606 L0001E14F: push 1F001F00h mov ecx,esi mov dword ptr [esi+000000C8h],00004010h call SUB_L0001B7D0 mov al,81h jmp L0001E16B L0001E169: mov al,bl L0001E16B: pop ebx L0001E16C: pop edi pop esi leave retn 000Ch ;------------------------------------------------------------------------------ L0001E172: push esi mov esi,ecx call SUB_L0001D4CA test byte ptr [esp+08h],01h jz L0001E188 push esi call SUB_L00014338 pop ecx L0001E188: mov eax,esi pop esi retn 0004h ;------------------------------------------------------------------------------ SSZ0001E18E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E196_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E19E_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E1A6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E1AE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E1B6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E1BE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E1C6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E1CE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E1D6_TI_Msg_: 
db 'TI Msg',0Ah,0 SSZ0001E1DE_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E1E6_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E1EE_TI_Msg_: db 'TI Msg',0Ah,0 SUB_L0001E1F6: push ebp mov ebp,esp sub esp,0000040Ch push ebx push esi push edi push SSZ0001E18E_TI_Msg_ mov edi,ecx call jmp_ntoskrnl.exe!DbgPrint and dword ptr [ebp-08h],00000000h pop ecx L0001E213: mov eax,[edi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[edi+04h] push 00000100h add eax,00000010h push eax call SUB_L000172AC movzx eax,[ebp-08h] shr eax,09h push eax push 00000001h push 00000024h mov ecx,edi call SUB_L0001D4FE test al,al jnz L0001E47D cmp [edi+000000A4h],al jz L0001E278 lea eax,[edi+00000090h] push eax push L0001B31C push [edi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] test al,al jnz L0001E296 push SSZ0001E196_TI_Msg_ jmp L0001E3C8 L0001E278: mov ecx,edi call SUB_L0001B736 mov bl,al test bl,bl jnz L0001E3B2 test byte ptr [edi+000000A8h],20h jz L0001E3C3 L0001E296: lea eax,[edi+00000090h] push eax push L0001E91A push [edi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] test al,al jnz L0001E3D4 mov ebx,00000200h push ebx push 00000002h mov ecx,edi call SUB_L0001B49C test al,al mov [ebp-01h],al jnz L0001E47D xor esi,esi L0001E2CF: cmp word ptr [ebp-08h],0400h jnc L0001E2FF push esi mov ecx,edi call SUB_L0001A0DE movzx ecx,[ebp-08h] inc [ebp-08h] inc esi cmp si,bx mov [ebp+ecx-0000040Ch],al jc L0001E2CF cmp word ptr [ebp-08h],0400h jc L0001E213 L0001E2FF: mov al,[ebp-00000408h] cmp al,01h mov [ebp-02h],al jc L0001E470 cmp al,0Ch ja L0001E470 mov dword ptr [ebp-08h],00000010h L0001E31F: movzx esi,[ebp-08h] movzx bx,[ebp+esi-0000040Ah] movzx ax,[ebp+esi-00000409h] movzx cx,[ebp+esi-00000405h] shl ebx,08h push SSZ0001E19E_TI_Msg_ add ebx,eax movzx ax,[ebp+esi-00000406h] shl eax,08h add eax,ecx mov [ebp-0Ch],eax call jmp_ntoskrnl.exe!DbgPrint cmp bx,01A0h pop ecx jc L0001E458 cmp word ptr [ebp-0Ch],0000h jz L0001E458 movzx eax,[ebp-0Ch] movzx ebx,bx add eax,ebx cmp eax,0000F800h jge 
L0001E458 movzx eax,[ebp+esi-00000404h] sub eax,00000010h jz L0001E40F sub eax,00000010h jz L0001E408 dec eax jz L0001E401 sub eax,0000000Fh jz L0001E3E2 sub eax,00000010h jz L0001E3DB push SSZ0001E1A6_TI_Msg_ jmp L0001E452 L0001E3B2: push SSZ0001E1AE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,bl jmp L0001E47C L0001E3C3: push SSZ0001E1B6_TI_Msg_ L0001E3C8: call jmp_ntoskrnl.exe!DbgPrint mov al,4Eh jmp L0001E47C L0001E3D4: mov al,51h jmp L0001E47D L0001E3DB: push SSZ0001E1BE_TI_Msg_ jmp L0001E452 L0001E3E2: push SSZ0001E1C6_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx lea eax,[ebp+ebx-0000040Ch] push eax mov ecx,edi call SUB_L0001D97E mov [ebp-01h],al jmp L0001E458 L0001E401: push SSZ0001E1CE_TI_Msg_ jmp L0001E452 L0001E408: push SSZ0001E1D6_TI_Msg_ jmp L0001E452 L0001E40F: push SSZ0001E1DE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint movzx eax,[ebp+ebx-000003F8h] movzx ecx,[ebp+ebx-000003F7h] shl eax,08h add eax,ecx movzx ecx,[ebp+ebx-000003F6h] shl eax,08h add eax,ecx movzx ecx,[ebp+ebx-000003F5h] shl eax,08h add eax,ecx mov [edi+2Ch],eax mov dword ptr [esp],SSZ0001E1E6_TI_Msg_ L0001E452: call jmp_ntoskrnl.exe!DbgPrint pop ecx L0001E458: add dword ptr [ebp-08h],0000000Ch dec [ebp-02h] jz L0001E46B cmp byte ptr [ebp-01h],00h jz L0001E31F L0001E46B: mov al,[ebp-01h] jmp L0001E47D L0001E470: push SSZ0001E1EE_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov al,50h L0001E47C: pop ecx L0001E47D: pop edi pop esi pop ebx leave retn ;------------------------------------------------------------------------------ SSZ0001E482_TI_Msg_: db 'TI Msg',0Ah,0 SSZ0001E48A_TI_Msg_: db 'TI Msg',0Ah,0 L0001E492: push esi push SSZ0001E482_TI_Msg_ mov esi,ecx call jmp_ntoskrnl.exe!DbgPrint and byte ptr [esi+24h],00h mov ecx,esi mov dword ptr [esp],1F001F00h call SUB_L0001B7D0 test al,al jnz L0001E53B mov ecx,esi call SUB_L0001B606 test al,al jnz L0001E53B push SSZ0001E48A_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint cmp byte ptr [esi+000000A4h],00h pop ecx jz L0001E4E3 mov ecx,esi call SUB_L0001D9D2 
test al,al jnz L0001E53B L0001E4E3: mov ecx,esi call SUB_L0001DA34 test al,al jnz L0001E53B cmp [esi+000000A4h],al jz L0001E514 mov eax,[esi+04h] add eax,00000004h push eax call SUB_L0001728E or eax,00000100h push eax mov eax,[esi+04h] add eax,00000004h push eax call SUB_L000172AC L0001E514: mov ecx,esi call SUB_L0001E1F6 test al,al jnz L0001E53B mov ecx,esi call SUB_L0001B606 test al,al jnz L0001E53B mov al,[esi+000000A9h] and al,01h mov [esi+25h],al mov byte ptr [esi+24h],01h xor al,al L0001E53B: pop esi retn ;------------------------------------------------------------------------------ Align 2 SUB_L0001E53E: mov eax,[ecx+04h] push [esp+04h] add eax,00000090h push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 4 SUB_L0001E554: mov eax,[ecx+04h] push [esp+04h] add eax,00000094h push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 2 SUB_L0001E56A: mov eax,[ecx+04h] push [esp+04h] add eax,0000009Ch push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 4 SUB_L0001E580: mov eax,[ecx+04h] push [esp+04h] add eax,000000A0h push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 2 SUB_L0001E596: mov eax,[ecx+04h] push [esp+04h] add eax,000000A4h push eax call SUB_L0001729C retn 0004h ;------------------------------------------------------------------------------ Align 4 SUB_L0001E5AC: movzx eax,[esp+04h] mov ecx,[ecx+04h] lea eax,[ecx+eax*4+000000B0h] push eax call SUB_L00017282 retn 0004h ;------------------------------------------------------------------------------ SUB_L0001E5C4: movzx eax,[esp+04h] mov ecx,[ecx+04h] push [esp+08h] lea eax,[ecx+eax*4+000000B0h] push eax call SUB_L0001729C retn 0008h ;------------------------------------------------------------------------------ 
SUB_L0001E5E0:
;-----------------------------------------------------------------------
; SUB_L0001E5E0(this, arg)   -- ecx = this, one stack arg (retn 4)
; Forwards to SUB_L0001729C(*(this+04h) + 0C0h, arg) and returns
; whatever that callee leaves in eax. *(this+04h) is presumably a
; register/window base pointer -- confirm against SUB_L0001729C; the
; siblings SUB_L0001E53E..SUB_L0001E596 have the same shape with
; different offsets.
; The two pushed parameters are cleaned up by the callee (no add esp here).
;-----------------------------------------------------------------------
    mov     eax,[ecx+04h]                  ; eax = *(this+4)
    push    [esp+04h]                      ; arg, re-pushed as 2nd parameter
    add     eax,000000C0h                  ; eax = base + 0C0h
    push    eax
    call    SUB_L0001729C
    retn    0004h
;------------------------------------------------------------------------------
Align 2
SUB_L0001E5F6:
;-----------------------------------------------------------------------
; SUB_L0001E5F6(this, row:u8, col:u16, value:u16)  -- ecx = this, retn 0Ch
; Bounds-checked store into a row-major u16 table:
;   if (row < *(u8*)(this+0ACh) && col < *(u16*)(this+0B0h))
;       ((u16*)*(this+100h))[row * width + col] = value;  // width = *(this+0B0h)
; Out-of-range indices are silently ignored; there is no error indication.
; Both comparisons are unsigned (jnc). The table pointer at this+100h is
; not NULL-checked; SUB_L0001E736 zeroes it at construction, so this must
; only be called once the table has been allocated -- TODO confirm where.
; Clobbers eax, ecx, edx, flags.
;-----------------------------------------------------------------------
    mov     dl,[esp+04h]                   ; dl = row
    cmp     dl,[ecx+000000ACh]             ; row >= row_count ?
    jnc     L0001E62F                      ;   -> out of range, do nothing
    mov     ax,[ecx+000000B0h]             ; ax = width (column count)
    cmp     [esp+08h],ax                   ; col >= width ?
    jnc     L0001E62F
    mov     ecx,[ecx+00000100h]            ; ecx = table base
    movzx   edx,dl
    movzx   eax,ax
    imul    eax,edx                        ; eax = row * width
    movzx   edx,[esp+08h]
    add     eax,edx                        ; eax = row * width + col
    mov     dx,[esp+0Ch]                   ; dx = value
    mov     [ecx+eax*2],dx                 ; u16 store
L0001E62F:
    retn    000Ch
;------------------------------------------------------------------------------
SUB_L0001E632:
;-----------------------------------------------------------------------
; u16 SUB_L0001E632(this, row:u8, col:u16)  -- ecx = this, retn 8
; Bounds-checked read counterpart of SUB_L0001E5F6:
;   return in_range ? ((u16*)*(this+100h))[row * width + col] : 0FFFFh
; Same unsigned checks against this+0ACh / this+0B0h. Only ax carries the
; result; the upper 16 bits of eax are not cleared on either path, so
; callers must use ax (0FFFFh doubles as the "not found" sentinel).
; Clobbers eax, ecx, edx, flags.
;-----------------------------------------------------------------------
    mov     dl,[esp+04h]                   ; dl = row
    cmp     dl,[ecx+000000ACh]
    jnc     L0001E668                      ; row out of range
    mov     ax,[ecx+000000B0h]             ; ax = width
    cmp     [esp+08h],ax
    jnc     L0001E668                      ; col out of range
    mov     ecx,[ecx+00000100h]            ; ecx = table base
    movzx   eax,ax
    movzx   edx,dl
    imul    eax,edx                        ; row * width
    movzx   edx,[esp+08h]
    add     eax,edx                        ; + col
    mov     ax,[ecx+eax*2]                 ; u16 load
    jmp     L0001E66C
L0001E668:
    or      ax,FFFFh                       ; sentinel for out-of-range
L0001E66C:
    retn    0008h
;------------------------------------------------------------------------------
Align 4
SUB_L0001E670:
;-----------------------------------------------------------------------
; SUB_L0001E670(this, row:u8, col:u16)  -- ecx = this, retn 8
; Tests one bit of a row-major bitmap at *(this+104h):
;   if (row < *(u8*)(this+0ACh) && col < *(u16*)(this+0AEh))
;       return bitmap[(width >> 3) * row + (col >> 3)] & (1 << (col & 7));
;   else
;       return 1;
; Note the column limit here is this+0AEh, not the this+0B0h used by the
; u16 table accessors above. Row stride is width >> 3 (floor); presumably
; width is a multiple of 8 -- confirm, otherwise adjacent rows share a byte.
; In range: eax = masked byte (non-zero when set, not normalised to 1).
; Out of range: al = 1 (reads as "set"); the rest of eax still holds
; `this` from the mov below, so callers should test al / non-zero only.
; Preserves ebx, esi; clobbers eax, ecx, edx, flags.
;-----------------------------------------------------------------------
    push    ebx
    mov     bl,[esp+08h]                   ; bl = row
    mov     eax,ecx                        ; eax = this
    cmp     bl,[eax+000000ACh]
    jnc     L0001E6BD                      ; row out of range
    mov     dx,[eax+000000AEh]             ; dx = width in bits
    cmp     [esp+0Ch],dx
    jnc     L0001E6BD                      ; col out of range
    movzx   ecx,[esp+0Ch]                  ; ecx = col
    mov     eax,[eax+00000104h]            ; eax = bitmap base
    movzx   edx,dx
    push    esi
    shr     edx,03h                        ; edx = width / 8 (row stride in bytes)
    movzx   esi,bl
    imul    edx,esi                        ; edx = row * stride
    mov     esi,ecx
    shr     esi,03h                        ; esi = col / 8
    add     edx,esi                        ; edx = byte index
    movzx   eax,[edx+eax]                  ; eax = bitmap byte
    xor     edx,edx
    and     ecx,00000007h                  ; cl = col & 7
    inc     edx
    shl     edx,cl                         ; edx = 1 << (col & 7)
    pop     esi
    and     eax,edx                        ; eax = byte & mask
    jmp     L0001E6BF
L0001E6BD:
    mov     al,01h                         ; out of range -> non-zero
L0001E6BF:
    pop     ebx
    retn    0008h
;------------------------------------------------------------------------------
Align 4
SUB_L0001E6C4:
;-----------------------------------------------------------------------
; SUB_L0001E6C4(this, row:u8, col:u16, set:u8)  -- ecx = this, retn 0Ch
; Sets (set != 0) or clears (set == 0) one bit of the bitmap at
; *(this+104h), with the same unsigned bounds checks and byte/bit
; arithmetic as SUB_L0001E670. Out-of-range requests are silently ignored.
; No meaningful return value: eax holds the byte address on the in-range
; path and `this` otherwise. Frame-pointer prologue; preserves ebx, esi.
;-----------------------------------------------------------------------
    push    ebp
    mov     ebp,esp
    push    ebx
    mov     bl,[ebp+08h]                   ; bl = row
    mov     eax,ecx                        ; eax = this
    cmp     bl,[eax+000000ACh]
    jnc     L0001E718                      ; row out of range
    mov     dx,[eax+000000AEh]             ; dx = width in bits
    cmp     [ebp+0Ch],dx
    jnc     L0001E718                      ; col out of range
    movzx   ecx,[ebp+0Ch]                  ; ecx = col
    mov     eax,[eax+00000104h]            ; eax = bitmap base
    movzx   edx,dx
    push    esi
    shr     edx,03h                        ; stride = width / 8
    movzx   esi,bl
    imul    edx,esi                        ; row * stride
    mov     esi,ecx
    shr     esi,03h                        ; col / 8
    add     edx,esi
    add     eax,edx                        ; eax = &bitmap[byte index]
    and     ecx,00000007h
    mov     dl,01h
    shl     dl,cl                          ; dl = 1 << (col & 7)
    cmp     byte ptr [ebp+10h],00h         ; set or clear?
    jz      L0001E713
    or      [eax],dl                       ; set the bit
    jmp     L0001E717
L0001E713:
    not     dl
    and     [eax],dl                       ; clear the bit
L0001E717:
    pop     esi                            ; esi was only pushed on the in-range path
L0001E718:
    pop     ebx
    pop     ebp
    retn    000Ch
;------------------------------------------------------------------------------ Align 2 SUB_L0001E71E: mov cl,[esp+04h] xor al,al test cl,cl jz L0001E733 L0001E728: mov dl,cl and dl,01h add al,dl shr cl,1 jnz L0001E728 L0001E733: retn 0004h ;------------------------------------------------------------------------------ SUB_L0001E736: push ebx push esi push [esp+0Ch] mov esi,ecx call SUB_L0001AFD6 lea eax,[esi+0000009Ch] push eax mov ecx,esi mov dword ptr [esi],L0002317C call SUB_L0001A1F4 mov eax,[esi+04h] xor ebx,ebx push FFFFFFFFh add eax,00000090h mov [esi+00000090h],ebx mov [esi+00000094h],ebx push eax mov [esi+00000098h],ebx call SUB_L0001729C or byte ptr [esi+000000C2h],FFh or byte ptr [esi+000000CBh],FFh or byte ptr [esi+000000DEh],FFh mov eax,0000FFFFh mov [esi+000000C4h],ax mov [esi+000000C6h],ax mov [esi+000000C8h],ax mov [esi+000000CCh],ax mov [esi+000000CEh],ax mov [esi+000000D0h],ax mov [esi+000000DCh],ax mov [esi+000000CAh],bl mov [esi+00000100h],ebx mov [esi+00000104h],ebx mov [esi+000000B8h],ebx mov [esi+000000BCh],ebx mov [esi+0000010Eh],bl mov [esi+0000010Fh],bl mov [esi+7Ch],bl mov [esi+00000110h],bl mov [esi+00000111h],bl mov byte ptr [esi+000000D2h],20h mov eax,esi pop esi pop ebx retn 0004h ;------------------------------------------------------------------------------ Align 2 L0001E80E: mov eax,SSZ000231A4_SMARTMEDIA_BASE_CLASS retn ;------------------------------------------------------------------------------ L0001E814: mov eax,SSZ000231BC_SMBASE retn ;------------------------------------------------------------------------------ SUB_L0001E81A: xor eax,eax push esi mov esi,ecx mov [esi+00000090h],eax mov [esi+00000094h],eax mov [esi+00000098h],eax mov eax,[esi+04h] push FFFFFFFFh add eax,00000090h push eax mov dword ptr [esi],L0002317C call SUB_L0001729C push [esi+00000100h] call SUB_L00014338 push [esi+00000104h] call SUB_L00014338 push [esi+000000B8h] call SUB_L00014338 push [esi+000000BCh] call SUB_L00014338 add esp,00000010h mov ecx,esi 
pop esi jmp L0001B046 L0001E87E: push ebx push esi push [esp+10h] mov esi,ecx push [esp+10h] call SUB_L0001A37E cmp byte ptr [esp+10h],00h mov bl,al jz L0001E8D9 mov eax,[esi+04h] push edi add eax,00000098h push eax call SUB_L00017282 mov ecx,[esi+00000090h] or ecx,eax mov eax,[esi+04h] add eax,00000090h mov [esi+00000094h],ecx push eax lea edi,[esi+00000098h] call SUB_L00017282 mov ecx,[edi] or eax,ecx mov [edi],eax push [edi] mov ecx,esi call SUB_L0001E53E pop edi L0001E8D9: xor eax,eax mov al,bl pop esi pop ebx or eax,[esp+08h] retn 0008h ;------------------------------------------------------------------------------ L0001E8E6: push esi push edi mov esi,ecx call SUB_L0001A3BE cmp byte ptr [esi+22h],00h mov edi,eax jz L0001E915 mov eax,[esi+00000094h] mov [esi+00000090h],eax lea eax,[esi+0000009Ch] push eax mov ecx,esi call SUB_L0001A222 and byte ptr [esi+22h],00h L0001E915: mov eax,edi pop edi pop esi retn ;------------------------------------------------------------------------------ L0001E91A: mov eax,[esp+04h] mov al,[eax] shr al,02h and al,01h retn 0004h ;------------------------------------------------------------------------------ L0001E928: mov eax,[esp+04h] test word ptr [eax+02h],0380h jnz L0001E938 xor al,al jmp L0001E93A L0001E938: mov al,01h L0001E93A: retn 0004h ;------------------------------------------------------------------------------ Align 2 L0001E93E: mov eax,[esp+04h] mov eax,[eax] shr eax,16h and al,01h retn 0004h ;------------------------------------------------------------------------------ L0001E94C: mov eax,[esp+04h] mov eax,[eax] shr eax,14h and al,01h retn 0004h ;------------------------------------------------------------------------------ L0001E95A: mov eax,[esp+04h] mov eax,[eax] shr eax,13h and al,01h retn 0004h ;------------------------------------------------------------------------------ L0001E968: mov eax,[esp+04h] mov eax,[eax] shr eax,10h and al,01h retn 0004h 
;------------------------------------------------------------------------------ SUB_L0001E976: push esi mov esi,ecx push FD050F80h lea eax,[esi+0000009Ch] push eax call SUB_L0001A23A test al,al jnz L0001E9D2 cmp [esi+26h],al jz L0001E99D mov eax,[esi+00000090h] mov al,86h pop esi retn ;------------------------------------------------------------------------------ L0001E99D: push ebx mov ebx,[ntoskrnl.exe!KeSynchronizeExecution] push edi lea edi,[esi+00000090h] push edi push L0001E91A push [esi+08h] call ebx test al,al jz L0001E9BE mov al,6Ah jmp L0001E9D0 L0001E9BE: push edi push L0001B31C push [esi+08h] call ebx neg al sbb al,al and eax,00000062h L0001E9D0: pop edi pop ebx L0001E9D2: pop esi retn ;------------------------------------------------------------------------------ SUB_L0001E9D4: mov ecx,[ecx+00000088h] mov dl,[esp+04h] shr ecx,0Ah shl cl,1 mov al,01h jmp L0001E9EB L0001E9E7: sub dl,cl inc al L0001E9EB: cmp dl,cl ja L0001E9E7 retn 0004h ;------------------------------------------------------------------------------ SUB_L0001E9F2: push esi mov esi,ecx lea eax,[esi+00000090h] push eax push L000183B6 push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] xor eax,eax mov al,[esp+08h] xor ecx,ecx mov ch,[esp+0Ch] and eax,0000000Fh or eax,ecx push eax mov ecx,esi call SUB_L0001E554 cmp byte ptr [esp+10h],00h jz L0001EA33 mov ecx,esi call SUB_L0001E976 jmp L0001EA35 L0001EA33: xor al,al L0001EA35: pop esi retn 000Ch ;------------------------------------------------------------------------------ Align 2 SUB_L0001EA3A: push ebx push esi push edi mov esi,ecx xor edi,edi L0001EA41: push 00000001h push 00000000h push 00000002h mov ecx,esi call SUB_L0001E9F2 mov bl,al mov eax,[esi+04h] add eax,000000A8h push eax call SUB_L00017282 cmp bl,6Ah jnz L0001EA65 xor bl,bl L0001EA65: test al,40h jnz L0001EA77 test bl,bl jnz L0001EA77 mov ax,di inc edi cmp ax,0100h jc L0001EA41 L0001EA77: pop edi pop esi pop ebx retn 
;------------------------------------------------------------------------------ Align 4 SUB_L0001EA7C: push ebx push esi push 00000001h push 00000000h push 00000007h mov esi,ecx call SUB_L0001E9F2 test al,al jnz L0001EACF mov eax,[esi+04h] push edi mov edi,000000A8h add eax,edi push eax call SUB_L00017282 mov ebx,eax mov eax,[esi+04h] add eax,edi push eax shr ebx,08h call SUB_L00017282 cmp bl,B5h pop edi jnz L0001EABE mov byte ptr [esi+18h],04h L0001EABA: xor al,al jmp L0001EACF L0001EABE: cmp dword ptr [esi+14h],00000000h jz L0001EACD test bl,bl jz L0001EABA cmp bl,FFh jz L0001EABA L0001EACD: mov al,67h L0001EACF: pop esi pop ebx retn ;------------------------------------------------------------------------------ SUB_L0001EAD2: push esi push 00000001h push 00000000h push 00000001h mov esi,ecx call SUB_L0001E9F2 test al,al jnz L0001EBC6 mov eax,[esi+04h] push ebx push edi mov edi,000000A8h add eax,edi push eax call SUB_L00017282 mov ebx,eax mov eax,[esi+04h] add eax,edi push eax shr ebx,18h call SUB_L00017282 movzx eax,bl mov ecx,000000D3h cmp eax,ecx pop edi pop ebx jg L0001EB79 jz L0001EB71 cmp eax,00000073h jg L0001EB4C jz L0001EB44 cmp eax,00000064h jz CASE_0001EBD5_PROC0005 cmp eax,0000006Bh jz CASE_0001EBD5_PROC0002 cmp eax,0000006Eh jz CASE_0001EBD5_PROC0004 cmp eax,00000071h jnz CASE_0001EBD5_PROC0006 mov word ptr [esi+30h],0100h jmp L0001EBC6 L0001EB44: mov word ptr [esi+30h],0010h jmp L0001EBC6 L0001EB4C: sub eax,00000075h jz L0001EB69 dec eax jz L0001EB61 sub eax,00000003h jnz CASE_0001EBD5_PROC0006 mov word ptr [esi+30h],0080h jmp L0001EBC6 L0001EB61: mov word ptr [esi+30h],0040h jmp L0001EBC6 L0001EB69: mov word ptr [esi+30h],0020h jmp L0001EBC6 L0001EB71: mov word ptr [esi+30h],0400h jmp L0001EBC6 L0001EB79: sub eax,000000D5h cmp eax,00000017h ja CASE_0001EBD5_PROC0006 movzx eax,[eax+CASE_0001EBF1] jmp [CASE_PROCTABLE_0001EBD5+eax*4] CASE_0001EBD5_PROC0004: mov word ptr [esi+30h],0001h jmp L0001EBC6 CASE_0001EBD5_PROC0005: mov word ptr [esi+30h],0002h 
jmp L0001EBC6 CASE_0001EBD5_PROC0002: mov word ptr [esi+30h],0004h jmp L0001EBC6 CASE_0001EBD5_PROC0003: mov word ptr [esi+30h],0008h jmp L0001EBC6 CASE_0001EBD5_PROC0001: mov word ptr [esi+30h],0200h jmp L0001EBC6 CASE_0001EBD5_PROC0000: mov word ptr [esi+30h],0800h jmp L0001EBC6 CASE_0001EBD5_PROC0006: and word ptr [esi+30h],0000h L0001EBC6: cmp word ptr [esi+30h],0000h pop esi setnz al dec al and eax,00000067h retn ;------------------------------------------------------------------------------ CASE_PROCTABLE_0001EBD5: dd CASE_0001EBD5_PROC0000 dd CASE_0001EBD5_PROC0001 dd CASE_0001EBD5_PROC0002 dd CASE_0001EBD5_PROC0003 dd CASE_0001EBD5_PROC0004 dd CASE_0001EBD5_PROC0005 dd CASE_0001EBD5_PROC0006 CASE_0001EBF1: db 00h, 06h, 06h, 06h, 06h, 06h, 06h, 01h, 06h, 06h, 06h, 06h, 06h, 06h, 02h, 06h db 02h, 03h, 06h, 04h, 06h, 05h, 06h, 04h Align 2 SUB_L0001EC0A: push esi mov esi,ecx movzx eax,[esi+30h] cmp eax,00000040h push edi jg L0001ED04 jz L0001ECFB dec eax jz L0001ECE7 dec eax jz L0001ECB0 dec eax dec eax jz L0001EC81 sub eax,00000004h jz L0001EC64 sub eax,00000008h jz L0001EC55 sub eax,00000010h jnz L0001ED29 xor edi,edi inc edi mov byte ptr [esi+000000ACh],02h jmp L0001ED76 L0001EC55: xor edi,edi inc edi mov byte ptr [esi+000000ACh],01h jmp L0001ED76 L0001EC64: xor edi,edi inc edi mov byte ptr [esi+000000ACh],01h mov byte ptr [esi+000000B2h],10h mov byte ptr [esi+000000B3h],10h jmp L0001ED84 L0001EC81: xor edi,edi inc edi mov byte ptr [esi+000000ACh],01h mov word ptr [esi+000000AEh],0200h mov word ptr [esi+000000B0h],01F4h mov byte ptr [esi+000000B2h],10h mov byte ptr [esi+000000B3h],10h jmp L0001ED96 L0001ECB0: mov word ptr [esi+000000AEh],0200h mov word ptr [esi+000000B0h],01F4h L0001ECC2: xor edi,edi mov byte ptr [esi+000000ACh],01h mov byte ptr [esi+000000B2h],10h mov byte ptr [esi+000000B3h],08h mov word ptr [esi+000000B4h],0108h jmp L0001ED9F L0001ECE7: mov word ptr [esi+000000AEh],0100h mov word ptr [esi+000000B0h],00FAh jmp L0001ECC2 L0001ECFB: mov byte 
ptr [esi+000000ACh],04h jmp L0001ED73 L0001ED04: cmp eax,00000080h jz L0001ED6C cmp eax,00000100h jz L0001ED63 cmp eax,00000200h jz L0001ED5A mov ecx,00000400h cmp eax,ecx jz L0001ED39 cmp eax,00000800h jz L0001ED30 L0001ED29: mov al,67h jmp L0001EDCB L0001ED30: mov byte ptr [esi+000000ACh],80h jmp L0001ED40 L0001ED39: mov byte ptr [esi+000000ACh],40h L0001ED40: push 00000003h pop edi mov [esi+000000AEh],cx mov byte ptr [esi+000000B2h],20h mov byte ptr [esi+000000B3h],20h jmp L0001ED8D L0001ED5A: mov byte ptr [esi+000000ACh],20h jmp L0001ED73 L0001ED63: mov byte ptr [esi+000000ACh],10h jmp L0001ED73 L0001ED6C: mov byte ptr [esi+000000ACh],08h L0001ED73: push 00000003h pop edi L0001ED76: mov byte ptr [esi+000000B2h],20h mov byte ptr [esi+000000B3h],20h L0001ED84: mov word ptr [esi+000000AEh],0400h L0001ED8D: mov word ptr [esi+000000B0h],03E8h L0001ED96: mov word ptr [esi+000000B4h],0210h L0001ED9F: mov eax,[esi+04h] push ebx mov ebx,0000009Ch add eax,ebx push eax call SUB_L00017282 and eax,FFFFFFFCh or eax,edi push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,ebx push eax call SUB_L00017282 xor al,al pop ebx L0001EDCB: pop edi pop esi retn ;------------------------------------------------------------------------------ SUB_L0001EDCE: cmp byte ptr [ecx+18h],04h movzx eax,[ecx+30h] mov [ecx+2Ch],eax jnz L0001EDDF inc eax mov [ecx+2Ch],eax L0001EDDF: xor al,al retn ;------------------------------------------------------------------------------ SUB_L0001EDE2: push ebp mov ebp,esp push ecx movzx eax,[ebp+08h] push ebx push edi mov edi,ecx mov ecx,[edi+000000B8h] lea eax,[ecx+eax*2] mov bx,[eax] cmp bx,FFFFh mov [ebp-04h],eax jnz L0001EE08 mov al,84h jmp L0001EE4A L0001EE08: push esi lea esi,[ebx+01h] jmp L0001EE14 L0001EE0E: cmp si,bx jz L0001EE33 inc esi L0001EE14: cmp si,[edi+000000AEh] jc L0001EE1F xor esi,esi L0001EE1F: push esi push [ebp+08h] mov ecx,edi call SUB_L0001E670 test al,al jnz L0001EE0E cmp si,bx jnz L0001EE3B L0001EE33: mov byte ptr 
[edi+25h],01h mov al,84h jmp L0001EE49 L0001EE3B: mov eax,[ebp-04h] mov [eax],si mov eax,[ebp+0Ch] mov [eax],si xor al,al L0001EE49: pop esi L0001EE4A: pop edi pop ebx leave retn 0008h ;------------------------------------------------------------------------------ SUB_L0001EE50: movzx eax,[ecx+000000AEh] movzx edx,[esp+04h] imul eax,edx movzx edx,[esp+08h] add eax,edx movzx edx,[ecx+000000B2h] imul eax,edx movzx edx,[esp+0Ch] add eax,edx push eax call SUB_L0001E580 retn 000Ch ;------------------------------------------------------------------------------ SUB_L0001EE80: push esi mov esi,ecx cmp word ptr [esi+000000B4h],0200h jnc L0001EE92 shl dword ptr [esp+10h],1 L0001EE92: push [esp+10h] mov ecx,esi push [esp+10h] push [esp+10h] call SUB_L0001EE50 push 00000001h push 00000001h push 00000009h mov ecx,esi call SUB_L0001E9F2 pop esi retn 000Ch ;------------------------------------------------------------------------------ SUB_L0001EEB6: push esi mov esi,ecx cmp word ptr [esi+000000B4h],0200h jnc L0001EEC8 shl dword ptr [esp+10h],1 L0001EEC8: push [esp+10h] mov ecx,esi push [esp+10h] push [esp+10h] call SUB_L0001EE50 push 00000001h push 00000001h push 0000000Dh mov ecx,esi call SUB_L0001E9F2 pop esi retn 000Ch ;------------------------------------------------------------------------------ SUB_L0001EEEC: push esi push edi push 00000000h push [esp+14h] mov edi,ecx push [esp+14h] call SUB_L0001EE80 test al,al mov esi,00000098h jz L0001EF13 mov eax,[edi+04h] add eax,esi push eax call SUB_L00017282 L0001EF13: mov eax,[edi+04h] add eax,esi push eax call SUB_L00017282 mov ecx,eax mov eax,00200000h and ecx,eax cmp ecx,eax pop edi setz al pop esi retn 0008h ;------------------------------------------------------------------------------ Align 2 SUB_L0001EF32: mov ax,[esp+04h] xor cl,cl test ax,ax jz L0001EF4A L0001EF3E: mov dl,al and dl,01h add cl,dl shr ax,1 jnz L0001EF3E L0001EF4A: movzx eax,cl cdq push 00000002h pop ecx idiv ecx test edx,edx setnz al retn 0004h 
;------------------------------------------------------------------------------ Align 4 SUB_L0001EF5C: push ebp mov ebp,esp push ecx push ecx push ebx push esi push edi push 00000001h mov esi,ecx call SUB_L0001E5AC push 00000003h mov ecx,esi mov [ebp-04h],eax call SUB_L0001E5AC mov ebx,eax push 00000002h mov ecx,esi shr ebx,18h call SUB_L0001E5AC mov bh,al mov ecx,esi mov [ebp-08h],ebx mov bl,[ebp-04h] shr word ptr [ebp-04h],1 push [ebp-04h] and bl,01h call SUB_L0001EF32 cmp al,bl mov edi,000003FFh jnz L0001EFC1 mov eax,[ebp-04h] mov ecx,[ebp+08h] and eax,edi mov [ecx],ax cmp ax,[esi+000000AEh] jnc L0001EFC1 xor al,al jmp L0001EFF7 L0001EFC1: mov bl,[ebp-08h] shr word ptr [ebp-08h],1 push [ebp-08h] mov ecx,esi and bl,01h call SUB_L0001EF32 cmp al,bl jnz L0001EFF5 mov eax,[ebp-08h] mov ecx,[ebp+08h] and eax,edi mov [ecx],ax cmp ax,[esi+000000AEh] setc al dec al and eax,00000066h jmp L0001EFF7 L0001EFF5: mov al,66h L0001EFF7: pop edi pop esi pop ebx leave retn 0004h ;------------------------------------------------------------------------------ SUB_L0001EFFE: push ebp mov ebp,esp push ecx push ebx push esi push edi movzx edi,[ebp+08h] mov esi,ecx mov eax,[esi+000000BCh] mov cx,[ebp+0Ch] shl edi,1 cmp cx,[edi+eax] jnz L0001F079 lea eax,[ebp-04h] push eax push [ebp+08h] mov ecx,esi call SUB_L0001EDE2 xor ebx,ebx cmp al,bl jnz L0001F07B mov eax,[esi+000000BCh] mov cx,[ebp-04h] mov [edi+eax],cx cmp [esi+000000B0h],bx jbe L0001F079 L0001F048: push ebx push [ebp+08h] mov ecx,esi call SUB_L0001E632 cmp ax,[ebp+0Ch] jnz L0001F06F mov eax,[esi+000000BCh] movzx eax,[eax+edi] push eax push ebx push [ebp+08h] mov ecx,esi call SUB_L0001E5F6 L0001F06F: inc ebx cmp bx,[esi+000000B0h] jc L0001F048 L0001F079: xor al,al L0001F07B: pop edi pop esi pop ebx leave retn 0008h ;------------------------------------------------------------------------------ SUB_L0001F082: push esi mov esi,ecx mov eax,[esi+04h] push FFFFFFFFh add eax,000000B0h push eax call SUB_L0001729C mov eax,[esi+04h] push 
FFFFFFFFh add eax,000000B4h push eax call SUB_L0001729C mov eax,[esi+04h] push FFFFFFFFh add eax,000000B8h push eax call SUB_L0001729C mov eax,[esi+04h] push FFFFFFFFh add eax,000000BCh push eax call SUB_L0001729C pop esi retn ;------------------------------------------------------------------------------ Align 4 SUB_L0001F0C8: push esi push 00000000h mov esi,ecx call SUB_L0001E5AC push 00000001h mov ecx,esi call SUB_L0001E5AC push 00000002h mov ecx,esi call SUB_L0001E5AC push 00000003h mov ecx,esi call SUB_L0001E5AC pop esi retn ;------------------------------------------------------------------------------ Align 4 SUB_L0001F0F0: push ebx push ebp push esi push edi xor edi,edi xor ebp,ebp mov esi,ecx xor bl,bl L0001F0FC: test bl,bl jnz L0001F128 push edi push 00000000h mov ecx,esi call SUB_L0001EEEC test al,al jnz L0001F117 cmp [esi+26h],al jnz L0001F12D mov ebp,edi inc bl L0001F117: cmp byte ptr [esi+26h],00h jnz L0001F12D inc edi cmp di,0017h jc L0001F0FC test bl,bl jz L0001F12D L0001F128: mov ax,bp jmp L0001F131 L0001F12D: mov ax,0018h L0001F131: pop edi pop esi pop ebp pop ebx retn ;------------------------------------------------------------------------------ SUB_L0001F136: push ebx push esi mov esi,ecx movzx ecx,[esi+30h] xor al,al cmp ecx,00000040h jg L0001F195 jz L0001F191 dec ecx jz L0001F188 dec ecx jz L0001F183 dec ecx dec ecx jz L0001F178 sub ecx,00000004h jz L0001F16D push 00000008h pop ebx sub ecx,ebx jz L0001F164 sub ecx,00000010h jnz L0001F1BD jmp L0001F166 L0001F164: mov bl,04h L0001F166: mov cl,10h jmp L0001F1EE L0001F16D: mov edx,000000FAh mov bl,04h mov cl,10h jmp L0001F1F3 L0001F178: mov edx,000000FAh L0001F17D: mov bl,04h mov cl,08h jmp L0001F1F3 L0001F183: push 0000007Dh pop edx jmp L0001F17D L0001F188: push 0000007Dh mov bl,04h pop edx mov cl,bl jmp L0001F1F3 L0001F191: mov bl,08h jmp L0001F1EC L0001F195: cmp ecx,00000080h jz L0001F1EA cmp ecx,00000100h jz L0001F1DF cmp ecx,00000200h jz L0001F1D6 cmp ecx,00000400h jz L0001F1D2 cmp 
ecx,00000800h jz L0001F1C7 L0001F1BD: xor edx,edx xor bl,bl xor cl,cl mov al,83h jmp L0001F1F3 L0001F1C7: mov bl,42h L0001F1C9: mov edx,000003D9h L0001F1CE: mov cl,3Fh jmp L0001F1F3 L0001F1D2: mov bl,21h jmp L0001F1C9 L0001F1D6: mov edx,000003F7h mov bl,10h jmp L0001F1CE L0001F1DF: mov edx,000003E8h mov bl,10h mov cl,20h jmp L0001F1F3 L0001F1EA: mov bl,10h L0001F1EC: mov cl,20h L0001F1EE: mov edx,000001F4h L0001F1F3: mov [esi+32h],dx movzx dx,bl movzx cx,cl mov [esi+34h],dx mov [esi+36h],cx pop esi pop ebx retn ;------------------------------------------------------------------------------ SUB_L0001F20A: push esi mov esi,ecx movzx eax,[esi+000000B0h] movzx ecx,[esi+000000ACh] imul eax,ecx shl eax,1 push eax call SUB_L00014304 test eax,eax pop ecx mov [esi+00000100h],eax jz L0001F28A movzx eax,[esi+000000AEh] movzx ecx,[esi+000000ACh] imul eax,ecx sar eax,03h push eax call SUB_L00014304 test eax,eax pop ecx mov [esi+00000104h],eax jz L0001F28A movzx eax,[esi+000000ACh] shl eax,1 push eax call SUB_L00014304 test eax,eax pop ecx mov [esi+000000B8h],eax jz L0001F28A movzx eax,[esi+000000ACh] shl eax,1 push eax call SUB_L00014304 test eax,eax pop ecx mov [esi+000000BCh],eax jnz L0001F28E L0001F28A: mov al,6Ch pop esi retn ;------------------------------------------------------------------------------ L0001F28E: xor dl,dl cmp [esi+000000ACh],dl jbe L0001F316 push ebx push edi L0001F29A: xor eax,eax cmp [esi+000000B0h],ax jbe L0001F2CD movzx ecx,dl L0001F2A8: movzx edi,[esi+000000B0h] imul edi,ecx movzx ebx,ax add edi,ebx mov ebx,[esi+00000100h] or word ptr [ebx+edi*2],FFFFh inc eax cmp ax,[esi+000000B0h] jc L0001F2A8 L0001F2CD: xor eax,eax test word ptr [esi+000000AEh],FFF8h jbe L0001F30A movzx ecx,dl L0001F2DD: movzx edi,[esi+000000AEh] shr edi,03h imul edi,ecx movzx ebx,ax add edi,ebx mov ebx,[esi+00000104h] and byte ptr [edi+ebx],00h mov di,[esi+000000AEh] inc eax shr di,03h cmp ax,di jc L0001F2DD L0001F30A: inc dl cmp dl,[esi+000000ACh] jc L0001F29A pop edi pop ebx 
L0001F316: xor al,al pop esi retn ;------------------------------------------------------------------------------ L0001F31A: push esi mov esi,ecx call SUB_L0001AB1E test al,al jnz L0001F32E mov eax,[esi] mov ecx,esi pop esi jmp [eax+1Ch] L0001F32E: pop esi retn ;------------------------------------------------------------------------------ SUB_L0001F330: push ebp mov ebp,esp push ecx push ecx push ebx push esi mov [ebp-08h],ecx mov ecx,[ebp+08h] push edi mov eax,80000000h mov edi,ecx and edi,eax xor bl,bl xor dl,dl xor esi,esi cmp edi,eax mov byte ptr [ebp-01h],01h jz L0001F3AF test ch,ch js L0001F3AF test ch,40h jz L0001F368 mov ebx,ecx shr ebx,08h and bl,07h jmp L0001F380 L0001F368: test ecx,40000000h jz L0001F382 mov ebx,ecx shr ebx,18h and bl,07h shr ecx,10h mov esi,00000100h L0001F380: mov dl,cl L0001F382: mov ecx,[ebp-08h] movzx ax,dl add esi,eax push esi call SUB_L0001A0DE movzx ecx,bl test ecx,ecx jle L0001F39E L0001F398: shl dword ptr [ebp-01h],1 dec ecx jnz L0001F398 L0001F39E: xor al,[ebp-01h] mov ecx,[ebp-08h] push eax push esi call SUB_L0001A100 xor al,al jmp L0001F3B1 L0001F3AF: mov al,69h L0001F3B1: pop edi pop esi pop ebx leave retn 0004h ;------------------------------------------------------------------------------ L0001F3B8: push esi mov esi,ecx call SUB_L0001E81A test byte ptr [esp+08h],01h jz L0001F3CE push esi call SUB_L00014338 pop ecx L0001F3CE: mov eax,esi pop esi retn 0004h ;------------------------------------------------------------------------------ SUB_L0001F3D4: push esi push 00000000h push [esp+10h] mov esi,ecx push [esp+10h] call SUB_L0001EE80 test al,al jz L0001F40C mov eax,[esi+04h] add eax,00000098h push eax call SUB_L00017282 test eax,00200000h jz L0001F40C mov ecx,esi call SUB_L0001F0C8 inc [esi+00000108h] L0001F40C: push 00000001h mov ecx,esi call SUB_L0001E5AC mov ecx,eax mov eax,000017FFh and ecx,eax xor edx,edx cmp ecx,eax setnz dl mov al,dl pop esi retn 0008h 
;------------------------------------------------------------------------------ Align 4 SUB_L0001F42C: push ecx and dword ptr [esp+00h],00000000h push ebx push ebp push esi mov esi,ecx cmp word ptr [esi+000000B4h],0200h push edi jnc L0001F447 shl dword ptr [esp+20h],1 L0001F447: mov eax,[esi+04h] mov edi,0000009Ch add eax,edi push eax call SUB_L00017282 and eax,FFFFFFDFh push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 or eax,00000010h push eax mov ecx,esi call SUB_L0001E56A cmp byte ptr [esp+24h],00h mov ebp,00000080h mov ebx,00000100h jz L0001F56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 and eax,FFFFFFEFh push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 or eax,ebp push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 and eax,FFFFFF7Fh push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] push ebx add eax,00000010h push eax call SUB_L000172AC push [esp+20h] mov ecx,esi push [esp+20h] push [esp+20h] call SUB_L0001EE50 push 00000000h push 00000001h push 00000008h mov ecx,esi call SUB_L0001E9F2 and dword ptr [esp+24h],00000000h jmp L0001F525 L0001F512: push FFFFFF9Ch mov ecx,esi call SUB_L0001A17A cmp byte ptr [esi+26h],00h jnz L0001F760 L0001F525: mov eax,[esi+04h] add eax,00000098h push eax call SUB_L00017282 test ah,02h jnz L0001F512 mov eax,[esi+04h] add eax,000000A4h push eax call SUB_L00017282 push eax mov eax,[esp+28h] shl eax,02h push eax mov ecx,esi call SUB_L0001A0A8 inc [esp+24h] cmp [esp+24h],bp jc L0001F525 mov ecx,esi call SUB_L0001E976 jmp L0001F58A L0001F56A: push [esp+20h] mov ecx,esi push [esp+20h] push [esp+20h] call SUB_L0001EE50 push 00000001h push 00000001h push 00000008h mov ecx,esi call SUB_L0001E9F2 L0001F58A: mov [esp+24h],al mov al,87h cmp [esp+24h],al jz L0001F793 cmp byte ptr [esp+24h],62h jnz 
L0001F78F cmp byte ptr [esi+0000010Ch],00h jnz L0001F60E lea eax,[esi+00000090h] push eax push L0001E928 push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] test al,al jz L0001F5F1 mov eax,[esi+04h] add eax,00000098h push eax call SUB_L00017282 lea eax,[esp+10h] push eax mov ecx,esi call SUB_L0001EF5C test al,al jz L0001F5EC mov al,66h jmp L0001F793 L0001F5EC: and byte ptr [esp+24h],00h L0001F5F1: lea eax,[esi+00000090h] push eax push L0001E95A push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] test al,al jnz L0001F78B L0001F60E: lea eax,[esi+00000090h] push eax push L0001E94C push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] test al,al jz L0001F764 mov eax,[esi+04h] add eax,000000ACh push eax call SUB_L00017282 mov [esp+24h],eax mov eax,[esi+04h] push 0000FFFFh add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 and eax,FFFFFFEFh push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 or eax,ebp push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 and eax,FFFFFF7Fh push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] push ebx add eax,00000010h push eax call SUB_L000172AC push 00000001h xor edi,edi push edi push edi mov ecx,esi call SUB_L0001E9F2 push [esp+20h] mov ecx,esi push [esp+20h] push [esp+20h] call SUB_L0001EE50 push edi push 00000001h push 00000008h mov ecx,esi call SUB_L0001E9F2 test al,al jnz L0001F793 L0001F6EE: mov eax,[esi+04h] add eax,00000098h push eax call SUB_L00017282 mov ebx,00000200h jmp L0001F720 L0001F703: push FFFFFF9Ch mov ecx,esi call SUB_L0001A17A cmp byte ptr [esi+26h],00h jnz L0001F760 mov eax,[esi+04h] add eax,00000098h push eax call SUB_L00017282 L0001F720: test ebx,eax jnz L0001F703 mov eax,[esi+04h] add 
eax,000000A4h push eax call SUB_L00017282 push eax mov eax,edi shl eax,02h push eax mov ecx,esi call SUB_L0001A0A8 inc edi cmp di,bp jc L0001F6EE mov ecx,esi call SUB_L0001E976 push [esp+24h] mov ecx,esi call SUB_L0001F330 test al,al jnz L0001F793 add al,68h jmp L0001F793 L0001F760: mov al,86h jmp L0001F793 L0001F764: lea eax,[esi+00000090h] push eax push L0001E93E push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] test al,al jz L0001F78F mov eax,[esi+04h] add eax,00000098h push eax call SUB_L00017282 L0001F78B: mov al,69h jmp L0001F793 L0001F78F: mov al,[esp+24h] L0001F793: pop edi pop esi pop ebp pop ebx pop ecx retn 0010h ;------------------------------------------------------------------------------ Align 4 SUB_L0001F79C: push ebp mov ebp,esp push ecx push ecx mov al,[ebp+10h] neg al push esi mov esi,ecx sbb eax,eax and eax,00F00000h add eax,FF00FFFFh and byte ptr [ebp-04h],00h mov [ebp-08h],eax L0001F7BC: push 00000001h push 00000000h push 00000000h mov ecx,esi call SUB_L0001E9F2 push [ebp-04h] mov ecx,esi push [ebp+0Ch] push [ebp+08h] call SUB_L0001EE80 mov eax,[esi+04h] add eax,0000009Ch push eax call SUB_L00017282 or eax,00000020h push eax mov ecx,esi call SUB_L0001E56A push 00000001h mov ecx,esi call SUB_L0001E5AC and eax,[ebp-08h] mov ecx,esi push eax push 00000001h call SUB_L0001E5C4 push 00000001h mov ecx,esi call SUB_L0001E5AC push [ebp-04h] mov ecx,esi push [ebp+0Ch] push [ebp+08h] call SUB_L0001EEB6 cmp byte ptr [esi+26h],00h mov [ebp+13h],al jnz L0001F84D inc [ebp-04h] mov al,[ebp-04h] cmp al,[esi+000000B3h] jc L0001F7BC push [ebp+0Ch] mov ecx,esi push [ebp+08h] call SUB_L0001EFFE mov al,[ebp+13h] L0001F848: pop esi leave retn 000Ch ;------------------------------------------------------------------------------ L0001F84D: mov al,86h jmp L0001F848 Align 2 SUB_L0001F852: push ebp mov ebp,esp sub esp,0000002Ch and byte ptr [ebp-05h],00h push ebx push esi mov esi,ecx mov eax,[esi+04h] push edi mov di,[esi+000000C0h] mov ebx,0000009Ch add eax,ebx 
push eax mov dword ptr [ebp-14h],01D90301h mov dword ptr [ebp-10h],DF0218FFh mov dword ptr [ebp-0Ch],00002001h call SUB_L00017282 and eax,FF7FFFFFh push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,ebx push eax call SUB_L00017282 L0001F8A5: push 00000001h push [ebp-05h] mov ecx,esi push edi push 00000000h call SUB_L0001F42C cmp al,68h jz L0001F8D2 cmp al,86h jz L0001F9BD inc [ebp-05h] test al,al jz L0001F8DE mov cl,[ebp-05h] cmp cl,[esi+000000B3h] jc L0001F8A5 L0001F8D2: test al,al jz L0001F8DE cmp al,68h jnz L0001F9BD L0001F8DE: and byte ptr [ebp-01h],00h xor edi,edi mov ebx,00000100h jmp L0001F8FC L0001F8EB: push FFFFFF9Ch call SUB_L0001A17A cmp byte ptr [esi+26h],00h jnz L0001F98E L0001F8FC: mov eax,[esi+04h] add eax,00000098h push eax call SUB_L00017282 test ebx,eax mov ecx,esi jnz L0001F8EB mov eax,edi shl eax,02h push eax call SUB_L0001A090 cmp di,0002h jz L0001F927 cmp di,0042h jnz L0001F92C L0001F927: and eax,0000FFFFh L0001F92C: test di,di jz L0001F93D cmp di,0001h jz L0001F93D cmp di,0002h jnz L0001F944 L0001F93D: movzx ecx,di mov [ebp+ecx*4-2Ch],eax L0001F944: cmp di,0040h jz L0001F956 cmp di,0041h jz L0001F956 cmp di,0042h jnz L0001F960 L0001F956: movzx ecx,di mov [ebp+ecx*4-00000120h],eax L0001F960: inc edi cmp di,0080h jc L0001F8FC xor ecx,ecx xor dl,dl L0001F96C: cmp byte ptr [ebp-01h],00h jnz L0001F99F movzx eax,cx movzx edi,dl add edi,eax mov edi,[ebp+edi*4-2Ch] cmp edi,[ebp+eax*4-14h] jz L0001F998 test dl,dl jz L0001F992 mov byte ptr [ebp-01h],6Eh jmp L0001F999 L0001F98E: mov al,86h jmp L0001F9BD L0001F992: mov dl,03h xor ecx,ecx jmp L0001F999 L0001F998: inc ecx L0001F999: cmp cx,0003h jc L0001F96C L0001F99F: mov eax,[esi+04h] add eax,0000009Ch push eax call SUB_L00017282 or eax,00800000h push eax mov ecx,esi call SUB_L0001E56A mov al,[ebp-01h] L0001F9BD: pop edi pop esi pop ebx leave retn ;------------------------------------------------------------------------------ SUB_L0001F9C2: push ebx push ebp mov ebp,[esp+0Ch] push esi xor 
ebx,ebx push ebx push [esp+18h] mov esi,ecx push ebp call SUB_L0001E6C4 push ebx push [esp+18h] mov ecx,esi push ebp call SUB_L0001EE50 push 00000001h push ebx push 00000004h mov ecx,esi call SUB_L0001E9F2 cmp al,bl jz L0001FAFE mov eax,[esi+04h] push edi push 0000FFFFh add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC mov eax,[esi+04h] mov edi,0000009Ch add eax,edi push eax call SUB_L00017282 and eax,FFFFFFEFh push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 or eax,00000080h push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 and eax,FFFFFF7Fh push eax mov ecx,esi call SUB_L0001E56A mov cl,[esi+000000B3h] or byte ptr [esi+000000CBh],FFh or byte ptr [esi+000000C2h],FFh mov eax,0000FFFFh mov [esi+000000CCh],ax mov [esi+000000CEh],ax mov [esi+000000D0h],ax mov [esi+000000D2h],cl mov [esi+000000C4h],ax mov [esi+000000C6h],ax mov [esi+000000C8h],ax mov [esi+000000CAh],bl pop edi jmp L0001FAE9 L0001FAB6: movzx eax,[esi+7Ch] movzx eax,[esi+eax*2+6Ah] push ebx push eax push ebp call SUB_L0001E6C4 movzx eax,[esi+7Ch] movzx eax,[esi+eax*2+6Ah] push ebx push eax push ebp mov ecx,esi call SUB_L0001EE50 push 00000001h push ebx push 00000004h mov ecx,esi call SUB_L0001E9F2 dec [esi+7Ch] L0001FAE9: cmp [esi+7Ch],bl mov ecx,esi jnz L0001FAB6 push 00000001h push [esp+18h] push ebp call SUB_L0001F79C mov al,6Dh L0001FAFE: pop esi pop ebp pop ebx retn 0008h ;------------------------------------------------------------------------------ SUB_L0001FB04: push ecx push ecx push ebx push ebp push esi mov esi,ecx cmp word ptr [esi+000000B4h],0200h push edi jnc L0001FB21 shl dword ptr [esp+28h],1 shl dword ptr [esi+0000010Fh],1 L0001FB21: movzx eax,[esp+20h] and byte ptr [esp+13h],00h or eax,FFFFFC00h mov [esp+14h],eax mov edi,0000009Ch mov ebx,00000080h L0001FB3E: push [esp+14h] mov ecx,esi call SUB_L0001E5E0 cmp byte ptr 
[esi+0000010Eh],01h jnz L0001FB8B mov al,[esp+28h] cmp [esi+0000010Fh],al jnz L0001FB8B push 00000001h mov ecx,esi call SUB_L0001E5AC and eax,00FFFFFFh push eax push 00000001h mov ecx,esi call SUB_L0001E5C4 and byte ptr [esi+0000010Eh],00h and byte ptr [esi+0000010Fh],00h mov ecx,esi call SUB_L0001F0C8 L0001FB8B: mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 or eax,00000020h push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 or eax,00000010h push eax mov ecx,esi call SUB_L0001E56A cmp byte ptr [esp+2Ch],00h jnz L0001FBE3 push [esp+28h] mov ecx,esi push [esp+28h] push [esp+24h] call SUB_L0001EE50 push 00000001h push 00000001h push 0000000Ch mov ecx,esi call SUB_L0001E9F2 jmp L0001FCA0 L0001FBE3: mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 and eax,FFFFFFEFh push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] push 00008100h add eax,00000010h push eax call SUB_L000172AC mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 or eax,ebx push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 and eax,FFFFFF7Fh push eax mov ecx,esi call SUB_L0001E56A push [esp+28h] mov ecx,esi push [esp+28h] push [esp+24h] call SUB_L0001EE50 xor ebp,ebp push ebp push 00000001h push 0000000Ch mov ecx,esi call SUB_L0001E9F2 jmp L0001FC6B L0001FC5A: push FFFFFF9Ch call SUB_L0001A17A cmp byte ptr [esi+26h],00h jnz L0001FCEC L0001FC6B: mov eax,[esi+04h] add eax,00000098h push eax call SUB_L00017282 test ah,01h mov ecx,esi jnz L0001FC5A mov eax,ebp shl eax,02h push eax call SUB_L0001A090 push eax mov ecx,esi call SUB_L0001E596 inc ebp cmp bp,bx jc L0001FC6B mov ecx,esi call SUB_L0001E976 L0001FCA0: test al,al mov [esp+20h],al jz L0001FCC8 mov ecx,esi call SUB_L0001F0C8 lea eax,[esi+00000090h] push eax push L0001E968 push [esi+08h] call [ntoskrnl.exe!KeSynchronizeExecution] test al,al jnz L0001FCF0 L0001FCC8: mov al,[esp+20h] inc [esp+13h] test al,al jz L0001FCDF cmp byte 
ptr [esp+13h],00h jbe L0001FB3E L0001FCDF: and byte ptr [esi+29h],00h L0001FCE3: pop edi pop esi pop ebp pop ebx pop ecx pop ecx retn 0014h ;------------------------------------------------------------------------------ L0001FCEC: mov al,86h jmp L0001FCE3 L0001FCF0: mov eax,[esi+04h] mov ebp,0000FFFFh push ebp add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 and eax,FFFFFFEFh push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 or eax,ebx push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] add eax,edi push eax call SUB_L00017282 and eax,FFFFFF7Fh push eax mov ecx,esi call SUB_L0001E56A mov al,[esi+000000B3h] or byte ptr [esi+000000CBh],FFh or byte ptr [esi+000000C2h],FFh and byte ptr [esi+000000CAh],00h mov [esi+000000CCh],bp mov [esi+000000CEh],bp mov [esi+000000D0h],bp mov [esi+000000D2h],al mov [esi+000000C4h],bp mov [esi+000000C6h],bp mov [esi+000000C8h],bp jmp L0001FDBA L0001FDA0: movzx eax,[esi+7Ch] movzx eax,[esi+eax*2+6Ah] push eax push [esp+20h] call SUB_L0001F9C2 test al,al jnz L0001FDD1 dec [esi+7Ch] L0001FDBA: cmp byte ptr [esi+7Ch],00h mov ecx,esi jnz L0001FDA0 push 00000001h push [esp+28h] push [esp+24h] call SUB_L0001F79C L0001FDD1: mov al,6Dh jmp L0001FCE3 SUB_L0001FDD8: push ebp mov ebp,esp sub esp,00000010h mov eax,[ebp+10h] and byte ptr [ebp-01h],00h push ebx push esi push edi xor edi,edi cmp byte ptr [ebp+18h],00h mov di,[eax] mov esi,ecx mov [ebp-10h],edi jz L0001FDFE cmp byte ptr [ebp+18h],80h jbe L0001FE02 L0001FDFE: mov byte ptr [ebp+18h],80h L0001FE02: mov cl,[ebp+08h] lea eax,[esi+000000DEh] cmp cl,[eax] jz L0001FE18 or word ptr [esi+000000DCh],FFFFh L0001FE18: mov [eax],cl movzx eax,cl mov ecx,[esi+000000BCh] xor edx,edx cmp di,[esi+000000DCh] mov dx,[ecx+eax*2] mov [ebp-08h],edi mov [ebp-0Ch],edx jz L0001FE55 xor cl,cl lea eax,[esi+000000B3h] cmp [eax],cl 
jbe L0001FE55 L0001FE44: movzx ebx,cl and byte ptr [ebx+esi+000000DFh],00h inc cl cmp cl,[eax] jc L0001FE44 L0001FE55: or word ptr [esi+000000DCh],FFFFh cmp di,dx mov ebx,[ebp+14h] jz L0001FE78 movzx eax,bl cmp byte ptr [eax+esi+000000DFh],00h jz L0001FE78 mov [ebp-08h],edi jmp L0001FEC4 L0001FE78: lea eax,[ebp-08h] push eax push [ebp+08h] mov ecx,esi call SUB_L0001EDE2 test al,al jnz L000200DE push [ebp-08h] mov ecx,esi call SUB_L0001A2D8 push 00000001h push [ebp-08h] mov ecx,esi push [ebp+08h] call SUB_L0001E6C4 xor cl,cl lea eax,[esi+000000B3h] cmp [eax],cl jbe L0001FEC4 L0001FEB3: movzx edx,cl inc cl mov byte ptr [edx+esi+000000DFh],01h cmp cl,[eax] jc L0001FEB3 L0001FEC4: push 00000000h push ebx push [ebp-08h] mov ecx,esi push [ebp+0Ch] push [ebp+08h] call SUB_L0001FB04 mov edx,[ebp-08h] movzx ecx,bl and byte ptr [ecx+esi+000000DFh],00h cmp dx,di mov [ebp+17h],al jz L0001FFFB test al,al jnz L00020001 cmp di,[ebp-0Ch] jz L00020016 mov al,[ebp+18h] cmp al,[esi+000000B3h] jnc L0001FF12 test al,al jnz L0001FF16 L0001FF12: test bl,bl jz L0001FF87 L0001FF16: test bl,bl jbe L0001FF36 mov edx,ecx shr ecx,02h xor eax,eax lea edi,[esi+000000DFh] rep stosd mov ecx,edx mov edx,[ebp-08h] and ecx,00000003h rep stosb mov edi,[ebp-10h] L0001FF36: mov al,bl add al,[ebp+18h] jmp L0001FF4A L0001FF3D: movzx ecx,al and byte ptr [ecx+esi+000000DFh],00h inc al L0001FF4A: cmp al,[esi+000000B3h] jc L0001FF3D lea eax,[esi+000000C6h] cmp word ptr [eax],FFFFh jnz L0001FF87 mov cl,[ebp+08h] mov [esi+000000C2h],cl mov cx,[ebp+0Ch] mov [esi+000000C4h],cx mov [eax],di mov [esi+000000C8h],dx mov [esi+000000CAh],bl mov byte ptr [ebp-01h],01h L0001FF87: movzx ecx,[ebp+18h] movzx eax,bl add ecx,eax movzx eax,[esi+000000B3h] cmp ecx,eax jge L0001FFCA mov al,[ebp+08h] add bl,[ebp+18h] mov [esi+000000CBh],al mov ax,[ebp+0Ch] mov [esi+000000CCh],ax mov [esi+000000CEh],di mov [esi+000000D0h],dx mov [esi+000000D2h],bl mov byte ptr [ebp-01h],01h L0001FFCA: cmp byte ptr [ebp-01h],00h jnz L0001FFE6 push 
edi                                        ; operand of the `push` that ends the previous source line; tail of SUB_L0001FDD8, whose body begins outside this block (not annotated)
push [ebp+08h]
mov ecx,esi
call SUB_L0001F9C2
test al,al
jz L0001FFE6
mov al,6Dh
jmp L000200DE
L0001FFE6:
push 0000FFFFh
push [ebp+0Ch]
mov ecx,esi
push [ebp+08h]
call SUB_L0001E5F6
mov edx,[ebp-08h]
L0001FFFB:
cmp byte ptr [ebp+17h],00h
jz L00020016
L00020001:
push 00000001h
push edx
push [ebp+08h]
mov ecx,esi
call SUB_L0001E6C4
mov al,[ebp+17h]
jmp L000200DE
L00020016:
mov eax,[ebp+10h]
mov [eax],dx
movzx eax,[esi+5Ch]
mov ecx,[esi+68h]
lea eax,[eax+ecx-01h]
cmp [esi+000000D8h],eax
mov [esi+000000DCh],dx
jnz L000200DC
xor bl,bl
cmp [esi+000000B3h],bl
mov [ebp+10h],bl
jbe L000200DC
L0002004B:
movzx eax,bl
cmp byte ptr [eax+esi+000000DFh],01h
jnz L000200CB
xor edi,edi
inc edi
push edi
push 00000000h
push 00000000h
mov ecx,esi
call SUB_L0001E9F2
cmp word ptr [esi+000000B4h],0200h
mov [ebp+18h],bl
jnc L0002007C
mov al,bl
shl al,1
mov [ebp+18h],al
L0002007C:
push [ebp+18h]
mov ecx,esi
push [ebp-08h]
push [ebp+08h]
call SUB_L0001EE50
push edi
push edi
push 00000009h
mov ecx,esi
call SUB_L0001E9F2
mov ecx,esi
call SUB_L0001F082
movzx eax,[ebp+0Ch]
or eax,FFFFFC00h
push eax
mov ecx,esi
call SUB_L0001E5E0
push [ebp+10h]
mov ecx,esi
push [ebp-08h]
push [ebp+08h]
call SUB_L0001EEB6
push edi
push 00000000h
push 00000000h
mov ecx,esi
call SUB_L0001E9F2
L000200CB:
inc bl
cmp bl,[esi+000000B3h]
mov [ebp+10h],bl
jc L0002004B
L000200DC:
xor al,al
L000200DE:
pop edi
pop esi
pop ebx
leave
retn 0014h
;------------------------------------------------------------------------------
; SUB_L000200E6 -- thiscall (ecx = object), stdcall cleanup of 0Ch bytes (three
; dword argument slots; only [ebp+08h] and the low word of [ebp+0Ch] are read).
; Splits the first argument into an index and two remainders, bounds-checks the
; index, then makes one call to SUB_L0001FDD8 with an in/out word.
; Returns a status byte in al: 0 on success, 82h when the computed index is out
; of range, 81h after the extra SUB_L0001EA3A call, otherwise whatever
; SUB_L0001FDD8 reported.
;
; NOTE(review): the two `idiv` instructions below divide by values read from the
; object (word at [esi+B0h], byte at [esi+B3h]) with no zero test; in kernel
; mode a #DE here is a bugcheck. [esi+B3h] is compared against 20h and 10h only
; to pick the shift amount -- any other value, including 0, is still used as the
; divisor as-is. Worth confirming how those fields are validated when the object
; is set up.
;------------------------------------------------------------------------------
Align 2
SUB_L000200E6:
push ebp
mov ebp,esp
sub esp,0000000Ch
mov eax,[ebp+08h]                          ; eax = first argument
push ebx
push esi
mov esi,ecx                                ; esi = this
mov bl,[esi+000000B3h]                     ; bl = per-object divisor byte
cmp bl,20h
push edi
jnz L00020104
shr eax,05h                                ; [esi+B3h] == 20h -> arg / 32
jmp L00020111
L00020104:
cmp bl,10h
jnz L0002010E
shr eax,04h                                ; [esi+B3h] == 10h -> arg / 16
jmp L00020111
L0002010E:
shr eax,03h                                ; anything else -> arg / 8 (the raw value is still the idiv divisor below)
L00020111:
movzx ecx,[esi+000000B0h]                  ; divisor #1: word at [esi+B0h] (accessed as a word elsewhere in this listing)
movzx eax,ax                               ; only the low 16 bits of the shifted value survive
cdq
idiv ecx                                   ; eax = quotient, edx = remainder; #DE if [esi+B0h] == 0
movzx ebx,bl
mov cl,al                                  ; cl = index, bounds-checked below
movzx eax,[ebp+08h]
mov edi,edx                                ; edi = remainder of division #1
cdq
idiv ebx                                   ; divisor #2: [esi+B3h]; #DE if it is 0; only dl is kept
cmp cl,[esi+000000ACh]                     ; unsigned bounds check of the index against [esi+ACh]
mov [ebp-04h],cl                           ; low byte only -- the whole dword is pushed later, so its upper bytes are stack residue
mov [ebp-08h],dl                           ; same for [ebp-08h]
jc L0002013E
mov al,82h                                 ; index >= [esi+ACh]: fail with 82h
jmp L0002018E
L0002013E:
push edi                                   ; remainder from division #1
push [ebp-04h]                             ; index (pushed as a dword, see note above)
mov ecx,esi
call SUB_L0001E632
mov [ebp+08h],eax                          ; reuse the argument slot as the in/out word handed to SUB_L0001FDD8
mov [ebp-0Ch],eax                          ; keep the original value to detect a change afterwards
mov ax,[ebp+0Ch]
cmp ax,0080h
mov byte ptr [ebp+0Ch],80h                 ; clamp the second argument's low byte to 80h ...
ja L00020160
mov [ebp+0Ch],al                           ; ... unless it was already <= 80h
L00020160:
xor bl,bl                                  ; bl = attempt counter
L00020162:
push [ebp+0Ch]
lea eax,[ebp+08h]
push [ebp-08h]
mov ecx,esi
push eax                                   ; &word at [ebp+08h], updated by the callee
push edi
push [ebp-04h]
call SUB_L0001FDD8
inc bl
test al,al
jz L00020195                               ; al == 0: success
test bl,bl
jbe L00020162                              ; NOTE(review): bl is already 1 here and `test` clears CF, so this back-edge is never taken -- looks like a retry loop compiled with a limit of one attempt
cmp al,81h
jnz L0002018E                              ; any other non-zero status is returned unchanged
mov ecx,esi
call SUB_L0001EA3A                         ; 81h: extra call, then 81h is still returned
mov al,81h
L0002018E:
pop edi
pop esi
pop ebx
leave
retn 000Ch
;------------------------------------------------------------------------------
L00020195:
mov eax,[ebp+08h]
cmp [ebp-0Ch],ax                           ; did SUB_L0001FDD8 change the in/out word?
jz L000201AA
push eax
push edi
push [ebp-04h]
mov ecx,esi
call SUB_L0001E5F6                         ; only then is the new value handed to SUB_L0001E5F6
L000201AA:
xor al,al                                  ; success
jmp L0002018E
;------------------------------------------------------------------------------
; SUB_L000201AE -- body continues on the next source line (not annotated here)
;------------------------------------------------------------------------------
SUB_L000201AE:
push ebp
mov ebp,esp
sub esp,00000014h
push ebx
push esi
push edi
xor edi,edi
and byte ptr [ebp-10h],00h
mov ebx,[ebp-10h]
mov esi,ecx
mov [ebp-08h],edi
mov byte ptr [ebp-01h],01h
mov [ebp-0Ch],edi
L000201CC:
mov ax,[ebp-08h]
cmp ax,[esi+000000AEh]
jnc L000204A7
mov al,[ebp-10h]
cmp al,[esi+000000ACh]
jnc L000204A7
cmp byte ptr [ebp-01h],00h
jz L00020235
cmp [esi+000000B0h],di
mov [ebp-0Ch],edi
jbe L0002021E
L000201FE:
push 0000FFFFh
push [ebp-0Ch]
mov ecx,esi
push ebx
call SUB_L0001E5F6
inc [ebp-0Ch]
mov ax,[ebp-0Ch]
cmp ax,[esi+000000B0h]
jc L000201FE
L0002021E:
movzx eax,[ebp-10h]
mov ecx,[esi+000000B8h]
or word ptr [ecx+eax*2],FFFFh
and byte ptr [ebp-01h],00h
mov [ebp-08h],edi
L00020235:
cmp byte ptr [ebp-10h],00h
mov edi,[ebp-08h]
jnz L00020251
cmp di,[esi+000000C0h]
jnz L00020251
push 00000001h
push edi
push 00000000h
jmp L000203D7
L00020251:
push edi
push ebx
mov ecx,esi
call SUB_L0001F3D4
test al,al
mov ecx,esi
push 00000001h
jz L000203A6
push edi
push ebx
call SUB_L0001E6C4
mov eax,[esi+04h]
add eax,00000098h
push eax
call SUB_L00017282
test eax,00200000h
jnz L000203DE
lea eax,[ebp-0Ch]
push eax
mov ecx,esi
call SUB_L0001EF5C
test al,al
mov edi,[ebp-0Ch]
jz L000202A3
cmp di,FFFFh
jnz L000203DE
L000202A3:
push
edi push ebx mov ecx,esi call SUB_L0001E632 cmp ax,FFFFh mov ecx,esi jz L0002039A xor eax,eax mov al,[esi+000000B3h] dec al push eax push [ebp-08h] push ebx call SUB_L0001EE80 test al,al jz L00020327 cmp al,86h jz L000204A3 push edi push ebx mov ecx,esi L000202DC: call SUB_L0001E632 xor ecx,ecx mov cl,[esi+000000B3h] dec cl push ecx push eax mov ecx,esi push ebx call SUB_L0001EE80 test al,al jnz L00020313 push [ebp-08h] L000202FC: mov ecx,esi L000202FE: push ebx call SUB_L0001F9C2 test al,al jz L000203DE mov al,6Dh jmp L000204B0 L00020313: cmp al,86h jz L000204A3 mov ecx,esi call SUB_L0001F0C8 jmp L000203DE L00020327: push 00000001h mov ecx,esi call SUB_L0001E5AC shr eax,1 and ax,03FFh cmp ax,di push edi mov ecx,esi push ebx jnz L000202DC call SUB_L0001E632 xor ecx,ecx mov cl,[esi+000000B3h] dec cl mov [ebp-14h],eax push ecx push eax push ebx mov ecx,esi call SUB_L0001EE80 test al,al jz L0002036E cmp al,86h jz L000204A3 push [ebp-08h] mov ecx,esi jmp L0002038B L0002036E: push 00000001h mov ecx,esi call SUB_L0001E5AC push [ebp-08h] shr eax,1 and ax,03FFh cmp ax,di mov ecx,esi jz L000202FE L0002038B: push edi push ebx call SUB_L0001E5F6 push [ebp-14h] jmp L000202FC L0002039A: push [ebp-08h] push edi push ebx call SUB_L0001E5F6 jmp L000203DE L000203A6: call SUB_L0001E5AC shr eax,10h push eax call SUB_L0001E71E cmp al,07h jc L000203D3 movzx eax,[ebp-10h] mov ecx,[esi+000000B8h] lea eax,[ecx+eax*2] cmp word ptr [eax],FFFFh jnz L000203CF mov [eax],di L000203CF: push 00000000h jmp L000203D5 L000203D3: push 00000001h L000203D5: push edi push ebx L000203D7: mov ecx,esi call SUB_L0001E6C4 L000203DE: inc [ebp-08h] mov ax,[ebp-08h] cmp ax,[esi+000000AEh] jnz L00020493 movzx edi,[ebp-10h] mov eax,[esi+000000B8h] mov ecx,[esi+000000BCh] and dword ptr [ebp-0Ch],00000000h shl edi,1 mov ax,[edi+eax] mov [edi+ecx],ax cmp word ptr [esi+000000B0h],0000h jbe L00020451 L0002041A: push [ebp-0Ch] mov ecx,esi push ebx call SUB_L0001E632 cmp ax,FFFFh jnz L00020441 mov eax,[esi+000000BCh] 
movzx eax,[eax+edi] push eax push [ebp-0Ch] mov ecx,esi push ebx call SUB_L0001E5F6 L00020441: inc [ebp-0Ch] mov ax,[ebp-0Ch] cmp ax,[esi+000000B0h] jc L0002041A L00020451: mov eax,[esi+000000BCh] movzx eax,[eax+edi] push 00000001h push eax push ebx mov ecx,esi call SUB_L0001E6C4 xor eax,eax inc [ebp-10h] mov cl,[ebp-10h] cmp cl,[esi+000000ACh] mov [ebp-08h],eax mov byte ptr [ebp-01h],01h jnz L00020490 push eax push eax mov ecx,esi mov byte ptr [esi+000000FFh],01h call SUB_L0001E632 mov [ebp-08h],eax L00020490: mov ebx,[ebp-10h] L00020493: cmp byte ptr [esi+000000FFh],00h jnz L000204AE xor edi,edi jmp L000201CC L000204A3: mov al,86h jmp L000204B0 L000204A7: mov byte ptr [esi+000000FFh],01h L000204AE: xor al,al L000204B0: pop edi pop esi pop ebx leave retn ;------------------------------------------------------------------------------ Align 2 SUB_L000204B6: push ebp mov ebp,esp push ecx push esi mov esi,ecx mov al,[esi+000000ACh] mov edx,[esi+000000B8h] movzx ecx,al push edi mov di,[edx+ecx*2-02h] cmp di,FFFFh jnz L000204E0 xor al,al jmp L00020595 L000204E0: dec al push ebx push edi mov ecx,esi push eax call SUB_L0001F9C2 xor ebx,ebx cmp al,bl jz L000204FE mov byte ptr [esi+00000110h],01h jmp L00020594 L000204FE: push 00000001h push ebx push ebx mov ecx,esi call SUB_L0001E9F2 xor eax,eax mov al,[esi+000000ACh] push 00000001h push ebx dec al push edi push ebx mov ecx,esi push eax call SUB_L0001FB04 cmp al,bl jnz L00020594 mov ecx,esi call SUB_L0001F082 push 00000001h push ebx push ebx mov ecx,esi call SUB_L0001E9F2 xor eax,eax mov al,[esi+000000ACh] push 00000001h dec al push ebx push edi mov ecx,esi push eax call SUB_L0001F42C cmp al,bl mov [ebp-01h],al jnz L00020594 mov ecx,esi call SUB_L0001F0C8 push 00000001h mov ecx,esi call SUB_L0001E5AC and eax,0000FFFFh cmp eax,00001001h jnz L00020591 xor eax,eax mov al,[esi+000000ACh] dec al push edi mov ecx,esi push eax call SUB_L0001F9C2 test al,al jz L0002058D mov byte ptr [esi+00000110h],01h L0002058D: mov byte ptr 
[ebp-01h],01h                              ; operand of the `mov byte ptr` that ends the previous source line; tail of SUB_L000204B6, whose body begins outside this block (not annotated)
L00020591:
mov al,[ebp-01h]
L00020594:
pop ebx
L00020595:
pop edi
pop esi
leave
retn
;------------------------------------------------------------------------------
; L0002059A -- thiscall (ecx = object), stdcall cleanup of 10h bytes (four
; dword arguments: a position or -1, a pointer to a word counter, a pointer to
; a dword counter, and a value handed through to SUB_L000200E6).
; Returns al: 0 on success, otherwise the status from SUB_L000200E6. The two
; caller counters and the object's position at [esi+D8h] are only touched on
; success.
;------------------------------------------------------------------------------
Align 2
L0002059A:
mov eax,[esp+04h]                          ; arg1
cmp eax,FFFFFFFFh
push esi
push edi
mov esi,ecx                                ; esi = this
jz L000205AD
mov [esi+000000D8h],eax                    ; arg1 != -1: reseat the position counter
L000205AD:
mov edi,[esp+10h]                          ; arg2: pointer to a word
push [esp+18h]                             ; arg4 -> third argument of SUB_L000200E6
xor eax,eax
mov ax,[edi]                               ; current word count
mov ecx,esi
push eax
push [esi+000000D8h]
call SUB_L000200E6                         ; SUB_L000200E6(this, [esi+D8h], *arg2, arg4)
test al,al
jnz L000205DD                              ; failure: return the status, counters untouched
inc [esi+000000D8h]                        ; success: advance the position ...
mov eax,[esp+14h]                          ; arg3: pointer to a dword
dec word ptr [edi]                         ; ... and decrement both caller-supplied counters
dec [eax]
xor al,al
L000205DD:
pop edi
pop esi
retn 0010h
;------------------------------------------------------------------------------
; SUB_L000205E2 -- thiscall (ecx = object), stdcall cleanup of 14h bytes (five
; dword arguments; arg3 points to a word that is read throughout and, on the
; success path, overwritten with the low word of the value SUB_L0001EDE2
; produced; arg4's low byte bounds the two SUB_L00020A7A passes; arg5 is a
; flag byte tested for zero).
; Returns al: 0 on success, 6Dh when SUB_L0001F9C2 reports non-zero, otherwise
; the first non-zero status from SUB_L0001EDE2 / SUB_L0001FB04 / SUB_L00020A7A.
;------------------------------------------------------------------------------
SUB_L000205E2:
push ebp
mov ebp,esp
push ecx                                   ; one dword local at [ebp-04h]
push edi
lea eax,[ebp-04h]
push eax                                   ; out-parameter filled by SUB_L0001EDE2
push [ebp+08h]
mov edi,ecx                                ; edi = this
call SUB_L0001EDE2
test al,al
jnz L000206AC                              ; non-zero: hand that status back (ebx/esi not yet pushed, hence the separate epilogue at L000206AC)
push ebx
mov ebx,[ebp+14h]                          ; arg4 (only bl is used below)
push esi
push 00000001h
push ebx
push [ebp-04h]
mov ecx,edi
push [ebp+0Ch]
push [ebp+08h]
call SUB_L0001FB04
test al,al
jnz L000206AA
mov esi,[ebp+10h]                          ; esi = arg3, pointer to a word
push 00000001h
xor eax,eax
mov ax,[esi]
push ebx
push 00000000h
mov ecx,edi
push eax
push [ebp-04h]
push [ebp+0Ch]
push [ebp+08h]
call SUB_L00020A7A                         ; first pass: arg5 (start) = 0, arg6 (limit) = bl
test al,al
jnz L000206AA
xor eax,eax
mov al,[edi+000000B3h]
push 00000001h
inc bl                                     ; second pass: start = bl+1, limit = [edi+B3h]
mov ecx,edi
push eax
xor eax,eax
mov ax,[esi]
push ebx
mov ebx,[ebp-04h]                          ; ebx = value from SUB_L0001EDE2; its low word is published to *arg3 below
push eax
push ebx
push [ebp+0Ch]
push [ebp+08h]
call SUB_L00020A7A
test al,al
jnz L000206AA
cmp [ebp+18h],al                           ; al == 0 here, so this tests whether the arg5 byte is zero
jnz L0002067B
push ebx
push [ebp+0Ch]
mov ecx,edi
push [ebp+08h]
call SUB_L0001E5F6                         ; only when arg5 == 0
L0002067B:
xor eax,eax
mov ax,[esi]
mov ecx,edi
push eax
push [ebp+08h]
call SUB_L0001F9C2
test al,al
jz L00020693
mov al,6Dh                                 ; SUB_L0001F9C2 non-zero -> 6Dh
jmp L000206AA
L00020693:
xor eax,eax
mov ax,[esi]
push 00000001h
mov ecx,edi
push eax
push [ebp+08h]
call SUB_L0001E6C4
mov [esi],bx                               ; publish the new value through arg3
xor al,al
L000206AA:
pop esi
pop ebx
L000206AC:
pop edi
leave
retn 0014h
;------------------------------------------------------------------------------
; SUB_L000206B2 -- thiscall (ecx = object), stdcall cleanup of 0Ch bytes.
; Waits until the byte at [esi+FFh] is set, splits the first argument into an
; index (bounds-checked against [esi+ACh]) and two remainders, then calls
; SUB_L0001F42C once and dispatches on its status.
; Returns al: 82h (index out of range), 68h / 69h after the respective
; follow-up call, 66h / 62h / 0 passed straight through, or whatever else
; SUB_L0001F42C returned.
;
; NOTE(review): the loop at L000206C5 discards SUB_L000201AE's return value and
; spins until [esi+FFh] becomes non-zero. SUB_L000201AE's 86h exit (L000204A3
; in this listing) returns without writing that byte, so a persistent 86h would
; keep this loop running. Worth confirming that condition cannot persist.
; Same unchecked-divisor caveat as SUB_L000200E6: [esi+B0h] and [esi+B3h] feed
; `idiv` without a zero test.
;------------------------------------------------------------------------------
Align 2
SUB_L000206B2:
push ebp
mov ebp,esp
sub esp,0000000Ch
push ebx
push esi
mov esi,ecx                                ; esi = this
push edi
lea edi,[esi+000000FFh]                    ; edi = &flag byte at [esi+FFh]
jmp L000206CC
L000206C5:
mov ecx,esi
call SUB_L000201AE                         ; return value ignored
L000206CC:
cmp byte ptr [edi],00h
jz L000206C5                               ; loop until [esi+FFh] != 0 (see NOTE above)
mov al,[esi+000000B3h]
cmp al,20h
jnz L000206E3
mov eax,[ebp+08h]
shr eax,05h                                ; [esi+B3h] == 20h -> arg / 32
jmp L000206F2
L000206E3:
cmp al,10h
mov eax,[ebp+08h]
jnz L000206EF
shr eax,04h                                ; [esi+B3h] == 10h -> arg / 16
jmp L000206F2
L000206EF:
shr eax,03h                                ; anything else -> arg / 8
L000206F2:
movzx ecx,[esi+000000B0h]
movzx eax,ax
cdq
idiv ecx                                   ; #DE if [esi+B0h] == 0
movzx ecx,[esi+000000B3h]
mov bl,al                                  ; bl = index
movzx eax,[ebp+08h]
mov [ebp-04h],edx                          ; remainder #1
cdq
idiv ecx                                   ; #DE if [esi+B3h] == 0
cmp bl,[esi+000000ACh]                     ; unsigned bounds check of the index
mov [ebp-0Ch],bl                           ; low byte only ...
mov [ebp-08h],dl                           ; remainder #2, low byte only
jc L00020724
mov al,82h                                 ; out of range
jmp L0002079B
L00020724:
push [ebp-04h]
mov edi,[ebp-0Ch]                          ; ... so the upper three bytes of edi are stack residue; callees are expected to consume only the low byte
push edi
mov ecx,esi
call SUB_L0001E632
and byte ptr [ebp+0Bh],00h                 ; attempt counter kept in the high byte of the arg1 slot
mov [ebp-0Ch],eax
L00020739:
push 00000000h
push [ebp-08h]
mov ecx,esi
push [ebp-0Ch]
push edi
call SUB_L0001F42C
cmp al,66h
jz L0002079B                               ; 66h / 62h: returned unchanged
cmp al,62h
jz L0002079B
cmp al,68h
jz L00020768
cmp al,69h
jz L00020780
inc [ebp+0Bh]
test al,al
jz L0002079B                               ; 0: success
cmp byte ptr [ebp+0Bh],00h
jbe L00020739                              ; counter is 1 after the first pass, so this never loops back (single attempt, as in SUB_L000200E6)
jmp L0002079B
L00020768:
push 00000000h
push [ebp-08h]
lea eax,[ebp-0Ch]
push eax
push [ebp-04h]
mov ecx,esi
push edi
call SUB_L000205E2                         ; 68h: SUB_L000205E2's own status is discarded; 68h is returned regardless
mov al,68h
jmp L0002079B
L00020780:
mov ecx,[esi+000000BCh]
movzx eax,bl
movzx eax,[ecx+eax*2]                      ; word table at [esi+BCh], indexed by bl
push eax
push [ebp-04h]
mov ecx,esi
push edi
call SUB_L0001E5F6
mov al,69h
L0002079B:
pop edi
pop esi
pop ebx
leave
retn 000Ch
;------------------------------------------------------------------------------
; SUB_L000207A2 -- body continues on the next source line (not annotated here)
;------------------------------------------------------------------------------
SUB_L000207A2:
push ebp
mov ebp,esp
sub esp,00000010h
movzx eax,[ebp+1Ch]
push ebx
mov bl,[ebp+18h]
push esi
mov esi,ecx
movzx ecx,bl
sub eax,ecx
push edi
mov [ebp-10h],eax
mov edi,0000FFFFh
L000207C1:
and byte ptr [ebp-01h],00h
mov [ebp-0Ch],eax
mov eax,[esi+04h]
push edi
add eax,00000018h
push eax
mov [ebp-05h],bl
call SUB_L000172AC
mov eax,[esi+04h]
push 00000001h
add eax,00000024h
push eax
call SUB_L000172AC
mov eax,[esi+04h]
and byte ptr [esi+27h],00h
push 00000005h
add eax,00000014h
push eax
call SUB_L000172AC
mov eax,[esi+04h]
push [esi+00000084h]
add eax,0000000Ch
push eax
call
SUB_L0001729C xor eax,eax mov ah,[ebp-0Ch] or eax,00000001h push eax mov eax,[esi+04h] add eax,00000010h push eax call SUB_L000172AC mov al,[ebp+1Ch] cmp [ebp+18h],al jnc L00020901 L0002082B: cmp byte ptr [ebp-01h],00h jnz L00020875 push 00000000h push [ebp-05h] mov ecx,esi push [ebp+14h] push [ebp+08h] call SUB_L0001F42C cmp al,69h mov [ebp-01h],al jnz L0002085B and byte ptr [ebp-01h],00h mov byte ptr [esi+0000010Eh],01h mov [esi+0000010Fh],bl L0002085B: cmp byte ptr [ebp-01h],66h jz L00020867 cmp byte ptr [ebp-01h],62h jnz L0002086B L00020867: and byte ptr [ebp-01h],00h L0002086B: inc bl cmp bl,[ebp+1Ch] mov [ebp-05h],bl jc L0002082B L00020875: cmp byte ptr [ebp-01h],68h jnz L000208F7 dec bl push 00000001h lea eax,[ebp+14h] mov ecx,esi push ebx push eax push [ebp+0Ch] push [ebp+08h] call SUB_L000205E2 test al,al jnz L00020A6E cmp byte ptr [ebp+20h],00h lea eax,[esi+000000C6h] jz L000208BE mov dx,[eax] lea ecx,[esi+000000CEh] cmp dx,[ecx] jnz L000208CA mov edx,[ebp+14h] mov [eax],dx mov [ecx],dx jmp L000208D1 L000208BE: mov cx,[eax] cmp cx,[esi+000000CEh] jnz L000208D1 L000208CA: mov cx,[ebp+14h] mov [eax],cx L000208D1: mov eax,[esi+04h] push edi add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC mov eax,[ebp-10h] mov bl,[ebp+18h] jmp L000207C1 L000208F7: cmp byte ptr [ebp-01h],00h jnz L000209CF L00020901: mov ebx,[ntoskrnl.exe!KeSynchronizeExecution] jmp L00020923 L00020909: push FFF0BDC0h lea eax,[esi+48h] push eax mov ecx,esi call SUB_L0001A23A cmp byte ptr [esi+26h],00h jnz L00020A75 L00020923: lea eax,[esi+20h] push eax push L00018364 push [esi+08h] call ebx test al,al jz L00020909 lea eax,[esi+20h] push eax push L000183B6 push [esi+08h] call ebx mov eax,[esi+04h] push edi add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000005h add eax,00000014h push eax call SUB_L000172AC mov 
eax,[esi+04h] push [esi+00000084h] add eax,0000000Ch push eax call SUB_L0001729C xor eax,eax mov ah,[ebp-0Ch] or eax,00008001h push eax mov eax,[esi+04h] add eax,00000010h push eax call SUB_L000172AC mov al,[ebp+18h] cmp al,[ebp+1Ch] mov [ebp-05h],al jnc L00020A11 L000209A0: cmp byte ptr [ebp-01h],00h jnz L000209CF push 00000000h push [ebp-05h] mov ecx,esi push [ebp+10h] push [ebp+0Ch] push [ebp+08h] call SUB_L0001FB04 inc [ebp-05h] mov [ebp-01h],al mov al,[ebp-05h] cmp al,[ebp+1Ch] jc L000209A0 cmp byte ptr [ebp-01h],00h jz L00020A11 L000209CF: mov eax,[esi+04h] add eax,00000008h push eax call SUB_L0001728E mov eax,[esi+04h] push edi add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000002h add eax,00000010h push eax call SUB_L000172AC mov al,[ebp-01h] jmp L00020A6E L000209FB: push FFF0BDC0h lea eax,[esi+48h] push eax mov ecx,esi call SUB_L0001A23A cmp byte ptr [esi+26h],00h jnz L00020A75 L00020A11: lea eax,[esi+20h] push eax push L00018364 push [esi+08h] call ebx test al,al jz L000209FB lea eax,[esi+20h] push eax push L000183B6 push [esi+08h] call ebx mov eax,[esi+04h] push edi add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC lea eax,[esi+0000010Eh] cmp byte ptr [eax],01h jz L00020A62 mov cl,[ebp-05h] cmp [esi+0000010Fh],cl jnz L00020A6C L00020A62: and byte ptr [eax],00h and byte ptr [esi+0000010Fh],00h L00020A6C: xor al,al L00020A6E: pop edi pop esi pop ebx leave retn 001Ch ;------------------------------------------------------------------------------ L00020A75: mov al,86h jmp L00020A6E Align 2 SUB_L00020A7A: push ebp mov ebp,esp push ecx push ebx push esi push edi mov edi,[ebp+14h] mov esi,ecx L00020A86: mov bl,[ebp+18h] mov [ebp-04h],bl L00020A8C: cmp bl,[ebp+1Ch] jnc L00020B78 push 00000001h push [ebp-04h] mov ecx,esi push edi push [ebp+08h] call SUB_L0001F42C cmp al,69h jnz L00020AB8 mov byte ptr [esi+0000010Eh],01h mov [esi+0000010Fh],bl xor al,al L00020AB8: 
cmp al,68h jz L00020AF3 cmp al,66h jz L00020AC4 cmp al,62h jnz L00020AC6 L00020AC4: xor al,al L00020AC6: test al,al jnz L00020B54 push 00000001h push [ebp-04h] mov ecx,esi push [ebp+10h] push [ebp+0Ch] push [ebp+08h] call SUB_L0001FB04 inc bl test al,al mov [ebp-04h],bl jz L00020A8C mov al,65h jmp L00020BB6 L00020AF3: push 00000001h push [ebp-04h] lea eax,[ebp+14h] push eax push [ebp+0Ch] mov ecx,esi push [ebp+08h] call SUB_L000205E2 test al,al jnz L00020BB6 cmp [ebp+20h],al mov edi,[ebp+14h] lea eax,[esi+000000C6h] jz L00020B3C mov dx,[eax] lea ecx,[esi+000000CEh] cmp dx,[ecx] mov [eax],di jnz L00020A86 mov [ecx],di jmp L00020A86 L00020B3C: mov cx,[eax] cmp cx,[esi+000000CEh] jnz L00020A86 mov [eax],di jmp L00020A86 L00020B54: cmp al,69h jnz L00020B74 movzx eax,[ebp+08h] mov ecx,[esi+000000BCh] movzx eax,[ecx+eax*2] push eax push [ebp+0Ch] mov ecx,esi push [ebp+08h] call SUB_L0001E5F6 L00020B74: mov al,64h jmp L00020BB6 L00020B78: mov eax,[esi+04h] push 0000FFFFh add eax,00000018h push eax call SUB_L000172AC mov eax,[esi+04h] push 00000001h add eax,00000024h push eax call SUB_L000172AC lea eax,[esi+0000010Eh] cmp byte ptr [eax],01h jz L00020BAA cmp [esi+0000010Fh],bl jnz L00020BB4 L00020BAA: and byte ptr [eax],00h and byte ptr [esi+0000010Fh],00h L00020BB4: xor al,al L00020BB6: pop edi pop esi pop ebx leave retn 001Ch ;------------------------------------------------------------------------------ Align 2 L00020BBE: push ebx push ebp push esi mov esi,ecx mov eax,[esi+04h] mov ebp,0000009Ch push 03FB8004h add eax,ebp push eax call SUB_L0001729C mov eax,[esi+04h] add eax,ebp push eax call SUB_L00017282 mov eax,[esi+04h] push 00000007h add eax,00000084h push eax call SUB_L0001729C mov ecx,esi call SUB_L0001EA3A mov ecx,esi call SUB_L0001EAD2 xor bl,bl cmp al,bl jnz L00020D31 mov ecx,esi call SUB_L0001EA7C cmp al,bl jnz L00020D31 mov ecx,esi call SUB_L0001EC0A cmp al,bl jnz L00020D31 mov ecx,esi call SUB_L0001F20A cmp al,bl jnz L00020D31 mov ecx,esi call SUB_L0001F136 
cmp al,bl jnz L00020D31 mov ecx,esi call SUB_L0001F0F0 cmp ax,0017h mov [esi+000000C0h],ax jbe L00020C6C cmp [esi+26h],bl setz al dec al and al,18h add al,6Eh jmp L00020D31 L00020C6C: push edi lea edi,[esi+0000010Ch] mov ecx,esi mov byte ptr [edi],01h call SUB_L0001F852 cmp al,bl mov [edi],bl jnz L00020D30 mov ecx,esi call SUB_L0001A29E mov ecx,esi mov [esi+000000FFh],bl call SUB_L000201AE cmp al,bl jnz L00020D30 mov eax,[esi+04h] add eax,ebp push eax call SUB_L00017282 or eax,00000010h push eax mov ecx,esi call SUB_L0001E56A mov eax,[esi+04h] push 00000008h pop edi add eax,edi push eax call SUB_L0001728E test ah,02h jz L00020CEB L00020CCC: mov eax,[esi+04h] add eax,edi push eax call SUB_L0001728E mov eax,[esi+04h] add eax,000000A8h push eax call SUB_L00017282 mov byte ptr [esi+25h],01h jmp L00020D23 L00020CEB: mov ecx,esi call SUB_L000204B6 test al,al jnz L00020D07 lea eax,[esi+00000110h] cmp byte ptr [eax],01h jnz L00020CCC mov [eax],bl mov al,6Dh jmp L00020D30 L00020D07: mov eax,[esi+04h] add eax,edi push eax call SUB_L0001728E mov eax,[esi+04h] add eax,000000A8h push eax call SUB_L00017282 mov [esi+25h],bl L00020D23: mov ecx,esi call SUB_L0001EDCE mov byte ptr [esi+24h],01h xor al,al L00020D30: pop edi L00020D31: pop esi pop ebp pop ebx retn ;------------------------------------------------------------------------------ Align 2 L00020D36: push ebp mov ebp,esp sub esp,00000014h and byte ptr [ebp-01h],00h push ebx push esi push edi mov esi,ecx jmp L00020E7D L00020D4A: xor ebx,ebx mov bl,[esi+000000CAh] mov ecx,esi push ebx call SUB_L0001E9D4 mov [ebp-02h],al mov eax,[esi+00000088h] cmp eax,FFFFFFFFh jz L00020E0F cmp word ptr [esi+000000B4h],0200h jc L00020E0F lea edx,[eax+eax] xor cl,cl shr edx,0Ah cmp [ebp-02h],cl mov [ebp-03h],dl mov [ebp-10h],cl mov [ebp-0Ch],bl jbe L00020E45 jmp L00020D9A L00020D97: mov dl,[ebp-03h] L00020D9A: cmp byte ptr [ebp-01h],00h jnz L00020E4B mov al,[esi+000000CAh] cmp al,dl ja L00020DB7 and byte ptr [ebp-10h],00h mov [ebp-0Ch],al jmp 
L00020DC9 L00020DB7: cmp bl,dl jnc L00020DC0 add [ebp-0Ch],bl jmp L00020DC9 L00020DC0: add cl,dl sub al,cl mov [ebp-0Ch],cl mov bl,al L00020DC9: xor eax,eax mov ax,[esi+000000C6h] push 00000001h push [ebp-0Ch] mov ecx,esi push [ebp-10h] push eax xor eax,eax mov ax,[esi+000000C8h] push eax xor eax,eax mov ax,[esi+000000C4h] push eax xor eax,eax mov al,[esi+000000C2h] push eax call SUB_L000207A2 dec [ebp-02h] mov cl,[ebp-0Ch] mov [ebp-01h],al mov [ebp-10h],cl jnz L00020D97 jmp L00020E45 L00020E0F: xor eax,eax mov ax,[esi+000000C6h] push 00000001h push ebx push 00000000h mov ecx,esi push eax xor eax,eax mov ax,[esi+000000C8h] push eax xor eax,eax mov ax,[esi+000000C4h] push eax xor eax,eax mov al,[esi+000000C2h] push eax call SUB_L00020A7A mov [ebp-01h],al L00020E45: cmp byte ptr [ebp-01h],00h jz L00020E95 L00020E4B: mov al,[ebp-01h] cmp al,6Dh jnz L000210A1 lea eax,[ebp-08h] push eax xor eax,eax mov al,[esi+000000C2h] mov ecx,esi push eax call SUB_L0001EDE2 test al,al jnz L000210A5 mov ax,[ebp-08h] mov [esi+000000C8h],ax L00020E7D: mov byte ptr [esi+28h],01h cmp word ptr [esi+000000C6h],FFFFh jnz L00020D4A jmp L00021015 L00020E95: xor eax,eax mov ax,[esi+000000C6h] cmp [esi+000000CEh],ax jz L00021015 push eax xor eax,eax mov al,[esi+000000C2h] mov ecx,esi push eax call SUB_L0001F9C2 test al,al jnz L00021044 jmp L00021015 L00020EC9: mov bl,[esi+000000D2h] xor eax,eax mov al,[esi+000000B3h] sub al,bl mov ecx,esi mov [ebp-14h],al push eax call SUB_L0001E9D4 cmp dword ptr [esi+00000088h],FFFFFFFFh mov [ebp-02h],al jz L00020FA0 cmp word ptr [esi+000000B4h],0200h jc L00020FA0 test al,al mov cl,[ebp-14h] mov [ebp-04h],cl mov cl,bl mov [ebp-10h],cl jbe L00020FDD L00020F16: cmp byte ptr [ebp-01h],00h jnz L00020FE3 mov dl,[esi+000000D2h] mov al,[esi+000000B3h] movzx edi,dl movzx ebx,al sub ebx,edi movzx edi,[ebp-03h] cmp ebx,edi jg L00020F44 mov [ebp-10h],dl L00020F3F: mov [ebp-0Ch],al jmp L00020F56 L00020F44: mov dl,[ebp-03h] cmp [ebp-04h],dl jc L00020F3F add cl,dl sub al,cl 
mov [ebp-0Ch],cl mov [ebp-04h],al L00020F56: xor eax,eax mov ax,[esi+000000CEh] push 00000000h push [ebp-0Ch] mov ecx,esi push [ebp-10h] push eax xor eax,eax mov ax,[esi+000000D0h] push eax xor eax,eax mov ax,[esi+000000CCh] push eax xor eax,eax mov al,[esi+000000CBh] push eax call SUB_L000207A2 dec [ebp-02h] mov cl,[ebp-0Ch] mov [ebp-01h],al mov [ebp-10h],cl jnz L00020F16 jmp L00020FDD L00020FA0: xor eax,eax mov al,[esi+000000B3h] push 00000000h mov ecx,esi push eax xor eax,eax mov ax,[esi+000000CEh] push ebx push eax xor eax,eax mov ax,[esi+000000D0h] push eax xor eax,eax mov ax,[esi+000000CCh] push eax xor eax,eax mov al,[esi+000000CBh] push eax call SUB_L00020A7A mov [ebp-01h],al L00020FDD: cmp byte ptr [ebp-01h],00h jz L00021026 L00020FE3: mov al,[ebp-01h] cmp al,6Dh jnz L000210A1 lea eax,[ebp-08h] push eax xor eax,eax mov al,[esi+000000CBh] mov ecx,esi push eax call SUB_L0001EDE2 test al,al jnz L000210A5 mov ax,[ebp-08h] mov [esi+000000D0h],ax L00021015: cmp word ptr [esi+000000CEh],FFFFh jnz L00020EC9 jmp L00021076 L00021026: xor eax,eax mov ax,[esi+000000CEh] mov ecx,esi push eax xor eax,eax mov al,[esi+000000CBh] push eax call SUB_L0001F9C2 test al,al jz L00021048 L00021044: mov al,6Dh jmp L000210A5 L00021048: mov al,[esi+000000B3h] or byte ptr [esi+000000CBh],FFh or word ptr [esi+000000CCh],FFFFh or word ptr [esi+000000CEh],FFFFh or word ptr [esi+000000D0h],FFFFh mov [esi+000000D2h],al L00021076: or byte ptr [esi+000000C2h],FFh or word ptr [esi+000000C4h],FFFFh or word ptr [esi+000000C6h],FFFFh or word ptr [esi+000000C8h],FFFFh and byte ptr [esi+000000CAh],00h xor al,al L000210A1: and byte ptr [esi+28h],00h L000210A5: pop edi pop esi pop ebx leave retn ;------------------------------------------------------------------------------ L000210AA: mov eax,[esp+04h] cmp eax,FFFFFFFFh push esi push edi mov esi,ecx jz L000210BD mov [esi+000000D4h],eax L000210BD: mov eax,[esi+60h] cmp eax,FFFFFFFFh jz L000210CF or dword ptr [esi+60h],FFFFFFFFh mov 
[esi+000000D4h],eax                        ; operand of the `mov` that ends the previous source line; tail of L000210AA, whose body begins outside this block (not annotated)
L000210CF:
mov edi,[esp+10h]
push [esp+18h]
xor eax,eax
mov ax,[edi]
mov ecx,esi
push eax
push [esi+000000D4h]
call SUB_L000206B2
test al,al
jnz L000210FF
inc [esi+000000D4h]
mov eax,[esp+14h]
dec word ptr [edi]
dec [eax]
xor al,al
L000210FF:
pop edi
pop esi
retn 0010h
;------------------------------------------------------------------------------
; SUB_L00021104 -- stub: returns 0 in eax and discards one dword argument.
;------------------------------------------------------------------------------
SUB_L00021104:
xor eax,eax
retn 0004h
;------------------------------------------------------------------------------
; SUB_L0002110A -- stub: returns 1 in al and discards two dword arguments.
; NOTE(review): an unconditional "yes"; what it gates is not visible in this
; listing -- check the call sites.
;------------------------------------------------------------------------------
Align 2
SUB_L0002110A:
mov al,01h
retn 0008h
;------------------------------------------------------------------------------
; Import thunks: each is a single indirect jump through the IAT entry.
;------------------------------------------------------------------------------
Align 4
jmp_ntoskrnl.exe!DbgPrint:
jmp [ntoskrnl.exe!DbgPrint]
jmp_ntoskrnl.exe!IoQueueWorkItem:
jmp [ntoskrnl.exe!IoQueueWorkItem]
jmp_ntoskrnl.exe!IoAllocateWorkItem:
jmp [ntoskrnl.exe!IoAllocateWorkItem]
jmp_ntoskrnl.exe!IoFreeWorkItem:
jmp [ntoskrnl.exe!IoFreeWorkItem]
;------------------------------------------------------------------------------
; SUB_L00021128 -- instruction for instruction this matches the MSVC CRT
; __SEH_prolog helper (frame-based x86 SEH with _except_handler3):
;   * pushes the handler and the current fs:[0] head, then links the new
;     registration record into fs:[0];
;   * builds the frame: ebp -> saved ebp, esp lowered by the caller-supplied
;     frame size, ebx/esi/edi saved, a snapshot of esp stored at [ebp-18h];
;   * re-pushes the caller's return address so the final `retn` resumes in
;     the caller;
;   * sets the trylevel slot [ebp-04h] to -1 (outside any __try) and moves
;     the scope-table pointer into [ebp-08h].
; Compiler-generated, not driver logic. The registration record lives on the
; stack, so a frame corruption in the caller also corrupts the handler chain.
;------------------------------------------------------------------------------
SUB_L00021128:
push jmp_ntoskrnl.exe!_except_handler3     ; handler address (thunk to the ntoskrnl import)
mov eax,fs:[00000000h]
push eax                                   ; previous registration record
mov fs:[00000000h],esp                     ; link this record in
mov eax,[esp+10h]                          ; caller-pushed frame size
mov [esp+10h],ebp
lea ebp,[esp+10h]
sub esp,eax                                ; locals
push ebx
push esi
push edi
mov eax,[ebp-08h]                          ; caller's return address
mov [ebp-18h],esp                          ; saved esp for the unwinder
push eax
mov eax,[ebp-04h]                          ; caller-pushed scope table
mov dword ptr [ebp-04h],FFFFFFFFh          ; trylevel = -1
mov [ebp-08h],eax
retn
;------------------------------------------------------------------------------
; SUB_L00021161 -- the matching __SEH_epilog: unlinks the registration record
; (fs:[0] = previous head saved at [ebp-10h]), restores ebx/esi/edi and the
; frame, then returns to the address the caller's `call` left on the stack.
;------------------------------------------------------------------------------
SUB_L00021161:
mov ecx,[ebp-10h]                          ; previous fs:[0]
mov fs:[00000000h],ecx
pop ecx                                    ; this helper's own return address
pop edi
pop esi
pop ebx
leave
push ecx
retn
;------------------------------------------------------------------------------
jmp_ntoskrnl.exe!_purecall:
jmp [ntoskrnl.exe!_purecall]
jmp_ntoskrnl.exe!_except_handler3:
jmp [ntoskrnl.exe!_except_handler3]
;------------------------------------------------------------------------------
00000002h DUP (??)
;
;
;------------------------------------------------------------------------------
; Name: page
; Virtual Address: 00021180h Virtual Size: 00001B35h
; Pointer To RawData: 00011180h Size Of RawData: 00001B80h
;
; Section named `page`, the name MSVC emits for #pragma alloc_text(PAGE, ...):
; presumably pageable code, so everything in it is expected to run at an IRQL
; low enough to take page faults (consistent with the untimed wait in
; SUB_L000211A2). The offsets used below are consistent with the 32-bit
; DEVICE_OBJECT / IRP / IO_STACK_LOCATION layouts: DeviceObject+28h =
; DeviceExtension, Irp+18h/+1Ch = IoStatus.Status/Information, Irp+23h =
; CurrentLocation, Irp+60h = Tail.Overlay.CurrentStackLocation,
; IO_STACK_LOCATION+18h = FileObject, sizeof(IO_STACK_LOCATION) = 24h.
; The byte at DeviceExtension+0Ch selects between two implementations in every
; dispatch thunk here ("mode byte" below); its meaning is not visible in this
; listing.
;------------------------------------------------------------------------------
; SUB_L00021180 -- stdcall, cleans 10h bytes (four dword slots; only the first,
; a pointer to a context block, is read). Initialises a notification event
; embedded at +08h, clears the byte at +04h and sets the dword at +00h to 1.
;------------------------------------------------------------------------------
SUB_L00021180:
push esi
mov esi,[esp+08h]                          ; esi = context block
push 00000000h                             ; State = FALSE
push 00000000h                             ; Type  = NotificationEvent (0)
lea eax,[esi+08h]
push eax                                   ; Event = ctx+08h
call [ntoskrnl.exe!KeInitializeEvent]
and byte ptr [esi+04h],00h
mov dword ptr [esi],00000001h
pop esi
retn 0010h
;------------------------------------------------------------------------------
; SUB_L000211A2 -- stdcall(ctx, arg2). Sets the byte at ctx+04h to 1, calls
; SUB_L00010774(ctx, arg2) and SUB_L00010774(ctx, 0), then blocks on the event
; at ctx+08h with no timeout (WaitReason Executive, KernelMode, non-alertable,
; Timeout = NULL): the caller does not return until that event is signalled.
;------------------------------------------------------------------------------
Align 2
SUB_L000211A2:
push esi
mov esi,[esp+08h]                          ; esi = context block (arg1)
push edi
push [esp+10h]                             ; arg2
mov byte ptr [esi+04h],01h
push esi
call SUB_L00010774
xor edi,edi
push edi                                   ; 0
push esi
call SUB_L00010774
push edi                                   ; Timeout    = NULL (wait forever)
push edi                                   ; Alertable  = FALSE
push edi                                   ; WaitMode   = KernelMode
push edi                                   ; WaitReason = Executive
add esi,00000008h
push esi                                   ; Object = ctx+08h
call [ntoskrnl.exe!KeWaitForSingleObject]
pop edi
pop esi
retn 0008h
;------------------------------------------------------------------------------
; Every DbgPrint call in this section passes a constant format string with no
; further arguments and no conversion specifiers, so there is no format-string
; exposure here.
;------------------------------------------------------------------------------
SSZ000211D2_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000211DA_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000211E2_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L000211EA -- stdcall(DeviceObject, Irp) dispatch entry. When the mode byte is
; clear it hands the IRP's file object and C0000120h (STATUS_CANCELLED) to
; SUB_L0001041E -- presumably cancelling requests that belong to that file
; object, a cleanup-style path. Either way it finishes with
; SUB_L000171FE(Irp, 0, 0), which looks like the completion helper used
; throughout this section, and returns its result.
;------------------------------------------------------------------------------
L000211EA:
push ebx
push esi
push edi
push SSZ000211D2_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
mov edi,[esp+14h]                          ; DeviceObject (the DbgPrint argument is still on the stack here)
mov eax,[edi+28h]                          ; DeviceExtension
cmp byte ptr [eax+0Ch],00h                 ; mode byte
mov ebx,[esp+18h]                          ; Irp
mov esi,[ebx+60h]                          ; current IO_STACK_LOCATION
pop ecx                                    ; drop the DbgPrint argument (flags from the cmp survive)
jz L00021219
push SSZ000211DA_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
pop ecx
jmp L00021238
L00021219:
push SSZ000211E2_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
mov eax,[edi+28h]
pop ecx
push C0000120h                             ; STATUS_CANCELLED
push [esi+18h]                             ; IO_STACK_LOCATION.FileObject
add eax,0000006Ch
push eax                                   ; DeviceExtension+6Ch
call SUB_L0001041E
L00021238:
push 00000000h
push 00000000h
push ebx
call SUB_L000171FE                         ; SUB_L000171FE(Irp, 0, 0)
pop edi
pop esi
pop ebx
retn 0008h
;------------------------------------------------------------------------------
SSZ00021248_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L00021250 -- stdcall(DeviceObject, Irp). When the mode byte is set,
; interlocked-increments the dword at DeviceExtension+54h; then
; SUB_L000171FE(Irp, 0, 0). L00021290 below is the matching decrement.
;------------------------------------------------------------------------------
L00021250:
push ebx
push esi
mov esi,[esp+0Ch]                          ; DeviceObject
mov eax,[esi+28h]                          ; DeviceExtension
xor ebx,ebx
cmp [eax+0Ch],bl
jz L00021278
push SSZ00021248_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
mov eax,[esi+28h]
pop ecx
xor ecx,ecx
add eax,00000054h
inc ecx
lock xadd [eax],ecx                        ; InterlockedIncrement(DeviceExtension+54h)
L00021278:
push ebx
push ebx
push [esp+18h]                             ; Irp
call SUB_L000171FE                         ; SUB_L000171FE(Irp, 0, 0)
pop esi
pop ebx
retn 0008h
;------------------------------------------------------------------------------
SSZ00021288_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L00021290 -- as L00021250, but interlocked-decrements DeviceExtension+54h.
;------------------------------------------------------------------------------
L00021290:
push ebx
push esi
mov esi,[esp+0Ch]                          ; DeviceObject
mov eax,[esi+28h]
xor ebx,ebx
cmp [eax+0Ch],bl
jz L000212B8
push SSZ00021288_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
mov eax,[esi+28h]
pop ecx
add eax,00000054h
or ecx,FFFFFFFFh
lock xadd [eax],ecx                        ; InterlockedDecrement(DeviceExtension+54h)
L000212B8:
push ebx
push ebx
push [esp+18h]                             ; Irp
call SUB_L000171FE
pop esi
pop ebx
retn 0008h
;------------------------------------------------------------------------------
; L000212C8 / L000212EA / L0002134C / L0002136E -- stdcall(DeviceObject, Irp)
; dispatch thunks: test the mode byte and call one of two handlers with the
; same two arguments; the callee's eax is returned as-is, and the callee must
; pop the arguments itself (no stack adjustment before `retn 0008h`).
;------------------------------------------------------------------------------
L000212C8:
mov eax,[esp+04h]                          ; DeviceObject
mov ecx,[eax+28h]
cmp byte ptr [ecx+0Ch],00h
push [esp+08h]                             ; Irp
push eax
jz L000212E1
call SUB_L000108E0                         ; mode byte set
jmp L000212E6
L000212E1:
call SUB_L00011844                         ; mode byte clear
L000212E6:
retn 0008h
;------------------------------------------------------------------------------
Align 2
L000212EA:
mov eax,[esp+04h]
mov ecx,[eax+28h]
cmp byte ptr [ecx+0Ch],00h
push [esp+08h]
push eax
jz L00021303
call SUB_L000108E0
jmp L00021308
L00021303:
call SUB_L00011D3E
L00021308:
retn 0008h
;------------------------------------------------------------------------------
Align 4
SSZ0002130C_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00021314_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L0002131C -- stdcall(DeviceObject, Irp): prints one of two messages depending
; on the mode byte, then SUB_L000171FE(Irp, 0, 0).
;------------------------------------------------------------------------------
L0002131C:
mov eax,[esp+04h]
mov eax,[eax+28h]
push ebx
xor ebx,ebx
cmp [eax+0Ch],bl
jz L00021332
push SSZ0002130C_TI_Msg_
jmp L00021337
L00021332:
push SSZ00021314_TI_Msg_
L00021337:
call jmp_ntoskrnl.exe!DbgPrint
pop ecx
push ebx
push ebx
push [esp+14h]                             ; Irp
call SUB_L000171FE
pop ebx
retn 0008h
;------------------------------------------------------------------------------
L0002134C:
mov eax,[esp+04h]
mov ecx,[eax+28h]
cmp byte ptr [ecx+0Ch],00h
push [esp+08h]
push eax
jz L00021365
call SUB_L000218C4
jmp L0002136A
L00021365:
call SUB_L00013818
L0002136A:
retn 0008h
;------------------------------------------------------------------------------
Align 2
L0002136E:
mov eax,[esp+04h]
mov ecx,[eax+28h]
cmp byte ptr [ecx+0Ch],00h
push [esp+08h]
push eax
jz L00021387
call SUB_L00014FF2
jmp L0002138C
L00021387:
call SUB_L000144C2
L0002138C:
retn 0008h
;------------------------------------------------------------------------------
Align 4
SSZ00021390_TI_Msg_: db 'TI Msg',0Ah,0
SSZ00021398_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000213A0_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L000213A8 -- stdcall(DeviceObject, Irp): two DbgPrints (the second chosen by
; the mode byte), then SUB_L000171FE(Irp, 0, 0).
;------------------------------------------------------------------------------
L000213A8:
mov eax,[esp+04h]
push ebx
push esi
mov esi,[eax+28h]                          ; DeviceExtension
push SSZ00021390_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
xor ebx,ebx
cmp [esi+0Ch],bl
pop ecx
jz L000213CA
push SSZ00021398_TI_Msg_
jmp L000213CF
L000213CA:
push SSZ000213A0_TI_Msg_
L000213CF:
call jmp_ntoskrnl.exe!DbgPrint
pop ecx
push ebx
push ebx
push [esp+18h]                             ; Irp
call SUB_L000171FE
pop esi
pop ebx
retn 0008h
;------------------------------------------------------------------------------
Align 2
SSZ000213E6_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000213EE_TI_Msg_: db 'TI Msg',0Ah,0
SSZ000213F6_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L000213FE -- stdcall(DeviceObject, Irp). Mode byte set: skip the current
; stack location (CurrentLocation++, CurrentStackLocation += 24h -- the inline
; form of IoSkipCurrentIrpStackLocation) and forward the IRP unchanged to the
; device object stored at DeviceExtension+08h via IofCallDriver, returning its
; status. Mode byte clear: SUB_L000171FE(Irp, IoStatus.Status,
; IoStatus.Information), i.e. the IRP is finished locally with whatever status
; is already in it. No completion routine is set on either path.
;------------------------------------------------------------------------------
L000213FE:
mov eax,[esp+04h]
push esi
mov esi,[eax+28h]                          ; DeviceExtension
push SSZ000213E6_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
cmp byte ptr [esi+0Ch],00h
pop ecx
jz L00021438
push SSZ000213EE_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
mov edx,[esp+10h]                          ; Irp (DbgPrint argument still on the stack)
inc [edx+23h]                              ; Irp->CurrentLocation++
add dword ptr [edx+60h],00000024h          ; Irp->Tail.Overlay.CurrentStackLocation++
pop ecx
mov ecx,[esi+08h]                          ; lower device object
call [ntoskrnl.exe!IofCallDriver]          ; fastcall: ecx = DeviceObject, edx = Irp
jmp L00021453
L00021438:
push SSZ000213F6_TI_Msg_
call jmp_ntoskrnl.exe!DbgPrint
mov eax,[esp+10h]                          ; Irp
pop ecx
push [eax+1Ch]                             ; IoStatus.Information
push [eax+18h]                             ; IoStatus.Status
push eax
call SUB_L000171FE
L00021453:
pop esi
retn 0008h
;------------------------------------------------------------------------------
; SUB_L00021458 -- stdcall(DeviceObject, Irp): IoSkipCurrentIrpStackLocation +
; IoCallDriver to the device at DeviceExtension+08h, the same as the mode-set
; path of L000213FE minus the DbgPrint. No completion routine is set, so the
; lower driver's status is returned straight through.
;------------------------------------------------------------------------------
Align 4
SUB_L00021458:
mov edx,[esp+08h]                          ; Irp
inc [edx+23h]                              ; Irp->CurrentLocation++
add dword ptr [edx+60h],00000024h          ; Irp->Tail.Overlay.CurrentStackLocation++
mov eax,[esp+04h]                          ; DeviceObject
mov eax,[eax+28h]
mov ecx,[eax+08h]                          ; lower device object
call [ntoskrnl.exe!IofCallDriver]
retn 0008h
;------------------------------------------------------------------------------
SSZ00021476_TI_Msg_: db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L0002147E -- body continues beyond this source excerpt (not annotated here)
;------------------------------------------------------------------------------
L0002147E:
mov eax,[esp+04h]
push esi
push edi
mov edi,[esp+10h]
and dword ptr [edi+18h],00000000h
mov esi,[eax+28h]
cmp dword ptr [esi+10h],00000003h
jnz L000214C0
push ebx
push edi
push eax
call SUB_L00022C48
mov ebx,eax test ebx,ebx jl L000214AB mov eax,[esi+14h] mov [esi+10h],eax jmp L000214B6 L000214AB: push SSZ00021476_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint pop ecx L000214B6: push ebx push edi call SUB_L00017220 pop ebx jmp L000214C7 L000214C0: push edi push eax call SUB_L00021458 L000214C7: pop edi pop esi retn 0008h ;------------------------------------------------------------------------------ SSZ000214CC_TI_Msg_: db 'TI Msg',0Ah,0 SSZ000214D4_TI_Msg_: db 'TI Msg',0Ah,0 L000214DC: mov eax,[esp+04h] push esi push edi mov edi,[esp+10h] and dword ptr [edi+18h],00000000h mov esi,[eax+28h] cmp dword ptr [esi+10h],00000002h jnz L00021529 push ebx push edi push eax call SUB_L00022C48 mov ebx,eax test ebx,ebx jl L00021514 push SSZ000214CC_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint mov dword ptr [esi+10h],00000001h jmp L0002151E L00021514: push SSZ000214D4_TI_Msg_ call jmp_ntoskrnl.exe!DbgPrint L0002151E: pop ecx push ebx push edi call SUB_L00017220 pop ebx jmp L00021530 L00021529: push edi push eax call SUB_L00021458 L00021530: pop edi pop esi retn 0008h ;------------------------------------------------------------------------------ Align 2 L00021536: mov eax,[esp+04h] push ebx mov ebx,[esp+0Ch] mov ecx,[ebx+60h] mov ecx,[ecx+04h] cmp word ptr [ecx+02h],0001h push esi mov esi,[eax+28h] push ebx push eax jnc L00021559 call SUB_L00021458 jmp L00021579 L00021559: call SUB_L00022C48 test eax,eax jl L00021572 mov edx,[ebx+60h] push edi push 00000010h lea edi,[esi+5Ch] mov esi,[edx+04h] pop ecx rep movsd pop edi L00021572: push eax push ebx call SUB_L00017220 L00021579: pop esi pop ebx retn 0008h ;------------------------------------------------------------------------------ L0002157E: mov ecx,[esp+08h] and dword ptr [ecx+18h],00000000h mov edx,[esp+04h] mov eax,[edx+28h] push esi mov esi,[eax+10h] push ecx push edx mov [eax+14h],esi mov dword ptr [eax+10h],00000003h call SUB_L00021458 pop esi retn 0008h 
;------------------------------------------------------------------------------
; L000215A6 — dispatch(DeviceObject, Irp): Irp->IoStatus.Status = 0; if
;   state [ext+10h] == 1 then state = 2; SUB_L00021458(DeviceObject, Irp).
;   Undone by L000214DC.  (query-stop-like; inferred)
;------------------------------------------------------------------------------
L000215A6:
        mov     ecx,[esp+08h]                       ; arg2 = Irp
        mov     edx,[esp+04h]                       ; arg1 = DeviceObject
        and     dword ptr [ecx+18h],00000000h       ; Irp->IoStatus.Status = 0
        mov     eax,[edx+28h]                       ; ext
        cmp     dword ptr [eax+10h],00000001h       ; state == 1 ?  (push keeps flags)
        push    ecx                                 ; Irp
        push    edx                                 ; DeviceObject
        jnz     L000215C4
        mov     dword ptr [eax+10h],00000002h       ; state = 2
L000215C4:
        call    SUB_L00021458                       ; pass down unchanged
        retn    0008h
;------------------------------------------------------------------------------
SSZ000215CC_TI_Msg_:    db 'TI Msg',0Ah,0
SSZ000215D4_TI_Msg_:    db 'TI Msg',0Ah,0
SSZ000215DC_TI_Msg_:    db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L000215E4 — dispatch(DeviceObject, Irp); looks like the remove-device path.
;   Frame: [ebp-04h] = next list entry, [ebp-08h] = &fast mutex (ext+114h).
;   ebx = DeviceObject, edi = Irp, esi = ext (edi/ebx are reused inside the
;   loop; the arguments are re-read from [ebp+08h]/[ebp+0Ch] afterwards).
;   Sequence: Irp->IoStatus.Status = 0; SUB_L00017266(ext);
;   SUB_L0002277A(DeviceObject, 1); state = 5; SUB_L000211A2(ext+24h, Irp)
;   (the wait gate above — blocks until its event is signalled); then under
;   ExAcquireFastMutex(ext+114h) walk the LIST_ENTRY chain headed at
;   ext+10Ch, unlinking every entry E:
;     state == 4 : re-initialise E as an empty list, clear the dword at
;                  E-60h, set the byte at E+09h — the device object at E-5Ch
;                  is NOT deleted on this path;
;     otherwise  : decrement the count at ext+100h if non-zero, DbgPrint,
;                  IoDeleteDevice([E-5Ch]).
;   So each record starts 60h bytes before its link and holds a device
;   object pointer at record+04h (child devices, presumably).  Nothing in
;   view frees the record itself.
;   Finally ExReleaseFastMutex, status = SUB_L00021458(DeviceObject, Irp),
;   DbgPrint, SUB_L00022C26(DeviceObject) — after the IRP has been passed
;   down, where a detach/delete-self step would sit — and return status.
;------------------------------------------------------------------------------
L000215E4:
        push    ebp
        mov     ebp,esp
        push    ecx                                 ; [ebp-04h] local
        push    ecx                                 ; [ebp-08h] local
        push    ebx
        mov     ebx,[ebp+08h]                       ; arg1 = DeviceObject
        push    esi
        push    edi
        mov     edi,[ebp+0Ch]                       ; arg2 = Irp
        and     dword ptr [edi+18h],00000000h       ; Irp->IoStatus.Status = 0
        mov     esi,[ebx+28h]                       ; ext
        push    esi
        call    SUB_L00017266                       ; SUB_L00017266(ext)
        push    00000001h
        push    ebx
        call    SUB_L0002277A                       ; SUB_L0002277A(DeviceObject, 1)
        push    edi                                 ; Irp
        lea     eax,[esi+24h]
        push    eax                                 ; ext+24h (sync object)
        mov     dword ptr [esi+10h],00000005h       ; state = 5
        call    SUB_L000211A2                       ; wait for outstanding work to drain
        lea     ecx,[esi+00000114h]                 ; ecx = &ext->fast mutex
        mov     [ebp-08h],ecx
        call    [HAL.dll!ExAcquireFastMutex]        ; fastcall(ecx)
        lea     eax,[esi+0000010Ch]                 ; eax = list head
        test    eax,eax
        jz      L0002169B                           ; never taken (an address); compiler artifact
        mov     ebx,[eax]                           ; ebx = head->Flink (first entry)
        mov     ecx,[ebx]
        mov     [ebp-04h],ecx                       ; next = ebx->Flink
        jmp     L00021697
L0002163A:
        mov     edi,ebx                             ; edi = current entry E
        mov     eax,[edi]                           ; E->Flink
        mov     ecx,[edi+04h]                       ; E->Blink
        mov     [ecx],eax                           ; Blink->Flink = Flink  } RemoveEntryList(E)
        mov     [eax+04h],ecx                       ; Flink->Blink = Blink  }
        cmp     dword ptr [esi+10h],00000004h       ; state == 4 ?
        jnz     L00021666
        push    SSZ000215CC_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        mov     [edi+04h],edi                       ; InitializeListHead(E)
        mov     [edi],edi
        and     dword ptr [ebx-60h],00000000h       ; record->+00h = 0
        pop     ecx
        mov     byte ptr [ebx+09h],01h              ; byte flag just after the link
        jmp     L00021689
L00021666:
        lea     eax,[esi+00000100h]                 ; &ext->count
        mov     ecx,[eax]
        test    ecx,ecx
        jbe     L00021675                           ; CF is clear after test, so jbe == jz
        dec     ecx
        mov     [eax],ecx                           ; count-- (saturating at 0)
L00021675:
        push    SSZ000215D4_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    [ebx-5Ch]                           ; record->+04h = device object
        call    [ntoskrnl.exe!IoDeleteDevice]
L00021689:
        mov     ebx,[ebp-04h]                       ; E = next
        mov     eax,[ebx]
        mov     [ebp-04h],eax                       ; next = E->Flink (read before E is unlinked)
        lea     eax,[esi+0000010Ch]                 ; head
L00021697:
        cmp     ebx,eax
        jnz     L0002163A                           ; loop until back at the head
L0002169B:
        mov     ecx,[ebp-08h]
        call    [HAL.dll!ExReleaseFastMutex]        ; fastcall(ecx)
        push    [ebp+0Ch]                           ; Irp
        push    [ebp+08h]                           ; DeviceObject
        call    SUB_L00021458                       ; pass down unchanged
        push    SSZ000215DC_TI_Msg_
        mov     esi,eax                             ; esi = status from below (push keeps eax)
        call    jmp_ntoskrnl.exe!DbgPrint
        pop     ecx
        push    [ebp+08h]
        call    SUB_L00022C26                       ; SUB_L00022C26(DeviceObject)
        pop     edi
        mov     eax,esi                             ; return the forwarded status
        pop     esi
        pop     ebx
        leave
        retn    0008h
;------------------------------------------------------------------------------
        Align 2
;------------------------------------------------------------------------------
; L000216CE — dispatch(DeviceObject, Irp); looks like the start-device path.
;   esi = Irp, edi = DeviceObject (later reused for the status), ebx = ext
;   (success path only).
;   Irp->IoStatus.Status = 0; status = SUB_L00022C48(DeviceObject, Irp).
;   status < 0  : SUB_L00017220(Irp, status).
;   status >= 0 : with S = [Irp+60h] (current stack location),
;                 a = [S+04h] ? [S+04h]+0Ch : 0,
;                 b = [S+08h] ? [S+08h]+0Ch : 0,
;                 status = SUB_L00021BE0(DeviceObject, a, b); if >= 0 then
;                 SUB_L00017250(ext, 1) and state [ext+10h] = 1;
;                 SUB_L00017220(Irp, status).
;   The +0Ch step on both Parameters pointers matches moving from a
;   CM_RESOURCE_LIST to its first PartialResourceList (IRP_MN_START_DEVICE's
;   AllocatedResources / AllocatedResourcesTranslated) — inferred from the
;   offsets only.
;------------------------------------------------------------------------------
L000216CE:
        push    esi
        mov     esi,[esp+0Ch]                       ; arg2 = Irp
        and     dword ptr [esi+18h],00000000h       ; Irp->IoStatus.Status = 0
        push    edi
        mov     edi,[esp+0Ch]                       ; arg1 = DeviceObject
        push    esi                                 ; Irp
        push    edi                                 ; DeviceObject
        call    SUB_L00022C48                       ; SUB_L00022C48(DeviceObject, Irp)
        test    eax,eax
        jge     L000216F0
        push    eax                                 ; status
        push    esi                                 ; Irp
        call    SUB_L00017220                       ; SUB_L00017220(Irp, status)
        jmp     L00021738
L000216F0:
        mov     eax,[esi+60h]                       ; S = current stack location
        mov     ecx,[eax+04h]                       ; Parameters[0]
        test    ecx,ecx                             ; (push/mov below keep flags)
        push    ebx
        mov     ebx,[edi+28h]                       ; ext
        jz      L00021703
        add     ecx,0000000Ch                       ; a = Parameters[0]+0Ch
        jmp     L00021705
L00021703:
        xor     ecx,ecx                             ; a = NULL
L00021705:
        mov     eax,[eax+08h]                       ; Parameters[1]
        test    eax,eax
        jz      L00021711
        add     eax,0000000Ch                       ; b = Parameters[1]+0Ch
        jmp     L00021713
L00021711:
        xor     eax,eax                             ; b = NULL
L00021713:
        push    eax                                 ; b
        push    ecx                                 ; a
        push    edi                                 ; DeviceObject
        call    SUB_L00021BE0                       ; SUB_L00021BE0(DeviceObject, a, b)
        mov     edi,eax                             ; edi = status (DeviceObject no longer needed)
        test    edi,edi
        jl      L00021730
        push    00000001h
        push    ebx
        call    SUB_L00017250                       ; SUB_L00017250(ext, 1)
        mov     dword ptr [ebx+10h],00000001h       ; state = 1
L00021730:
        push    edi                                 ; status
        push    esi                                 ; Irp
        call    SUB_L00017220                       ; SUB_L00017220(Irp, status)
        pop     ebx
L00021738:
        pop     edi
        pop     esi
        retn    0008h
;------------------------------------------------------------------------------
        Align 2
SSZ0002173E_TI_Msg_:    db 'TI Msg',0Ah,0
;------------------------------------------------------------------------------
; L00021746 — dispatch(DeviceObject, Irp); looks like the stop-device path.
;   ebx = Irp, edi = DeviceObject, esi = ext.
;   Irp->IoStatus.Status = 0; DbgPrint if state [ext+10h] != 2 (an
;   unexpected transition is only traced, never refused); byte [ext+1B1h] = 1;
;   SUB_L0002277A(DeviceObject, 1); state = 0; SUB_L00021458(DeviceObject,
;   Irp).  Returns the forwarded status.
;------------------------------------------------------------------------------
L00021746:
        push    ebx
        mov     ebx,[esp+0Ch]                       ; arg2 = Irp
        and     dword ptr [ebx+18h],00000000h       ; Irp->IoStatus.Status = 0
        push    esi
        push    edi
        mov     edi,[esp+10h]                       ; arg1 = DeviceObject
        mov     esi,[edi+28h]                       ; ext
        cmp     dword ptr [esi+10h],00000002h       ; state == 2 ?
        jz      L00021769
        push    SSZ0002173E_TI_Msg_
        call    jmp_ntoskrnl.exe!DbgPrint           ; trace only; no early return
        pop     ecx
L00021769:
        push    00000001h
        push    edi
        mov     byte ptr [esi+000001B1h],01h        ; [ext+1B1h] flag set
        call    SUB_L0002277A                       ; SUB_L0002277A(DeviceObject, 1)
        and     dword ptr [esi+10h],00000000h       ; state = 0
        push    ebx                                 ; Irp
        push    edi                                 ; DeviceObject
        call    SUB_L00021458                       ; pass down unchanged
        pop     edi
        pop     esi
        pop     ebx
        retn    0008h
;------------------------------------------------------------------------------
        Align 2
;------------------------------------------------------------------------------
; L0002178A — dispatch(DeviceObject, Irp); the body continues beyond this
;   chunk, so only the visible prefix is described.  Frame: one dword local
;   at [ebp-04h].  edi = DeviceObject, esi = ext.
;   Irp->IoStatus.Status = 0; SUB_L00017250(ext, 0); al = (state == 1);
;   state = 4; SUB_L0002277A(DeviceObject, <al>); then ecx = ext+114h (the
;   same fast mutex L000215E4 takes) is stored in the local and a call
;   follows, cut off by the listing boundary.
;   Note: only the low byte of the [ebp-04h] slot is written before it is
;   pushed; its upper three bytes are whatever `push ecx` reserved in the
;   prologue (the caller's ecx).  Harmless if SUB_L0002277A reads a BOOLEAN,
;   as the `push 00000001h` at the other call sites suggests — unverified.
;------------------------------------------------------------------------------
L0002178A:
        push    ebp
        mov     ebp,esp
        push    ecx                                 ; [ebp-04h] local (not initialised)
        mov     eax,[ebp+0Ch]                       ; arg2 = Irp
        and     dword ptr [eax+18h],00000000h       ; Irp->IoStatus.Status = 0
        push    ebx
        push    esi
        push    edi
        mov     edi,[ebp+08h]                       ; arg1 = DeviceObject
        mov     esi,[edi+28h]                       ; ext
        push    00000000h
        push    esi
        call    SUB_L00017250                       ; SUB_L00017250(ext, 0)
        cmp     dword ptr [esi+10h],00000001h       ; was state == 1 ?
        mov     dword ptr [esi+10h],00000004h       ; state = 4 (mov keeps flags)
        setz    al                                  ; al = (old state == 1)
        mov     [ebp-04h],al                        ; low byte of the local only
        push    [ebp-04h]                           ; pushed as a full dword
        push    edi
        call    SUB_L0002277A                       ; SUB_L0002277A(DeviceObject, al)
        lea     ecx,[esi+00000114h]                 ; &ext->fast mutex
        mov     [ebp-04h],ecx
        call                                        ; target lies beyond this listing chunk