#include <windows.h>#include <defs.h>//-------------------------------------

1. #include <windows.h>
2. #include <defs.h>
3. //-------------------------------------------------------------------------
4. // Data declarations
5. extern const WCHAR aSystemrootSyst[]; // idb
6. extern char dword_124C0[]; // idb
7. extern char dword_124D0[]; // idb
8. extern wchar_t aKernel32_dll[13]; // weak
9. // extern PBOOLEAN KdDebuggerEnabled;
10. // extern void *InitSafeBootMode; weak
11. extern int dword_12628; // weak
12. extern char byte_12630[]; // weak
13. extern _BYTE byte_12644[20]; // idb
14. extern int dword_12658; // weak
15. extern char a_text[6]; // weak
16. extern char aPage[5]; // weak
17. extern char asc_12678[2]; // weak
18. extern size_t dword_12680; // idb
19. extern int dword_12684; // weak
20. extern int dword_12688; // weak
21. extern int dword_1268C; // weak
22. extern int dword_12690; // weak
23. extern _UNKNOWN unk_12694; // weak
24. extern _UNKNOWN unk_12EB8; // weak
25. extern _UNKNOWN unk_14380; // weak
26. extern _UNKNOWN unk_14384; // weak
27. extern char byte_14390; // weak
28. extern int dword_14391; // weak
29. extern const WCHAR word_14395; // idb
30. extern const WCHAR word_1445D; // idb
31. extern const WCHAR word_14471; // idb
32. extern int dword_14539; // weak
33. extern int dword_1453D; // weak
34. extern const WCHAR SourceString; // idb
35. extern char byte_14614; // weak
36. extern char byte_14615; // weak
37. extern char byte_14616; // weak
38. extern char byte_14617; // weak
39. extern int dword_1461C; // weak
40. extern int dword_14620; // weak
41. extern int dword_14624; // weak
42. extern char byte_14628; // weak
43. extern RTL_GENERIC_TABLE Table; // idb
44. extern int dword_14654; // weak
45. extern char byte_14658; // weak
46. extern int dword_1465C; // weak
47. extern int dword_14660; // weak
48. extern char byte_14664; // weak
49. extern int dword_14668; // weak
50. extern struct _KMUTANT Mutex; // idb
51. extern int dword_1468C; // weak
52. extern int dword_14690; // weak
53. extern int dword_14694; // weak
54. extern int dword_14698; // weak
55. extern int dword_1469C; // weak
56. extern int dword_146A0; // weak
57. extern int dword_146A4; // weak
58. extern int dword_146A8; // weak
59. extern int dword_146AC; // weak
60. extern int dword_146B0; // weak
61. //-------------------------------------------------------------------------
62. // Function declarations
63. #define __thiscall __cdecl // Test compile in C mode
64. char __cdecl sub_10300();
65. void __stdcall DriverReinitializationRoutine(PDRIVER_OBJECT DriverObject, int a2, unsigned int a3);
66. NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);
67. int __stdcall sub_1048A(int a1);
68. int __cdecl sub_10542();
69. // int __usercall sub_1056C<eax>(int a1<esi>);
70. // int __userpurge sub_105A0<eax>(int a1<ebx>, SIZE_T a2<edi>, int a3<esi>, const void *a4);
71. // int __usercall sub_105E4<eax>(LSA_UNICODE_STRING *a1<ecx>, int a2<edi>, int a3<esi>);
72. ULONG __thiscall sub_10638(LSA_UNICODE_STRING *this, ULONG a2, int a3);
73. // void __userpurge sub_1076E(int a1<ebx>, PVOID *a2);
74. signed int __fastcall sub_107A2(int a1, int a2);
75. int *__cdecl sub_107E8();
76. bool __stdcall sub_10886(int a1);
77. int __stdcall sub_108BE(const char *a1);
78. int __cdecl sub_1098E();
79. // signed int __usercall sub_109B0<eax>(int a1<edi>);
80. int __cdecl sub_10A3A();
81. // int __usercall sub_10A8A<eax>(int a1<edi>, int *a2<esi>);
82. // int __usercall sub_10AE2<eax>(int a1<esi>);
83. // int __usercall sub_10B36<eax>(int a1<esi>);
84. int __thiscall sub_10B68(int this);
85. int __stdcall sub_10BA2(int, int); // weak
86. signed int __cdecl sub_10BE8();
87. // int __userpurge sub_10BEC<eax>(int a1<ebp>, int a2, int a3);
88. // signed int __usercall sub_10C22<eax>(int a1<eax>);
89. signed int __stdcall sub_10CFE(int a1, int a2);
90. // void __usercall sub_10D7E(int a1<eax>);
91. // int __usercall sub_10DA8<eax>(int a1<ecx>, int a2<edi>, int a3<esi>);
92. void __stdcall sub_10DCC(int a1, HANDLE Handle, int a3);
93. void __stdcall NotifyRoutine(int a1, HANDLE Handle, int a3);
94. // int __userpurge sub_10FC4<eax>(int result<eax>, int a2);
95. RTL_GENERIC_TABLE *__cdecl sub_10FE6();
96. // PVOID __usercall sub_11028<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>);
97. // signed int __usercall sub_11066<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>);
98. // signed int __userpurge sub_110C0<eax>(RTL_GENERIC_TABLE *a1<eax>, int *a2);
99. bool __stdcall CompareRoutine(int a1, int a2, int a3);
100. PVOID __stdcall AllocateRoutine(int a1, SIZE_T NumberOfBytes);
101. void __stdcall FreeRoutine(int a1, PVOID P);
102. // int __usercall sub_1118A<eax>(int a1<ebx>, int a2<esi>);
103. // int __userpurge sub_111B4<eax>(int a1<eax>, int a2<ebx>, int a3);
104. // signed int __userpurge sub_11242<eax>(int a1<eax>, int a2, int a3);
105. // PVOID __userpurge sub_113C2<eax>(int a1<edi>, int a2, int a3);
106. // void __userpurge sub_1141E(int a1<eax>, int a2<ecx>, int a3<ebx>, int a4, int a5);
107. void __fastcall sub_114EC(int a1, int a2, int a3, int a4, int a5);
108. LONG_PTR __stdcall sub_11522(int a1, int a2, int a3, int a4, int a5);
109. PVOID __stdcall sub_11578(int a1);
110. PVOID __stdcall sub_11598(int a1);
111. // signed int __userpurge sub_115CC<eax>(const void *a1<eax>, int a2<ebx>, int a3);
112. signed int __thiscall sub_11718(int this, int a2, const void *a3);
113. __int32 __stdcall sub_1174A(int a1, int a2);
114. // char __usercall sub_117A8<al>(WCHAR *a1<eax>, int a2<ecx>);
115. // PVOID __usercall sub_1182C<eax>(ULONG a1<esi>);
116. // int __usercall sub_11864<eax>(HANDLE *a1<edi>);
117. signed int __stdcall sub_118E2(unsigned int a1, int a2);
118. char __fastcall sub_119AE(int a1, int a2);
119. // char __usercall sub_11A08<al>(int a1<edi>);
120. // int __userpurge sub_11A4A<eax>(int a1<eax>, int a2<ebx>, unsigned int a3);
121. // const char *__usercall sub_11ABC<eax>(const char *result<eax>, int a2<ecx>);
122. int __stdcall sub_11B04(int a1, const char *a2, unsigned int a3, int a4, int a5);
123. int *__cdecl sub_11C14();
124. int __stdcall sub_11CCC(int a1);
125. char __stdcall sub_11D46(int a1, unsigned int a2);
126. // NTSTATUS __userpurge sub_11D62<eax>(LSA_UNICODE_STRING *a1<eax>, PUNICODE_STRING ValueName, int a3);
127. int __stdcall sub_11DD6(int, PUNICODE_STRING ValueName, int); // idb
128. // int __usercall sub_11EC6<eax>(char a1<al>, int a2<ecx>, unsigned int a3<esi>);
129. int __stdcall sub_11F42(int, int, HANDLE Handle); // idb
130. // int __userpurge sub_11FC0<eax>(int a1<esi>, int a2, int a3);
131. int __stdcall sub_12000(HANDLE Handle, PVOID ProcessInformation); // idb
132. // int __userpurge sub_12094<eax>(int a1<ebx>, int a2<edi>, int a3);
133. // LONG_PTR __usercall sub_120CC<eax>(PVOID Object<ecx>, LONG_PTR result<eax>);
134. int __cdecl sub_120DE(int a1);
135. int __cdecl sub_1210F(int a1, unsigned int a2);
136. // signed int __usercall sub_1216B<eax>(int a1<eax>, unsigned int a2<ebx>);
137. signed int __cdecl sub_121E1(int a1, int a2, int a3);
138. signed int __cdecl sub_122B3(int a1, unsigned int a2);
139. bool __cdecl sub_122D0(int a1, unsigned int a2, int a3, int a4);
140. // signed int __usercall sub_12323<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4);
141. signed int __cdecl sub_1236B(int a1, int a2);
142. // NTSTATUS __stdcall ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
143. // void *__cdecl memcpy(void *, const void *, size_t);
144. // void *__cdecl memset(void *, int, size_t);
145. // int _SEH_epilog(void); weak
146. int nullsub_1(); // weak
147. int nullsub_2(); // weak
148. int sub_124FE(); // weak
149. int nullsub_3(); // weak
150. // KIRQL __fastcall KfAcquireSpinLock(PKSPIN_LOCK SpinLock);
151. // KIRQL __stdcall KeGetCurrentIrql();
152. // void __fastcall KfReleaseSpinLock(PKSPIN_LOCK SpinLock, KIRQL NewIrql);
153. // NTSTATUS __stdcall ZwReadFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key);
154. // NTSTATUS __stdcall ZwClose(HANDLE Handle);
155. // NTSTATUS __stdcall ZwOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);
156. // NTSTATUS __stdcall ZwQueryInformationFile(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);
157. // BOOLEAN __stdcall PsGetVersion(PULONG MajorVersion, PULONG MinorVersion, PULONG BuildNumber, PUNICODE_STRING CSDVersion);
158. // int __cdecl stricmp(const char *, const char *);
159. // NTSTATUS __stdcall PsSetLoadImageNotifyRoutine(PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);
160. // PVOID __stdcall ExAllocatePool(POOL_TYPE PoolType, SIZE_T NumberOfBytes);
161. // void __fastcall IofCompleteRequest(PIRP Irp, CCHAR PriorityBoost);
162. // NTSTATUS __stdcall IoCreateDevice(PDRIVER_OBJECT DriverObject, ULONG DeviceExtensionSize, PUNICODE_STRING DeviceName, ULONG DeviceType, ULONG DeviceCharacteristics, BOOLEAN Exclusive, PDEVICE_OBJECT *DeviceObject);
163. // BOOLEAN __stdcall RtlDeleteElementGenericTable(PRTL_GENERIC_TABLE Table, PVOID Buffer);
164. // PKTHREAD __stdcall KeGetCurrentThread();
165. // PVOID __stdcall RtlLookupElementGenericTable(PRTL_GENERIC_TABLE Table, PVOID Buffer);
166. // void __stdcall RtlInitializeGenericTable(PRTL_GENERIC_TABLE Table, PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine, PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine, PRTL_GENERIC_FREE_ROUTINE FreeRoutine, PVOID TableContext);
167. // PVOID __stdcall RtlInsertElementGenericTable(PRTL_GENERIC_TABLE Table, PVOID Buffer, CLONG BufferSize, PBOOLEAN NewElement);
168. // WCHAR __stdcall RtlUpcaseUnicodeChar(WCHAR SourceCharacter);
169. // NTSTATUS __stdcall ZwAllocateVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG ZeroBits, PULONG AllocationSize, ULONG AllocationType, ULONG Protect);
170. // void __stdcall RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);
171. // void __stdcall IoRegisterDriverReinitialization(PDRIVER_OBJECT DriverObject, PDRIVER_REINITIALIZE DriverReinitializationRoutine, PVOID Context);
172. // void __stdcall ExFreePoolWithTag(PVOID P, ULONG Tag);
173. // void __stdcall KeInitializeMutex(PRKMUTEX Mutex, ULONG Level);
174. // LONG __stdcall KeReleaseMutex(PRKMUTEX Mutex, BOOLEAN Wait);
175. // NTSTATUS __stdcall KeWaitForSingleObject(PVOID Object, KWAIT_REASON WaitReason, KPROCESSOR_MODE WaitMode, BOOLEAN Alertable, PLARGE_INTEGER Timeout);
176. // NTSTATUS __stdcall ZwQueryValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength);
177. // NTSTATUS __stdcall ZwOpenKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
178. // int __stdcall KeUnstackDetachProcess(_DWORD); weak
179. // int __stdcall KeStackAttachProcess(_DWORD, _DWORD); weak
180. // NTSTATUS __stdcall ZwQueryInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
181. // int __stdcall ObOpenObjectByPointer(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); weak
182. // int __stdcall PsLookupProcessByProcessId(_DWORD, _DWORD); weak
183. // LONG_PTR __fastcall ObfDereferenceObject(PVOID Object);
184. // signed int __usercall sub_12A24<eax>(int a1<esi>);
185. signed int __cdecl sub_12A95(int a1);
186. // bool __usercall sub_12D37<eax>(int a1<eax>, int a2);
187. int __thiscall sub_12D71(void *this);
188. // signed int __usercall sub_13343<eax>(int a1<eax>, unsigned int a2);
189. // int __usercall sub_133BF<eax>(int a1<eax>, int a2, int a3);
190. // int __usercall sub_13409<eax>(int a1<eax>, int a2, int a3, int a4);
191. // int __usercall sub_1356E<eax>(unsigned int *a1<eax>, int a2<ebx>, int a3<edi>, int a4, int a5, int a6);
192. int __thiscall sub_1369C(void *this);
193. signed int __cdecl sub_136F8(int a1, int a2, int a3);
194. signed int __cdecl sub_138BE(int a1, unsigned int a2);
195. bool __cdecl sub_138DB(int a1, unsigned int a2, int a3, int a4);
196. int __cdecl sub_1392E(int a1);
197. // signed int __usercall sub_13A4B<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4);
198. // signed int __usercall sub_13B3A<eax>(int a1<eax>, unsigned int a2<ebx>);
199. // int __usercall sub_13BF1<eax>(unsigned int a1<eax>, int a2<ecx>, int a3, int a4, int a5);
200. // signed int __usercall sub_13C66<eax>(int a1<eax>, int a2<edx>, int a3<ecx>, unsigned int a4);
201. int __cdecl sub_13C92(int a1, char a2, int a3);
202. // int __usercall sub_13CC0<eax>(int a1<eax>, int a2<edx>);
203. // signed int __usercall sub_13D8E<eax>(int a1<eax>, int a2, int a3, unsigned int a4, int (__cdecl *a5)(_DWORD, _DWORD, _DWORD));
204. //----- (00010300) --------------------------------------------------------
205. char __cdecl sub_10300()
206. {
207. LSA_UNICODE_STRING DestinationString; // [sp+8h] [bp-18h]@1
208. char v2; // [sp+10h] [bp-10h]@1
209. HANDLE Handle; // [sp+14h] [bp-Ch]@2
210. int v4; // [sp+18h] [bp-8h]@1
211. char v5; // [sp+1Fh] [bp-1h]@1
212. RtlInitUnicodeString(&DestinationString, L"\\SystemRoot\\System32\\hal.dll");
213. v4 = 0;
214. sub_105E4(&DestinationString, (int)&v4, (int)&v2);
215. v5 = v4 == 0;
216. if ( v2 )
217. {
218. v2 = 0;
219. ZwClose(Handle);
220. }
221. return v5;
222. }
223. //----- (0001034C) --------------------------------------------------------
224. void __stdcall DriverReinitializationRoutine(PDRIVER_OBJECT DriverObject, int a2, unsigned int a3)
225. {
226. if ( !KeGetCurrentIrql() )
227. {
228. if ( a3 <= 0x65 )
229. {
230. if ( !sub_10542() )
231. {
232. if ( sub_10300() )
233. sub_10A3A();
234. else
235. IoRegisterDriverReinitialization(DriverObject, DriverReinitializationRoutine, 0);
236. }
237. }
238. }
239. }
240. //----- (000103AA) --------------------------------------------------------
241. NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
242. {
243. signed int v2; // eax@2
244. LSA_UNICODE_STRING DestinationString; // [sp+Ch] [bp-24h]@11
245. unsigned int i; // [sp+14h] [bp-1Ch]@3
246. CPPEH_RECORD ms_exc; // [sp+18h] [bp-18h]@1
247. ms_exc.disabled = 0;
248. dword_14624 = 128;
249. dword_1461C = (int)ExAllocatePool(0, 0x200u);
250. if ( dword_1461C )
251. {
252. byte_14628 = 1;
253. for ( i = (unsigned int)&unk_14380; i < (unsigned int)&unk_14384; i += 4 )
254. {
255. if ( *(_DWORD *)i )
256. (*(void (**)(void))i)();
257. }
258. v2 = 0;
259. }
260. else
261. {
262. v2 = -1073741823;
263. }
264. if ( !v2 )
265. {
266. if ( !sub_109B0((int)RegistryPath) )
267. {
268. RtlInitUnicodeString(&DestinationString, &SourceString);
269. if ( !IoCreateDevice(DriverObject, 0, &DestinationString, 0x22u, 0x100u, 0, (PDEVICE_OBJECT *)&RegistryPath) )
270. {
271. DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)sub_10BA2;
272. DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)sub_10BA2;
273. DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)sub_10BA2;
274. RegistryPath[3].Buffer = (PWSTR)((unsigned int)RegistryPath[3].Buffer & 0xFFFFFF7F);
275. IoRegisterDriverReinitialization(DriverObject, (PDRIVER_REINITIALIZE)DriverReinitializationRoutine, 0);
276. }
277. }
278. }
279. return 0;
280. }
281. // 10BA2: using guessed type int __stdcall sub_10BA2(int, int);
282. // 1461C: using guessed type int dword_1461C;
283. // 14624: using guessed type int dword_14624;
284. // 14628: using guessed type char byte_14628;
285. //----- (0001048A) --------------------------------------------------------
286. int __stdcall sub_1048A(int a1)
287. {
288. int v1; // edi@5
289. int result; // eax@7
290. int (*v3)(void); // edi@11
291. int v4; // [sp+Ch] [bp-128h]@6
292. __int16 v5; // [sp+120h] [bp-14h]@9
293. int v6; // [sp+130h] [bp-4h]@3
294. *(_BYTE *)a1 = 1;
295. if ( !KeGetCurrentIrql() )
296. {
297. sub_1056C((int)&v6);
298. if ( sub_10886(0) || sub_10886(1) )
299. return 0;
300. v1 = v6;
301. if ( sub_10886(2) )
302. {
303. memset(&v4, 255, 0x11Cu);
304. v4 = 284;
305. if ( !*(_DWORD *)v1 )
306. return -1073741823;
307. result = (*(int (__stdcall **)(int *))v1)(&v4);
308. if ( result )
309. return result;
310. if ( !v5 )
311. return *(_DWORD *)(v1 + 4) != 0 ? 0xC0000001 : 0;
312. }
313. v3 = *(int (**)(void))(v1 + 4);
314. if ( v3 )
315. {
316. if ( (unsigned __int8)v3() )
317. *(_BYTE *)a1 = 0;
318. return 0;
319. }
320. return -1073741823;
321. }
322. *(_BYTE *)a1 = 0;
323. return 0;
324. }
325. //----- (00010542) --------------------------------------------------------
326. int __cdecl sub_10542()
327. {
328. int result; // eax@1
329. char v1; // [sp+7h] [bp-1h]@1
330. v1 = 0;
331. result = sub_1048A((int)&v1);
332. if ( !result )
333. result = (v1 != 0 ? 0x3FFFFFFF : 0) - 1073741823;
334. return result;
335. }
336. //----- (0001056C) --------------------------------------------------------
337. int __usercall sub_1056C<eax>(int a1<esi>)
338. {
339. int v1; // ecx@2
340. *(_DWORD *)a1 = 0;
341. if ( !(dword_146A4 & 1) )
342. {
343. dword_146A4 |= 1u;
344. sub_107E8();
345. sub_107A2(v1, (int)nullsub_1);
346. }
347. byte_14614 = 0;
348. *(_DWORD *)a1 = &dword_14694;
349. return a1;
350. }
351. // 124FA: using guessed type int nullsub_1();
352. // 14614: using guessed type char byte_14614;
353. // 14694: using guessed type int dword_14694;
354. // 146A4: using guessed type int dword_146A4;
355. //----- (000105A0) --------------------------------------------------------
356. int __userpurge sub_105A0<eax>(int a1<ebx>, SIZE_T a2<edi>, int a3<esi>, const void *a4)
357. {
358. PVOID v4; // eax@1
359. char v5; // zf@1
360. v4 = ExAllocatePool(0, a2);
361. v5 = *(_DWORD *)a1 == 0;
362. *(_DWORD *)a3 = v4;
363. *(_DWORD *)(a3 + 4) = a2;
364. *(_DWORD *)(a3 + 8) = v4;
365. *(_DWORD *)(a3 + 12) = a2;
366. if ( v5 )
367. {
368. if ( *(_DWORD *)a3 )
369. {
370. if ( a4 )
371. memcpy(*(void **)a3, a4, a2);
372. }
373. else
374. {
375. *(_DWORD *)a1 = -1073741823;
376. }
377. }
378. return a3;
379. }
380. //----- (000105E4) --------------------------------------------------------
381. int __usercall sub_105E4<eax>(LSA_UNICODE_STRING *a1<ecx>, int a2<edi>, int a3<esi>)
382. {
383. char v3; // zf@1
384. NTSTATUS v4; // eax@2
385. OBJECT_ATTRIBUTES ObjectAttributes; // [sp+8h] [bp-20h]@2
386. struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+20h] [bp-8h]@2
387. v3 = *(_DWORD *)a2 == 0;
388. *(_BYTE *)a3 = 0;
389. *(_DWORD *)(a3 + 4) = 0;
390. if ( v3 )
391. {
392. ObjectAttributes.ObjectName = a1;
393. ObjectAttributes.Length = 24;
394. ObjectAttributes.RootDirectory = 0;
395. ObjectAttributes.Attributes = 576;
396. ObjectAttributes.SecurityDescriptor = 0;
397. ObjectAttributes.SecurityQualityOfService = 0;
398. v4 = ZwOpenFile((PHANDLE)(a3 + 4), 0x80100000u, &ObjectAttributes, &IoStatusBlock, 1u, 0x60u);
399. *(_DWORD *)a2 = v4;
400. *(_BYTE *)a3 = v4 == 0;
401. }
402. return a3;
403. }
404. //----- (00010638) --------------------------------------------------------
405. ULONG __thiscall sub_10638(LSA_UNICODE_STRING *this, ULONG a2, int a3)
406. {
407. char v3; // bl@1
408. ULONG result; // eax@4
409. HANDLE v5; // ecx@6
410. ULONG v6; // edi@6
411. ULONG v7; // esi@6
412. NTSTATUS v8; // eax@7
413. int v9; // eax@17
414. int v10; // eax@18
415. void **v11; // eax@21
416. void *v12; // eax@22
417. char FileInformation; // [sp+10h] [bp-28h]@7
418. ULONG v14; // [sp+18h] [bp-20h]@7
419. void *v15; // [sp+1Ch] [bp-1Ch]@7
420. ULONG Length; // [sp+28h] [bp-10h]@1
421. HANDLE Handle; // [sp+2Ch] [bp-Ch]@3
422. struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+30h] [bp-8h]@1
423. v3 = 0;
424. IoStatusBlock.Information = 0;
425. sub_105E4(this, (int)&IoStatusBlock.Information, (int)&Length);
426. if ( IoStatusBlock.Information )
427. goto LABEL_2;
428. if ( (_BYTE)Length )
429. {
430. v8 = ZwQueryInformationFile(Handle, &IoStatusBlock, &FileInformation, 0x18u, FileStandardInformation);
431. v6 = v14;
432. v5 = v15;
433. v7 = v8;
434. }
435. else
436. {
437. v5 = Handle;
438. v6 = Length;
439. v7 = -1073741823;
440. }
441. IoStatusBlock.Information = v7;
442. if ( v7 )
443. goto LABEL_9;
444. if ( v5 || v6 > a2 )
445. goto LABEL_31;
446. v9 = (int)ExAllocatePool(0, 0x10u);
447. if ( v9 )
448. v10 = sub_105A0((int)&IoStatusBlock.Information, v6, v9, 0);
449. else
450. v10 = 0;
451. sub_1076E(a3, (PVOID *)v10);
452. v3 = 0;
453. if ( IoStatusBlock.Information )
454. {
455. LABEL_2:
456. if ( (_BYTE)Length != v3 )
457. {
458. LOBYTE(Length) = v3;
459. ZwClose(Handle);
460. }
461. return IoStatusBlock.Information;
462. }
463. v11 = *(void ***)(a3 + 4);
464. if ( !v11 )
465. goto LABEL_31;
466. v12 = *v11;
467. if ( !(_BYTE)Length )
468. return -1073741823;
469. v7 = ZwReadFile(Handle, 0, 0, 0, &IoStatusBlock, v12, v6, 0, 0);
470. if ( v7 )
471. {
472. LABEL_9:
473. if ( (_BYTE)Length != v3 )
474. {
475. LOBYTE(Length) = v3;
476. ZwClose(Handle);
477. }
478. return v7;
479. }
480. if ( IoStatusBlock.Information != v6 )
481. {
482. LABEL_31:
483. if ( (_BYTE)Length != v3 )
484. {
485. LOBYTE(Length) = v3;
486. ZwClose(Handle);
487. }
488. result = -1073741823;
489. }
490. else
491. {
492. if ( (_BYTE)Length )
493. {
494. LOBYTE(Length) = 0;
495. ZwClose(Handle);
496. }
497. result = 0;
498. }
499. return result;
500. }
501. //----- (0001076E) --------------------------------------------------------
502. void __userpurge sub_1076E(int a1<ebx>, PVOID *a2)
503. {
504. PVOID *v2; // esi@1
505. v2 = *(PVOID **)(a1 + 4);
506. if ( a2 != v2 )
507. {
508. if ( v2 )
509. {
510. if ( *v2 )
511. ExFreePoolWithTag(*v2, 0);
512. ExFreePoolWithTag(v2, 0);
513. }
514. *(_DWORD *)(a1 + 4) = a2;
515. }
516. }
517. //----- (000107A2) --------------------------------------------------------
518. signed int __fastcall sub_107A2(int a1, int a2)
519. {
520. signed int result; // eax@5
521. if ( !byte_14628 )
522. goto LABEL_9;
523. if ( !dword_1461C )
524. goto LABEL_9;
525. if ( dword_14624 <= dword_14620 )
526. goto LABEL_9;
527. _ECX = &dword_14620;
528. _EAX = 1;
529. __asm { lock xadd [ecx], eax }
530. if ( dword_14624 > _EAX )
531. {
532. *(_DWORD *)(dword_1461C + 4 * _EAX) = a2;
533. result = 0;
534. }
535. else
536. {
537. LABEL_9:
538. result = 1;
539. }
540. return result;
541. }
542. // 1461C: using guessed type int dword_1461C;
543. // 14620: using guessed type int dword_14620;
544. // 14624: using guessed type int dword_14624;
545. // 14628: using guessed type char byte_14628;
546. //----- (000107E8) --------------------------------------------------------
547. int *__cdecl sub_107E8()
548. {
549. int v0; // eax@2
550. char v2; // [sp+4h] [bp-20h]@3
551. dword_14694 = 0;
552. dword_14698 = 0;
553. dword_1469C = 0;
554. dword_146A0 = 0;
555. if ( !sub_10886(0) )
556. {
557. v0 = sub_1098E();
558. if ( v0 )
559. {
560. if ( !sub_121E1((int)&v2, v0, 1) )
561. {
562. dword_14694 = sub_1236B((int)&v2, -899745608);
563. dword_14698 = sub_1236B((int)&v2, -1332885072);
564. dword_1469C = sub_1236B((int)&v2, -2007787012);
565. dword_146A0 = sub_1236B((int)&v2, 1516803388);
566. }
567. }
568. }
569. return &dword_14694;
570. }
571. // 14694: using guessed type int dword_14694;
572. // 14698: using guessed type int dword_14698;
573. // 1469C: using guessed type int dword_1469C;
574. // 146A0: using guessed type int dword_146A0;
575. //----- (00010886) --------------------------------------------------------
576. bool __stdcall sub_10886(int a1)
577. {
578. ULONG MinorVersion; // [sp+0h] [bp-8h]@1
579. ULONG MajorVersion; // [sp+4h] [bp-4h]@1
580. MajorVersion = 0;
581. MinorVersion = 0;
582. PsGetVersion(&MajorVersion, &MinorVersion, 0, 0);
583. return MajorVersion == 5 && a1 == MinorVersion;
584. }
585. //----- (000108BE) --------------------------------------------------------
586. int __stdcall sub_108BE(const char *a1)
587. {
588. ULONG v1; // edi@3
589. PVOID v2; // esi@6
590. int v4; // edi@17
591. PVOID v5; // [sp-8h] [bp-3Ch]@5
592. ULONG v6; // [sp-4h] [bp-38h]@5
593. PVOID P; // [sp+10h] [bp-24h]@3
594. int SystemInformation; // [sp+20h] [bp-14h]@1
595. char *v9; // [sp+24h] [bp-10h]@3
596. int v10; // [sp+28h] [bp-Ch]@13
597. ULONG SystemInformationLength; // [sp+2Ch] [bp-8h]@1
598. SystemInformationLength = 0;
599. SystemInformation = 0;
600. if ( ZwQuerySystemInformation(SystemModuleInformation, &SystemInformation, 0, &SystemInformationLength) != -1073741820
601. || !SystemInformationLength )
602. return 0;
603. v9 = 0;
604. sub_105A0((int)&v9, SystemInformationLength, (int)&P, 0);
605. v1 = 0;
606. if ( v9 )
607. {
608. if ( P )
609. {
610. v6 = 0;
611. v5 = P;
612. LABEL_9:
613. ExFreePoolWithTag(v5, v6);
614. }
615. return 0;
616. }
617. v2 = P;
618. if ( ZwQuerySystemInformation(SystemModuleInformation, P, SystemInformationLength, (PULONG)&SystemInformation) )
619. {
620. if ( !v2 )
621. return 0;
622. LABEL_8:
623. v6 = v1;
624. v5 = v2;
625. goto LABEL_9;
626. }
627. if ( *(_DWORD *)v2 <= 0u )
628. goto LABEL_8;
629. v10 = 0;
630. v9 = (char *)v2 + 30;
631. while ( stricmp((const char *)v2 + v10 + *(_WORD *)v9 + 32, a1) )
632. {
633. v10 += 284;
634. v9 += 284;
635. ++v1;
636. if ( v1 >= *(_DWORD *)v2 )
637. {
638. v1 = 0;
639. goto LABEL_8;
640. }
641. }
642. v4 = *((_DWORD *)v2 + 71 * v1 + 3);
643. ExFreePoolWithTag(v2, 0);
644. return v4;
645. }
646. //----- (0001098E) --------------------------------------------------------
647. int __cdecl sub_1098E()
648. {
649. int result; // eax@1
650. result = sub_108BE(dword_124C0);
651. if ( !result )
652. result = sub_108BE(dword_124D0);
653. return result;
654. }
655. //----- (000109B0) --------------------------------------------------------
656. signed int __usercall sub_109B0<eax>(int a1<edi>)
657. {
658. signed int result; // eax@8
659. if ( byte_14390 )
660. {
661. sub_11EC6(0, (int)&dword_14391, 0x278u);
662. byte_14390 = 0;
663. }
664. if ( !word_14395 )
665. {
666. if ( (unsigned int)*(_WORD *)a1 + 2 <= 0xC8 )
667. {
668. memset((void *)&word_14395, 0, 0xC8u);
669. memcpy((void *)&word_14395, *(const void **)(a1 + 4), *(_WORD *)a1);
670. }
671. }
672. if ( dword_14391 & 1 && InitSafeBootMode || dword_14391 & 2 && (_BYTE)KdDebuggerEnabled )
673. result = -1073741823;
674. else
675. result = 0;
676. return result;
677. }
678. // 125E4: using guessed type void *InitSafeBootMode;
679. // 14390: using guessed type char byte_14390;
680. // 14391: using guessed type int dword_14391;
681. //----- (00010A3A) --------------------------------------------------------
682. int __cdecl sub_10A3A()
683. {
684. int result; // eax@1
685. char v1; // [sp+8h] [bp-8h]@1
686. int v2; // [sp+Ch] [bp-4h]@1
687. v2 = 0;
688. sub_10A8A((int)&v1, &v2);
689. result = v2;
690. if ( !v2 )
691. {
692. sub_10AE2((int)&v2);
693. result = sub_10C22(v2);
694. if ( !result )
695. {
696. sub_10B36((int)&v1);
697. sub_1056C((int)&v1);
698. result = PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)NotifyRoutine);
699. }
700. }
701. return result;
702. }
703. //----- (00010A8A) --------------------------------------------------------
704. int __usercall sub_10A8A<eax>(int a1<edi>, int *a2<esi>)
705. {
706. int v2; // eax@2
707. int v3; // ecx@4
708. *(_DWORD *)a1 = 0;
709. if ( !(dword_146B0 & 1) )
710. {
711. v2 = *a2;
712. dword_146B0 |= 1u;
713. dword_146AC = v2;
714. }
715. if ( !(dword_146B0 & 2) )
716. {
717. dword_146B0 |= 2u;
718. sub_11C14();
719. sub_107A2(v3, (int)nullsub_3);
720. }
721. if ( dword_146AC )
722. *a2 = dword_146AC;
723. else
724. *(_DWORD *)a1 = &dword_146A8;
725. byte_14615 = 0;
726. return a1;
727. }
728. // 12508: using guessed type int nullsub_3();
729. // 14615: using guessed type char byte_14615;
730. // 146A8: using guessed type int dword_146A8;
731. // 146AC: using guessed type int dword_146AC;
732. // 146B0: using guessed type int dword_146B0;
733. //----- (00010AE2) --------------------------------------------------------
734. int __usercall sub_10AE2<eax>(int a1<esi>)
735. {
736. int v1; // ecx@2
737. *(_DWORD *)a1 = 0;
738. if ( !(dword_14690 & 1) )
739. {
740. dword_14668 = 0;
741. dword_14690 |= 1u;
742. byte_14664 = 1;
743. memset(&Mutex, 0, sizeof(Mutex));
744. KeInitializeMutex(&Mutex, 0);
745. sub_107A2(v1, (int)sub_124FE);
746. }
747. byte_14616 = 0;
748. *(_DWORD *)a1 = &byte_14664;
749. return a1;
750. }
751. // 124FE: using guessed type int sub_124FE();
752. // 14616: using guessed type char byte_14616;
753. // 14664: using guessed type char byte_14664;
754. // 14668: using guessed type int dword_14668;
755. // 14690: using guessed type int dword_14690;
756. //----- (00010B36) --------------------------------------------------------
757. int __usercall sub_10B36<eax>(int a1<esi>)
758. {
759. int v1; // ecx@2
760. *(_DWORD *)a1 = 0;
761. if ( !(dword_1468C & 1) )
762. {
763. dword_1468C |= 1u;
764. sub_10FE6();
765. sub_107A2(v1, (int)nullsub_2);
766. }
767. byte_14617 = 0;
768. *(_DWORD *)a1 = &Table;
769. return a1;
770. }
771. // 124FC: using guessed type int nullsub_2();
772. // 14617: using guessed type char byte_14617;
773. // 1468C: using guessed type int dword_1468C;
774. //----- (00010B68) --------------------------------------------------------
775. int __thiscall sub_10B68(int this)
776. {
777. int result; // eax@3
778. int v2; // [sp+0h] [bp-4h]@1
779. v2 = this;
780. if ( *(_DWORD *)(*(_DWORD *)(this + 96) + 12) == 2242560 )
781. {
782. result = sub_11CCC(this);
783. }
784. else
785. {
786. if ( *(_DWORD *)(*(_DWORD *)(this + 96) + 12) == 2242564 )
787. {
788. sub_10AE2((int)&v2);
789. result = sub_10C22(v2);
790. }
791. else
792. {
793. result = -1073741822;
794. }
795. }
796. return result;
797. }
798. //----- (00010BE8) --------------------------------------------------------
799. signed int __cdecl sub_10BE8()
800. {
801. return 1;
802. }
803. //----- (00010BEC) --------------------------------------------------------
804. int __userpurge sub_10BEC<eax>(int a1<ebp>, int a2, int a3)
805. {
806. int v3; // edi@1
807. int v4; // esi@1
808. *(_DWORD *)(a1 - 4) = -1;
809. v4 = *(_DWORD *)(a1 + 12);
810. v3 = *(_DWORD *)(a1 - 28);
811. if ( v3 != 259 )
812. {
813. if ( v3 )
814. *(_DWORD *)(v4 + 28) = 0;
815. *(_DWORD *)(v4 + 24) = v3;
816. IofCompleteRequest((PIRP)v4, 0);
817. }
818. return _SEH_epilog();
819. }
820. // 12463: using guessed type int _SEH_epilog(void);
821. //----- (00010C22) --------------------------------------------------------
822. signed int __usercall sub_10C22<eax>(int a1<eax>)
823. {
824. int v1; // edi@1
825. int v2; // eax@3
826. unsigned int v3; // esi@3
827. int v4; // ecx@3
828. signed int v6; // esi@6
829. int v7; // edi@9
830. struct _KMUTANT *v8; // [sp+10h] [bp-20h]@1
831. ULONG v9; // [sp+14h] [bp-1Ch]@1
832. LSA_UNICODE_STRING ValueName; // [sp+18h] [bp-18h]@1
833. LSA_UNICODE_STRING DestinationString; // [sp+20h] [bp-10h]@1
834. char v12; // [sp+28h] [bp-8h]@2
835. v1 = a1;
836. RtlInitUnicodeString(&DestinationString, &word_14395);
837. RtlInitUnicodeString(&ValueName, &word_1445D);
838. v8 = (struct _KMUTANT *)(v1 + 8);
839. KeWaitForSingleObject((PVOID)(v1 + 8), 0, 0, 0, 0);
840. v9 = sub_11D62(&DestinationString, &ValueName, v1);
841. if ( v9 )
842. {
843. RtlInitUnicodeString((PUNICODE_STRING)&v12, &word_14471);
844. v9 = sub_10638((LSA_UNICODE_STRING *)&v12, dword_14539, v1);
845. if ( v9 )
846. {
847. LABEL_6:
848. v6 = -1073741823;
849. goto LABEL_7;
850. }
851. }
852. v2 = *(_DWORD *)(v1 + 4);
853. v3 = *(_DWORD *)(v2 + 4);
854. sub_11EC6(dword_1453D, *(_DWORD *)v2, v3);
855. if ( sub_11D46(v4, v3) )
856. {
857. KeReleaseMutex(v8, 0);
858. return -1073741823;
859. }
860. v6 = v9;
861. if ( !v9 )
862. {
863. v7 = *(_DWORD *)(v1 + 4);
864. if ( v7 && *(_DWORD *)(v7 + 4) > 0u )
865. {
866. v6 = 0;
867. goto LABEL_7;
868. }
869. goto LABEL_6;
870. }
871. LABEL_7:
872. KeReleaseMutex(v8, 0);
873. return v6;
874. }
875. // 14539: using guessed type int dword_14539;
876. // 1453D: using guessed type int dword_1453D;
877. //----- (00010CFE) --------------------------------------------------------
878. signed int __stdcall sub_10CFE(int a1, int a2)
879. {
880. int v2; // eax@1
881. int v3; // edi@1
882. int v4; // esi@1
883. int v5; // eax@2
884. signed int v6; // edi@5
885. int v8; // [sp+10h] [bp-4h]@1
886. v3 = a1;
887. v4 = 0;
888. v8 = 0;
889. KeWaitForSingleObject((PVOID)(a1 + 8), 0, 0, 0, 0);
890. v2 = (int)ExAllocatePool(0, 0x10u);
891. if ( v2 )
892. {
893. v5 = sub_105A0((int)&v8, *(_DWORD *)(*(_DWORD *)(a1 + 4) + 4), v2, **(const void ***)(a1 + 4));
894. v3 = a1;
895. v4 = 0;
896. }
897. else
898. {
899. v5 = 0;
900. }
901. sub_1076E(a2, (PVOID *)v5);
902. if ( v8 == v4 )
903. {
904. if ( *(_DWORD *)(v3 + 4) == v4 )
905. v6 = -1073741823;
906. else
907. v6 = 0;
908. }
909. else
910. {
911. v6 = v8;
912. }
913. KeReleaseMutex((PRKMUTEX)(a1 + 8), v4);
914. return v6;
915. }
916. //----- (00010D7E) --------------------------------------------------------
917. void __usercall sub_10D7E(int a1<eax>)
918. {
919. PVOID *v1; // edi@2
920. if ( *(_BYTE *)a1 )
921. {
922. v1 = *(PVOID **)(a1 + 4);
923. *(_BYTE *)a1 = 0;
924. if ( v1 )
925. {
926. if ( *v1 )
927. ExFreePoolWithTag(*v1, 0);
928. ExFreePoolWithTag(v1, 0);
929. }
930. }
931. }
932. //----- (00010DA8) --------------------------------------------------------
933. int __usercall sub_10DA8<eax>(int a1<ecx>, int a2<edi>, int a3<esi>)
934. {
935. int v4; // eax@1
936. int v5; // [sp+0h] [bp-4h]@1
937. v5 = a1;
938. sub_10FC4(a3, (int)&v5);
939. *(_DWORD *)a2 = *(_DWORD *)(a3 + 8) + *(_DWORD *)a3;
940. v4 = v5;
941. *(_DWORD *)(a2 + 4) = v5;
942. *(_DWORD *)(a3 + 8) += v4;
943. return a3;
944. }
945. //----- (00010DCC) --------------------------------------------------------
946. void __stdcall sub_10DCC(int a1, HANDLE Handle, int a3)
947. {
948. int v3; // ecx@9
949. int v4; // esi@9
950. int v5; // ebx@12
951. int v6; // ecx@12
952. int v7; // eax@14
953. int i; // [sp+10h] [bp-50h]@4
954. unsigned int v9; // [sp+14h] [bp-4Ch]@9
955. RTL_GENERIC_TABLE *v10; // [sp+18h] [bp-48h]@8
956. int v11; // [sp+1Ch] [bp-44h]@8
957. int v12; // [sp+20h] [bp-40h]@9
958. char v13; // [sp+24h] [bp-3Ch]@8
959. int v14; // [sp+28h] [bp-38h]@8
960. int v15; // [sp+2Ch] [bp-34h]@9
961. int v16; // [sp+30h] [bp-30h]@9
962. int v17; // [sp+34h] [bp-2Ch]@11
963. int v18; // [sp+38h] [bp-28h]@11
964. int v19; // [sp+3Ch] [bp-24h]@4
965. char v20; // [sp+40h] [bp-20h]@7
966. WCHAR *v21; // [sp+44h] [bp-1Ch]@11
967. char v22; // [sp+4Ch] [bp-14h]@14
968. int v23; // [sp+54h] [bp-Ch]@9
969. unsigned int v24; // [sp+58h] [bp-8h]@9
970. int v25; // [sp+5Ch] [bp-4h]@9
971. if ( sub_117A8(L"KERNEL32.DLL", a1) )
972. {
973. sub_1174A((int)Handle, a3);
974. }
975. else
976. {
977. if ( !sub_10542() )
978. {
979. i = 0;
980. sub_11F42((int)&v19, (int)&i, Handle);
981. if ( !i )
982. {
983. if ( v19 == *(_DWORD *)(a3 + 4) )
984. {
985. if ( !(dword_14391 & 4) || !v20 )
986. {
987. sub_10B36((int)&v10);
988. sub_11066((int)Handle, v10);
989. v13 = 1;
990. v14 = 0;
991. sub_10AE2((int)&v11);
992. if ( !sub_10CFE(v11, (int)&v13) )
993. {
994. v3 = *(_DWORD *)v14;
995. v24 = *(_DWORD *)(v14 + 4);
996. v23 = v3;
997. v25 = 0;
998. v15 = 0;
999. v16 = 0;
1000. sub_10FC4((int)&v23, (int)&v12);
1001. sub_10DA8(v3, (int)&v15, (int)&v23);
1002. sub_10FC4((int)&v23, (int)&v9);
1003. v4 = v25;
1004. if ( v25 <= v24 )
1005. {
1006. if ( !v12 )
1007. {
1008. v21 = 0;
1009. v17 = 0;
1010. v18 = 0;
1011. for ( i = 0; i < v9; ++i )
1012. {
1013. v5 = v4 + v23;
1014. v25 = v4 + 16;
1015. v12 = v4 + v23;
1016. sub_10DA8(v3, (int)&v21, (int)&v23);
1017. sub_10DA8(v6, (int)&v17, (int)&v23);
1018. v4 = v25;
1019. if ( v25 > v24 )
1020. break;
1021. if ( sub_117A8(v21, a1) )
1022. {
1023. v7 = sub_111B4((int)&v15, (int)&v22, *(_DWORD *)(v5 + 12));
1024. sub_11522((int)Handle, a3, v12, (int)&v17, v7);
1025. }
1026. }
1027. }
1028. }
1029. }
1030. sub_10D7E((int)&v13);
1031. }
1032. }
1033. }
1034. }
1035. }
1036. }
1037. // 124E0: using guessed type wchar_t aKernel32_dll[13];
1038. // 14391: using guessed type int dword_14391;
1039. //----- (00010F80) --------------------------------------------------------
1040. void __stdcall NotifyRoutine(int a1, HANDLE Handle, int a3)
1041. {
1042. if ( KeGetCurrentIrql() <= 1u )
1043. {
1044. if ( Handle )
1045. sub_10DCC(a1, Handle, a3);
1046. }
1047. }
1048. //----- (00010FC4) --------------------------------------------------------
1049. int __userpurge sub_10FC4<eax>(int result<eax>, int a2)
1050. {
1051. int v2; // ecx@1
1052. v2 = *(_DWORD *)(result + 8);
1053. if ( (unsigned int)(v2 + 4) <= *(_DWORD *)(result + 4) )
1054. *(_DWORD *)a2 = *(_DWORD *)(v2 + *(_DWORD *)result);
1055. *(_DWORD *)(result + 8) = v2 + 4;
1056. return result;
1057. }
1058. //----- (00010FE6) --------------------------------------------------------
1059. RTL_GENERIC_TABLE *__cdecl sub_10FE6()
1060. {
1061. memset(&Table, 0, sizeof(Table));
1062. byte_14658 = -1;
1063. dword_14654 = 0;
1064. dword_1465C = 0;
1065. dword_14660 = 0;
1066. RtlInitializeGenericTable(
1067. &Table,
1068. (PRTL_GENERIC_COMPARE_ROUTINE)CompareRoutine,
1069. (PRTL_GENERIC_ALLOCATE_ROUTINE)AllocateRoutine,
1070. (PRTL_GENERIC_FREE_ROUTINE)FreeRoutine,
1071. 0);
1072. return &Table;
1073. }
1074. // 14654: using guessed type int dword_14654;
1075. // 14658: using guessed type char byte_14658;
1076. // 1465C: using guessed type int dword_1465C;
1077. // 14660: using guessed type int dword_14660;
1078. //----- (00011028) --------------------------------------------------------
1079. PVOID __usercall sub_11028<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>)
1080. {
1081. PKSPIN_LOCK v2; // ecx@1
1082. PVOID v3; // esi@1
1083. PVOID v4; // eax@1
1084. char v5; // zf@1
1085. KIRQL v6; // dl@2
1086. int Buffer; // [sp+8h] [bp-18h]@1
1087. PKSPIN_LOCK SpinLock; // [sp+1Ch] [bp-4h]@1
1088. Buffer = a1;
1089. sub_1118A((int)&SpinLock, (int)&a2[1]);
1090. v4 = RtlLookupElementGenericTable(a2, &Buffer);
1091. v2 = SpinLock;
1092. v5 = SpinLock[3] == 1;
1093. --v2[3];
1094. v3 = v4;
1095. if ( v5 )
1096. {
1097. v6 = *((_BYTE *)v2 + 4);
1098. v2[2] = 0;
1099. KfReleaseSpinLock(v2, v6);
1100. }
1101. return v3;
1102. }
1103. //----- (00011066) --------------------------------------------------------
1104. signed int __usercall sub_11066<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>)
1105. {
1106. int v2; // ecx@1
1107. BOOLEAN v3; // al@1
1108. char v4; // zf@2
1109. KIRQL v5; // dl@3
1110. signed int result; // eax@4
1111. char v7; // zf@5
1112. KIRQL v8; // dl@6
1113. int Buffer; // [sp+8h] [bp-18h]@1
1114. int v10; // [sp+1Ch] [bp-4h]@1
1115. Buffer = a1;
1116. sub_1118A((int)&v10, (int)&a2[1]);
1117. v3 = RtlDeleteElementGenericTable(a2, &Buffer);
1118. v2 = v10;
1119. if ( v3 )
1120. {
1121. v7 = *(_DWORD *)(v10 + 12)-- == 1;
1122. if ( v7 )
1123. {
1124. v8 = *(_BYTE *)(v2 + 4);
1125. *(_DWORD *)(v2 + 8) = 0;
1126. KfReleaseSpinLock((PKSPIN_LOCK)v2, v8);
1127. }
1128. result = 0;
1129. }
1130. else
1131. {
1132. v4 = *(_DWORD *)(v10 + 12)-- == 1;
1133. if ( v4 )
1134. {
1135. v5 = *(_BYTE *)(v2 + 4);
1136. *(_DWORD *)(v2 + 8) = 0;
1137. KfReleaseSpinLock((PKSPIN_LOCK)v2, v5);
1138. }
1139. result = -1073741823;
1140. }
1141. return result;
1142. }
1143. //----- (000110C0) --------------------------------------------------------
1144. signed int __userpurge sub_110C0<eax>(RTL_GENERIC_TABLE *a1<eax>, int *a2)
1145. {
1146. RTL_GENERIC_TABLE *v2; // edi@1
1147. PKSPIN_LOCK v3; // ecx@3
1148. char v4; // zf@3
1149. PVOID v6; // eax@7
1150. char v7; // zf@8
1151. char v8; // zf@10
1152. KIRQL v9; // dl@11
1153. PKSPIN_LOCK SpinLock; // [sp+Ch] [bp-4h]@1
1154. v2 = a1;
1155. sub_1118A((int)&SpinLock, (int)&a1[1]);
1156. if ( sub_11028(*a2, v2) && sub_11066(*a2, v2) )
1157. {
1158. v3 = SpinLock;
1159. v4 = SpinLock[3] == 1;
1160. --v3[3];
1161. if ( !v4 )
1162. return -1073741823;
1163. v3[2] = 0;
1164. LABEL_5:
1165. KfReleaseSpinLock(v3, *((_BYTE *)v3 + 4));
1166. return -1073741823;
1167. }
1168. v6 = RtlInsertElementGenericTable(v2, a2, 0x14u, 0);
1169. v3 = SpinLock;
1170. if ( !v6 )
1171. {
1172. v7 = SpinLock[3]-- == 1;
1173. if ( !v7 )
1174. return -1073741823;
1175. v3[2] = 0;
1176. goto LABEL_5;
1177. }
1178. v8 = SpinLock[3]-- == 1;
1179. if ( v8 )
1180. {
1181. v9 = *((_BYTE *)v3 + 4);
1182. v3[2] = 0;
1183. KfReleaseSpinLock(v3, v9);
1184. }
1185. return 0;
1186. }
1187. //----- (00011142) --------------------------------------------------------
1188. bool __stdcall CompareRoutine(int a1, int a2, int a3)
1189. {
1190. bool result; // eax@2
1191. if ( *(_DWORD *)a2 == *(_DWORD *)a3 )
1192. result = 2;
1193. else
1194. result = *(_DWORD *)a2 >= *(_DWORD *)a3;
1195. return result;
1196. }
1197. //----- (00011160) --------------------------------------------------------
1198. PVOID __stdcall AllocateRoutine(int a1, SIZE_T NumberOfBytes)
1199. {
1200. return ExAllocatePool(0, NumberOfBytes);
1201. }
1202. //----- (00011172) --------------------------------------------------------
1203. void __stdcall FreeRoutine(int a1, PVOID P)
1204. {
1205. if ( P )
1206. ExFreePoolWithTag(P, 0);
1207. }
1208. //----- (0001118A) --------------------------------------------------------
1209. int __usercall sub_1118A<eax>(int a1<ebx>, int a2<esi>)
1210. {
1211. PKTHREAD v2; // edi@1
1212. KIRQL v3; // al@2
1213. *(_DWORD *)a1 = a2;
1214. v2 = KeGetCurrentThread();
1215. if ( v2 != *(PKTHREAD *)(a2 + 8) )
1216. {
1217. v3 = KfAcquireSpinLock((PKSPIN_LOCK)a2);
1218. *(_DWORD *)(a2 + 12) = 0;
1219. *(_BYTE *)(a2 + 4) = v3;
1220. *(_DWORD *)(a2 + 8) = v2;
1221. }
1222. ++*(_DWORD *)(a2 + 12);
1223. return a1;
1224. }
1225. //----- (000111B4) --------------------------------------------------------
1226. int __userpurge sub_111B4<eax>(int a1<eax>, int a2<ebx>, int a3)
1227. {
1228. int v3; // esi@1
1229. int v4; // ecx@2
1230. int v5; // ecx@4
1231. int v7; // [sp+8h] [bp-24h]@2
1232. unsigned int v8; // [sp+Ch] [bp-20h]@2
1233. unsigned int v9; // [sp+10h] [bp-1Ch]@2
1234. int v10; // [sp+14h] [bp-18h]@2
1235. int v11; // [sp+18h] [bp-14h]@2
1236. int v12; // [sp+1Ch] [bp-10h]@4
1237. unsigned int v13; // [sp+20h] [bp-Ch]@2
1238. unsigned int v14; // [sp+24h] [bp-8h]@3
1239. v3 = 0;
1240. if ( a3
1241. && (v4 = *(_DWORD *)a1,
1242. v8 = *(_DWORD *)(a1 + 4),
1243. v7 = v4,
1244. v9 = 0,
1245. v10 = 0,
1246. v11 = 0,
1247. sub_10FC4((int)&v7, (int)&v13),
1248. v9 <= v8)
1249. && (v14 = 0, v13 > 0) )
1250. {
1251. while ( 1 )
1252. {
1253. sub_10FC4((int)&v7, (int)&v12);
1254. sub_10DA8(v5, (int)&v10, (int)&v7);
1255. if ( v9 > v8 )
1256. {
1257. LABEL_7:
1258. v3 = 0;
1259. goto LABEL_8;
1260. }
1261. if ( a3 == v12 )
1262. break;
1263. ++v14;
1264. if ( v14 >= v13 )
1265. goto LABEL_7;
1266. }
1267. *(_DWORD *)a2 = v10;
1268. *(_DWORD *)(a2 + 4) = v11;
1269. }
1270. else
1271. {
1272. LABEL_8:
1273. *(_DWORD *)a2 = v3;
1274. *(_DWORD *)(a2 + 4) = v3;
1275. }
1276. return a2;
1277. }
1278. //----- (00011242) --------------------------------------------------------
1279. signed int __userpurge sub_11242<eax>(int a1<eax>, int a2, int a3)
1280. {
1281. signed int result; // eax@1
1282. PVOID v4; // eax@2
1283. PVOID v5; // edi@2
1284. int v6; // eax@4
1285. int v7; // ebx@4
1286. unsigned int v8; // esi@4
1287. void *v9; // ST08_4@4
1288. int v10; // ecx@10
1289. char v11; // [sp+10h] [bp-38h]@1
1290. int v12; // [sp+18h] [bp-30h]@4
1291. int v13; // [sp+1Ch] [bp-2Ch]@4
1292. int v14; // [sp+30h] [bp-18h]@8
1293. int v15; // [sp+34h] [bp-14h]@7
1294. unsigned int v16; // [sp+38h] [bp-10h]@8
1295. int v17; // [sp+3Ch] [bp-Ch]@8
1296. unsigned int v18; // [sp+40h] [bp-8h]@4
1297. int v19; // [sp+44h] [bp-4h]@6
1298. result = sub_121E1((int)&v11, *(_DWORD *)(a1 + 4), 1);
1299. if ( !result )
1300. {
1301. v4 = sub_1182C(dword_12680 + 4981);
1302. v5 = v4;
1303. if ( v4
1304. && (v7 = (int)((char *)v4 + 4981),
1305. memcpy(v4, &unk_12EB8, 0x1375u),
1306. memcpy((char *)v5 + 4981, &unk_12694, dword_12680),
1307. *(_WORD *)v7 = 23117,
1308. *(_DWORD *)(dword_1268C + v7) = 17744,
1309. *(_WORD *)(dword_12690 + v7) = 267,
1310. v9 = (void *)(v7 + dword_12688),
1311. *(_DWORD *)(a3 + 4) = v7 + dword_12688,
1312. memset(v9, 0, 0x98u),
1313. *(_DWORD *)(*(_DWORD *)(a3 + 4) + 88) = v5,
1314. *(_DWORD *)(*(_DWORD *)(a3 + 4) + 96) = v7,
1315. *(_DWORD *)(*(_DWORD *)(a3 + 4) + 104) = dword_12680,
1316. v18 = v12 + *(_DWORD *)(v13 + 40),
1317. v8 = v18,
1318. (v6 = sub_1210F((int)&v11, v18)) != 0)
1319. && v12 + *(_DWORD *)(v6 + 8) + *(_DWORD *)(v6 + 12) >= v8 + 12 )
1320. {
1321. result = sub_118E2(v8, (int)&v11);
1322. v19 = result;
1323. if ( !result )
1324. {
1325. sub_10A8A((int)&v15, &v19);
1326. result = v19;
1327. if ( !v19 )
1328. {
1329. v16 = v18;
1330. v17 = 12;
1331. result = (*(int (__stdcall **)(signed int, unsigned int *, int *, signed int, int *))v15)(
1332. -1,
1333. &v16,
1334. &v17,
1335. 128,
1336. &v14);
1337. if ( !result )
1338. {
1339. result = sub_11864((HANDLE *)(*(_DWORD *)(a3 + 4) + 144));
1340. if ( !result )
1341. {
1342. v10 = v14;
1343. *(_DWORD *)a3 = a2;
1344. *(_DWORD *)(a3 + 8) = v7 + dword_12684;
1345. *(_DWORD *)(a3 + 12) = v18;
1346. *(_DWORD *)(*(_DWORD *)(a3 + 4) + 136) = v10;
1347. result = 0;
1348. }
1349. }
1350. }
1351. }
1352. }
1353. else
1354. {
1355. result = -1073741823;
1356. }
1357. }
1358. return result;
1359. }
1360. // 12684: using guessed type int dword_12684;
1361. // 12688: using guessed type int dword_12688;
1362. // 1268C: using guessed type int dword_1268C;
1363. // 12690: using guessed type int dword_12690;
1364. //----- (000113C2) --------------------------------------------------------
1365. PVOID __userpurge sub_113C2<eax>(int a1<edi>, int a2, int a3)
1366. {
1367. PVOID result; // eax@1
1368. PVOID v4; // esi@1
1369. int v5; // ebx@2
1370. result = sub_1182C(*(_DWORD *)(a1 + 4) + 40);
1371. v4 = result;
1372. if ( result )
1373. {
1374. v5 = (int)((char *)result + 40);
1375. memcpy((char *)result + 40, *(const void **)a1, *(_DWORD *)(a1 + 4));
1376. *((_DWORD *)v4 + 2) = v5;
1377. *((_DWORD *)v4 + 4) = *(_DWORD *)(a1 + 4);
1378. *((_WORD *)v4 + 12) = *(_WORD *)(a2 + 4);
1379. *((_BYTE *)v4 + 32) = (*(_BYTE *)(a2 + 6) >> 1) & 1;
1380. *(_DWORD *)v4 = *(_DWORD *)(*(_DWORD *)(a3 + 4) + 112);
1381. result = *(PVOID *)(a3 + 4);
1382. *((_DWORD *)result + 28) = v4;
1383. }
1384. return result;
1385. }
1386. //----- (0001141E) --------------------------------------------------------
1387. void __userpurge sub_1141E(int a1<eax>, int a2<ecx>, int a3<ebx>, int a4, int a5)
1388. {
1389. int v5; // esi@1
1390. char v6; // zf@1
1391. int v7; // edi@2
1392. int v8; // edi@4
1393. int v9; // eax@6
1394. int v10; // eax@10
1395. RTL_GENERIC_TABLE *v11; // edi@10
1396. char v12; // [sp+8h] [bp-30h]@11
1397. LSA_UNICODE_STRING DestinationString; // [sp+1Ch] [bp-1Ch]@3
1398. PCWSTR v14; // [sp+24h] [bp-14h]@2
1399. int v15; // [sp+28h] [bp-10h]@9
1400. char v16; // [sp+2Ch] [bp-Ch]@1
1401. int v17; // [sp+30h] [bp-8h]@1
1402. RTL_GENERIC_TABLE *v18; // [sp+34h] [bp-4h]@10
1403. v17 = 0;
1404. v6 = (*(_BYTE *)(a3 + 6) & 2) == 0;
1405. v5 = a2;
1406. v16 = 1;
1407. if ( v6 )
1408. {
1409. v7 = *(_DWORD *)(a1 + 4);
1410. v14 = *(PCWSTR *)a1;
1411. }
1412. else
1413. {
1414. RtlInitUnicodeString(&DestinationString, *(PCWSTR *)a1);
1415. if ( sub_10638(&DestinationString, dword_14539, (int)&v16) )
1416. {
1417. v9 = *(_DWORD *)v5;
1418. v7 = *(_DWORD *)(v5 + 4);
1419. }
1420. else
1421. {
1422. v8 = v17;
1423. if ( *(_BYTE *)(a3 + 6) & 1 )
1424. sub_11EC6(*(_DWORD *)(a3 + 8), *(_DWORD *)v17, *(_DWORD *)(v17 + 4));
1425. v9 = *(_DWORD *)v8;
1426. v7 = *(_DWORD *)(v8 + 4);
1427. }
1428. v14 = (PCWSTR)v9;
1429. }
1430. v15 = v7;
1431. if ( v7 )
1432. {
1433. sub_10B36((int)&v18);
1434. v11 = v18;
1435. v10 = (int)sub_11028(a4, v18);
1436. if ( v10 || !sub_11242(a5, a4, (int)&v12) && !sub_110C0(v11, (int *)&v12) && (v10 = (int)sub_11028(a4, v11)) != 0 )
1437. sub_113C2((int)&v14, a3, v10);
1438. }
1439. sub_10D7E((int)&v16);
1440. }
1441. // 14539: using guessed type int dword_14539;
1442. //----- (000114EC) --------------------------------------------------------
1443. void __fastcall sub_114EC(int a1, int a2, int a3, int a4, int a5)
1444. {
1445. sub_1141E(a5, a1, a2, a3, a4);
1446. }
1447. //----- (00011522) --------------------------------------------------------
1448. LONG_PTR __stdcall sub_11522(int a1, int a2, int a3, int a4, int a5)
1449. {
1450. void *v5; // ecx@1
1451. char v7; // [sp+Ch] [bp-28h]@1
1452. char v8; // [sp+10h] [bp-24h]@5
1453. char v9; // [sp+18h] [bp-1Ch]@4
1454. int v10; // [sp+30h] [bp-4h]@1
1455. v10 = 0;
1456. sub_11FC0((int)&v7, (int)&v10, a1);
1457. if ( !v10 )
1458. sub_114EC(a5, a3, a1, a2, a4);
1459. if ( v7 )
1460. {
1461. v7 = 0;
1462. KeUnstackDetachProcess(&v9);
1463. }
1464. return sub_120CC(v5, (LONG_PTR)&v8);
1465. }
1466. // 12600: using guessed type int __stdcall KeUnstackDetachProcess(_DWORD);
1467. //----- (00011578) --------------------------------------------------------
1468. PVOID __stdcall sub_11578(int a1)
1469. {
1470. RTL_GENERIC_TABLE *v2; // [sp+8h] [bp-4h]@1
1471. sub_10B36((int)&v2);
1472. return sub_11028(a1, v2);
1473. }
1474. //----- (00011598) --------------------------------------------------------
1475. PVOID __stdcall sub_11598(int a1)
1476. {
1477. return sub_11578(a1);
1478. }
1479. //----- (000115CC) --------------------------------------------------------
1480. signed int __userpurge sub_115CC<eax>(const void *a1<eax>, int a2<ebx>, int a3)
1481. {
1482. signed int result; // eax@1
1483. int v4; // ST38_4@1
1484. int v5; // esi@2
1485. char v6; // zf@2
1486. int v7; // edi@12
1487. int v8; // ecx@12
1488. int v9; // esi@12
1489. char v10; // [sp+8h] [bp-38h]@1
1490. char v11; // [sp+28h] [bp-18h]@1
1491. int v12; // [sp+2Ch] [bp-14h]@2
1492. int v13; // [sp+30h] [bp-10h]@12
1493. int v14; // [sp+34h] [bp-Ch]@12
1494. RTL_GENERIC_TABLE *v15; // [sp+3Ch] [bp-4h]@2
1495. v4 = *(_DWORD *)(a2 + 4);
1496. memcpy(&v11, a1, 0x14u);
1497. result = sub_121E1((int)&v10, v4, 1);
1498. if ( !result )
1499. {
1500. sub_10B36((int)&v15);
1501. sub_11066(a3, v15);
1502. v5 = v12;
1503. *(_DWORD *)v12 = *(_DWORD *)(a2 + 4);
1504. *(_DWORD *)(v5 + 8) = sub_1236B((int)&v10, -934890519);
1505. *(_DWORD *)(v5 + 16) = sub_1236B((int)&v10, -1871298611);
1506. *(_DWORD *)(v5 + 24) = sub_1236B((int)&v10, -1680372695);
1507. *(_DWORD *)(v5 + 32) = sub_1236B((int)&v10, 578844873);
1508. *(_DWORD *)(v5 + 40) = sub_1236B((int)&v10, 1538632765);
1509. *(_DWORD *)(v5 + 48) = sub_1236B((int)&v10, 1538689877);
1510. *(_DWORD *)(v5 + 56) = sub_1236B((int)&v10, -964130467);
1511. *(_DWORD *)(v5 + 64) = sub_1236B((int)&v10, -411935863);
1512. *(_DWORD *)(v5 + 72) = sub_1236B((int)&v10, 122157493);
1513. result = sub_1236B((int)&v10, 201870840);
1514. v6 = *(_DWORD *)(v5 + 8) == 0;
1515. *(_DWORD *)(v5 + 80) = result;
1516. if ( !v6 )
1517. {
1518. if ( *(_DWORD *)(v5 + 16) )
1519. {
1520. if ( *(_DWORD *)(v5 + 24) )
1521. {
1522. if ( *(_DWORD *)(v5 + 32) )
1523. {
1524. if ( *(_DWORD *)(v5 + 40) )
1525. {
1526. if ( *(_DWORD *)(v5 + 48) )
1527. {
1528. if ( *(_DWORD *)(v5 + 56) )
1529. {
1530. if ( *(_DWORD *)(v5 + 64) )
1531. {
1532. if ( *(_DWORD *)(v5 + 72) )
1533. {
1534. if ( result )
1535. {
1536. result = v14;
1537. v7 = v5 + 120;
1538. v8 = v13;
1539. v9 = v14;
1540. *(_DWORD *)v7 = *(_DWORD *)v14;
1541. v9 += 4;
1542. v7 += 4;
1543. *(_DWORD *)v7 = *(_DWORD *)v9;
1544. *(_DWORD *)(v7 + 4) = *(_DWORD *)(v9 + 4);
1545. *(_DWORD *)result = *(_DWORD *)"ž";
1546. *(_WORD *)(result + 4) = *(_WORD *)&asc_12678[4];
1547. *(_BYTE *)(result + 6) = asc_12678[6];
1548. *(_DWORD *)(result + 1) = v8;
1549. }
1550. }
1551. }
1552. }
1553. }
1554. }
1555. }
1556. }
1557. }
1558. }
1559. }
1560. return result;
1561. }
1562. //----- (00011718) --------------------------------------------------------
1563. signed int __thiscall sub_11718(int this, int a2, const void *a3)
1564. {
1565. return sub_115CC(a3, this, a2);
1566. }
1567. //----- (0001174A) --------------------------------------------------------
1568. __int32 __stdcall sub_1174A(int a1, int a2)
1569. {
1570. __int32 result; // eax@1
1571. const void *v3; // edi@1
1572. void *v4; // ecx@2
1573. char v5; // [sp+8h] [bp-28h]@2
1574. char v6; // [sp+Ch] [bp-24h]@6
1575. char v7; // [sp+14h] [bp-1Ch]@5
1576. int v8; // [sp+2Ch] [bp-4h]@2
1577. result = (__int32)sub_11598(a1);
1578. v3 = (const void *)result;
1579. if ( result )
1580. {
1581. v8 = 0;
1582. sub_11FC0((int)&v5, (int)&v8, a1);
1583. if ( !v8 )
1584. sub_11718(a2, a1, v3);
1585. if ( v5 )
1586. {
1587. v5 = 0;
1588. KeUnstackDetachProcess(&v7);
1589. }
1590. result = sub_120CC(v4, (LONG_PTR)&v6);
1591. }
1592. return result;
1593. }
1594. // 12600: using guessed type int __stdcall KeUnstackDetachProcess(_DWORD);
1595. //----- (000117A8) --------------------------------------------------------
1596. char __usercall sub_117A8<al>(WCHAR *a1<eax>, int a2<ecx>)
1597. {
1598. WCHAR *v2; // edi@1
1599. int v3; // esi@1
1600. WCHAR v4; // dx@2
1601. unsigned int v5; // eax@3
1602. int v6; // edx@3
1603. char result; // al@4
1604. int v8; // eax@5
1605. WCHAR *v9; // esi@6
1606. WCHAR v10; // bx@7
1607. int v11; // [sp+8h] [bp-Ch]@3
1608. unsigned int v12; // [sp+Ch] [bp-8h]@5
1609. int v13; // [sp+10h] [bp-4h]@6
1610. v2 = a1;
1611. v3 = (int)(a1 + 1);
1612. do
1613. {
1614. v4 = *a1;
1615. ++a1;
1616. }
1617. while ( v4 );
1618. v6 = (signed int)((char *)a1 - v3) >> 1;
1619. v5 = (unsigned __int16)(*(_WORD *)a2 >> 1);
1620. v11 = v6;
1621. if ( v6 <= v5 )
1622. {
1623. v12 = 0;
1624. v8 = *(_DWORD *)(a2 + 4) + 2 * (v5 - v6);
1625. if ( v6 )
1626. {
1627. v13 = v8 - (_DWORD)v2;
1628. v9 = v2;
1629. while ( 1 )
1630. {
1631. v10 = RtlUpcaseUnicodeChar(*(WCHAR *)((char *)v9 + v13));
1632. if ( RtlUpcaseUnicodeChar(*v9) != v10 )
1633. break;
1634. ++v12;
1635. ++v9;
1636. if ( v12 >= v11 )
1637. goto LABEL_9;
1638. }
1639. result = 0;
1640. }
1641. else
1642. {
1643. LABEL_9:
1644. result = 1;
1645. }
1646. }
1647. else
1648. {
1649. result = 0;
1650. }
1651. return result;
1652. }
1653. //----- (0001182C) --------------------------------------------------------
1654. PVOID __usercall sub_1182C<eax>(ULONG a1<esi>)
1655. {
1656. PVOID result; // eax@3
1657. PVOID BaseAddress; // [sp+0h] [bp-8h]@1
1658. ULONG AllocationSize; // [sp+4h] [bp-4h]@1
1659. BaseAddress = 0;
1660. AllocationSize = a1;
1661. if ( ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFF, &BaseAddress, 0, &AllocationSize, 0x1000u, 0x40u)
1662. || AllocationSize < a1 )
1663. result = 0;
1664. else
1665. result = BaseAddress;
1666. return result;
1667. }
1668. //----- (00011864) --------------------------------------------------------
1669. int __usercall sub_11864<eax>(HANDLE *a1<edi>)
1670. {
1671. signed int v1; // esi@1
1672. int i; // esi@6
1673. HANDLE Handle; // [sp+4h] [bp-4Ch]@3
1674. OBJECT_ATTRIBUTES ObjectAttributes; // [sp+24h] [bp-2Ch]@1
1675. struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+3Ch] [bp-14h]@2
1676. LSA_UNICODE_STRING DestinationString; // [sp+44h] [bp-Ch]@1
1677. NTSTATUS v8; // [sp+4Ch] [bp-4h]@2
1678. RtlInitUnicodeString(&DestinationString, &SourceString);
1679. ObjectAttributes.RootDirectory = 0;
1680. ObjectAttributes.SecurityDescriptor = 0;
1681. ObjectAttributes.SecurityQualityOfService = 0;
1682. ObjectAttributes.Length = 24;
1683. ObjectAttributes.Attributes = 64;
1684. ObjectAttributes.ObjectName = &DestinationString;
1685. v1 = 0;
1686. while ( 1 )
1687. {
1688. v8 = ZwOpenFile(a1, 0xC0100000u, &ObjectAttributes, &IoStatusBlock, 3u, 0x60u);
1689. if ( v8 )
1690. break;
1691. *(&Handle + v1++) = *a1;
1692. if ( v1 > 7 )
1693. goto LABEL_6;
1694. }
1695. ++v1;
1696. LABEL_6:
1697. for ( i = v1 - 2; i >= 0; --i )
1698. ZwClose(*(&Handle + i));
1699. return v8;
1700. }
1701. //----- (000118E2) --------------------------------------------------------
1702. signed int __stdcall sub_118E2(unsigned int a1, int a2)
1703. {
1704. signed int result; // eax@2
1705. bool v3; // eax@3
1706. int v4; // edx@6
1707. int v5; // ecx@6
1708. unsigned int v6; // eax@7
1709. unsigned int v7; // eax@9
1710. unsigned int v8; // edi@10
1711. int v9; // eax@11
1712. int i; // [sp+0h] [bp-10h]@6
1713. unsigned int v11; // [sp+4h] [bp-Ch]@10
1714. int v12; // [sp+8h] [bp-8h]@3
1715. int v13; // [sp+Ch] [bp-4h]@3
1716. if ( *(_DWORD *)(a2 + 8) == *(_DWORD *)(*(_DWORD *)(a2 + 12) + 52)
1717. || (v13 = 0, v12 = 0, v3 = sub_122D0(a2, 5u, (int)&v13, (int)&v12), v3 == 2) )
1718. {
1719. result = 0;
1720. }
1721. else
1722. {
1723. if ( v3 )
1724. {
1725. result = -1073741823;
1726. }
1727. else
1728. {
1729. v5 = v13;
1730. v4 = v13 + 8;
1731. for ( i = v13 + v12; v5 + 8 <= (unsigned int)i; v13 = v5 )
1732. {
1733. v6 = *(_DWORD *)(v5 + 4);
1734. if ( !v6 )
1735. break;
1736. if ( v6 < 8 || (v7 = v6 - 8, v7 & 1) )
1737. return -1073741823;
1738. v11 = v7 >> 1;
1739. v8 = 0;
1740. if ( v7 >> 1 )
1741. {
1742. do
1743. {
1744. v9 = *(_DWORD *)(a2 + 8) + *(_DWORD *)v5 + (*(_WORD *)(v4 + 2 * v8) & 0xFFF);
1745. if ( *(_WORD *)(v4 + 2 * v8) & 0xF000 )
1746. {
1747. if ( v9 >= a1 && v9 < a1 + 12 )
1748. return -1073741637;
1749. }
1750. ++v8;
1751. }
1752. while ( v8 < v11 );
1753. }
1754. v5 += *(_DWORD *)(v5 + 4);
1755. v4 = v5 + 8;
1756. }
1757. result = 0;
1758. }
1759. }
1760. return result;
1761. }
1762. //----- (000119AE) --------------------------------------------------------
1763. char __fastcall sub_119AE(int a1, int a2)
1764. {
1765. int v2; // eax@1
1766. v2 = *(_DWORD *)(a2 + 36);
1767. return !(v2 & 0x2000000)
1768. && v2 & 0x20000000
1769. && v2 & 0x20
1770. && v2 & 0x40000000
1771. && (!strncmp((const char *)a2, ".text", 8) || !strncmp((const char *)a2, "PAGE", 8));
1772. }
1773. //----- (00011A08) --------------------------------------------------------
1774. char __usercall sub_11A08<al>(int a1<edi>)
1775. {
1776. unsigned int v1; // ecx@1
1777. v1 = 0;
1778. while ( (byte_12644[v1] & *(&byte_12644[v1] + a1 - (_DWORD)byte_12644)) == byte_12630[v1] )
1779. {
1780. ++v1;
1781. if ( v1 >= 0x14 )
1782. return *(_DWORD *)(a1 + 13) - *(_DWORD *)((char *)&ZwAllocateVirtualMemory + 13) == (_DWORD)((char *)ZwAllocateVirtualMemory
1783. - a1);
1784. }
1785. return 0;
1786. }
1787. //----- (00011A4A) --------------------------------------------------------
1788. int __userpurge sub_11A4A<eax>(int a1<eax>, int a2<ebx>, unsigned int a3)
1789. {
1790. int v3; // esi@1
1791. int v4; // edx@4
1792. int v5; // edi@4
1793. int v6; // edx@5
1794. unsigned int v7; // eax@6
1795. int v9; // [sp-4h] [bp-10h]@4
1796. unsigned int v10; // [sp+8h] [bp-4h]@1
1797. v10 = 0;
1798. v3 = a1;
1799. while ( 1 )
1800. {
1801. if ( a3 <= v3 + 5 )
1802. return 0;
1803. if ( *(_BYTE *)v3 == -24 )
1804. {
1805. v5 = *(_DWORD *)(v3 + 1) + v3 + 5;
1806. v4 = sub_1210F(a2, v5);
1807. if ( v4 )
1808. {
1809. if ( sub_119AE(v9, v4) )
1810. {
1811. v7 = *(_DWORD *)(v6 + 8);
1812. if ( v7 >= *(_DWORD *)(v6 + 16) )
1813. v7 = *(_DWORD *)(v6 + 16);
1814. if ( v5 + 20 <= v7 + *(_DWORD *)(a2 + 8) + *(_DWORD *)(v6 + 12) && sub_11A08(v5) )
1815. break;
1816. }
1817. }
1818. }
1819. ++v10;
1820. ++v3;
1821. if ( v10 >= 0x1E )
1822. return 0;
1823. }
1824. return v5;
1825. }
1826. //----- (00011ABC) --------------------------------------------------------
1827. const char *__usercall sub_11ABC<eax>(const char *result<eax>, int a2<ecx>)
1828. {
1829. int v2; // ebx@1
1830. v2 = a2 - 19;
1831. while ( (unsigned int)result < v2 )
1832. {
1833. while ( (unsigned int)result <= v2 - 4 )
1834. {
1835. if ( *(_DWORD *)result == dword_12658 )
1836. goto LABEL_7;
1837. ++result;
1838. }
1839. result = 0;
1840. LABEL_7:
1841. if ( !result )
1842. break;
1843. if ( !strncmp(result, (const char *)&dword_12658, 14) )
1844. return result;
1845. ++result;
1846. }
1847. return 0;
1848. }
1849. // 12658: using guessed type int dword_12658;
1850. //----- (00011B04) --------------------------------------------------------
1851. int __stdcall sub_11B04(int a1, const char *a2, unsigned int a3, int a4, int a5)
1852. {
1853. int result; // eax@2
1854. const char *v6; // ebx@7
1855. int v7; // eax@17
1856. unsigned int v8; // ecx@17
1857. int v9; // eax@24
1858. int v10; // [sp+Ch] [bp-4h]@7
1859. int v11; // [sp+Ch] [bp-4h]@14
1860. *(_BYTE *)a5 = 0;
1861. if ( sub_10886(0) )
1862. {
1863. result = (int)sub_11ABC(a2, a3);
1864. if ( result )
1865. {
1866. if ( *(_DWORD *)a4 && result != *(_DWORD *)a4 )
1867. *(_BYTE *)a5 = 1;
1868. else
1869. *(_DWORD *)a4 = result;
1870. }
1871. }
1872. else
1873. {
1874. v6 = a2;
1875. result = a3 - 10;
1876. v10 = (int)a2;
1877. if ( (unsigned int)a2 < a3 - 10 )
1878. {
1879. while ( 2 )
1880. {
1881. for ( result = v10; ; ++result )
1882. {
1883. if ( result > a3 - 14 )
1884. {
1885. v11 = 0;
1886. goto LABEL_15;
1887. }
1888. if ( *(_DWORD *)result == dword_12628 )
1889. break;
1890. }
1891. v11 = result;
1892. LABEL_15:
1893. if ( v11 )
1894. {
1895. if ( !strncmp((const char *)v11, (const char *)&dword_12628, 5) )
1896. {
1897. v8 = 0;
1898. v7 = v11;
1899. while ( (unsigned int)&v6[v8] < v11 )
1900. {
1901. if ( *(_BYTE *)v7 == -24
1902. && (NTSTATUS (__stdcall *)(HANDLE, PVOID *, ULONG, PULONG, ULONG, ULONG))(*(_DWORD *)(v7 + 1) + v7 + 5) == ZwAllocateVirtualMemory )
1903. {
1904. v9 = sub_11A4A(v11, a1, a3);
1905. if ( !v9 )
1906. break;
1907. if ( !*(_DWORD *)a4 || v9 == *(_DWORD *)a4 )
1908. {
1909. *(_DWORD *)a4 = v9;
1910. break;
1911. }
1912. result = a5;
1913. *(_BYTE *)a5 = 1;
1914. return result;
1915. }
1916. ++v8;
1917. --v7;
1918. if ( v8 >= 0x78 )
1919. break;
1920. }
1921. }
1922. v10 = v11 + 1;
1923. result = v10;
1924. if ( v10 < a3 - 10 )
1925. {
1926. v6 = a2;
1927. continue;
1928. }
1929. }
1930. break;
1931. }
1932. }
1933. }
1934. return result;
1935. }
1936. // 12628: using guessed type int dword_12628;
1937. //----- (00011C14) --------------------------------------------------------
1938. int *__cdecl sub_11C14()
1939. {
1940. int v0; // ebx@1
1941. int v1; // eax@2
1942. int v2; // ecx@3
1943. __int16 v3; // di@4
1944. int v4; // esi@4
1945. int v5; // edx@5
1946. unsigned int v6; // ecx@6
1947. int v7; // eax@8
1948. const char *v8; // ST04_4@8
1949. char v10; // [sp+Ch] [bp-2Ch]@3
1950. int v11; // [sp+20h] [bp-18h]@4
1951. unsigned __int16 v12; // [sp+24h] [bp-14h]@4
1952. int v13; // [sp+2Ch] [bp-Ch]@2
1953. int v14; // [sp+30h] [bp-8h]@4
1954. char v15; // [sp+37h] [bp-1h]@8
1955. v0 = 0;
1956. dword_146A8 = 0;
1957. if ( !dword_146AC )
1958. {
1959. v1 = sub_1098E();
1960. v13 = v1;
1961. if ( v1 )
1962. {
1963. if ( !sub_121E1((int)&v10, v1, 1) )
1964. {
1965. v3 = v12;
1966. v4 = v11;
1967. v14 = 0;
1968. if ( v12 > 0u )
1969. {
1970. while ( 1 )
1971. {
1972. if ( sub_119AE(v2, 40 * (unsigned __int16)v0 + v4) )
1973. {
1974. v6 = *(_DWORD *)(v5 + 16);
1975. if ( *(_DWORD *)(v5 + 8) < v6 )
1976. v6 = *(_DWORD *)(v5 + 8);
1977. v7 = v13 + *(_DWORD *)(v5 + 12);
1978. v8 = (const char *)(v13 + *(_DWORD *)(v5 + 12));
1979. v15 = 1;
1980. sub_11B04((int)&v10, v8, v7 + v2, (int)&v14, (int)&v15);
1981. if ( v15 )
1982. break;
1983. }
1984. ++v0;
1985. if ( (_WORD)v0 >= (unsigned __int16)v3 )
1986. {
1987. if ( !v14 )
1988. break;
1989. dword_146A8 = v14;
1990. return &dword_146A8;
1991. }
1992. }
1993. }
1994. }
1995. }
1996. dword_146AC = -1073741823;
1997. }
1998. return &dword_146A8;
1999. }
2000. // 146A8: using guessed type int dword_146A8;
2001. // 146AC: using guessed type int dword_146AC;
2002. //----- (00011CCC) --------------------------------------------------------
2003. int __stdcall sub_11CCC(int a1)
2004. {
2005. int v1; // eax@1
2006. int result; // eax@2
2007. int v3; // ebx@4
2008. int v4; // [sp+0h] [bp-8h]@6
2009. int v5; // [sp+4h] [bp-4h]@6
2010. v1 = *(_DWORD *)(a1 + 96);
2011. *(_DWORD *)(a1 + 28) = 0;
2012. if ( *(_DWORD *)(v1 + 8) != 40 || *(_DWORD *)(v1 + 4) != 40 )
2013. {
2014. result = -1073741811;
2015. }
2016. else
2017. {
2018. v3 = *(_DWORD *)(a1 + 12);
2019. if ( *(_DWORD *)v3 == -1347686387 )
2020. {
2021. v5 = 0;
2022. sub_10A8A((int)&v4, &v5);
2023. result = v5;
2024. if ( !v5 )
2025. {
2026. result = (*(int (__stdcall **)(_DWORD, int, int, _DWORD, int))v4)(
2027. *(_DWORD *)(v3 + 8),
2028. v3 + 16,
2029. v3 + 24,
2030. *(_DWORD *)(v3 + 32),
2031. v3 + 32);
2032. if ( !result )
2033. {
2034. *(_DWORD *)(a1 + 28) = 40;
2035. result = 0;
2036. }
2037. }
2038. }
2039. else
2040. {
2041. result = -1073741811;
2042. }
2043. }
2044. return result;
2045. }
2046. //----- (00011D46) --------------------------------------------------------
2047. char __stdcall sub_11D46(int a1, unsigned int a2)
2048. {
2049. char result; // al@1
2050. unsigned int v3; // ecx@1
2051. v3 = 0;
2052. result = 0;
2053. if ( a2 )
2054. {
2055. do
2056. result += *(_BYTE *)(v3++ + a1);
2057. while ( v3 < a2 );
2058. }
2059. return result;
2060. }
2061. //----- (00011D62) --------------------------------------------------------
2062. NTSTATUS __userpurge sub_11D62<eax>(LSA_UNICODE_STRING *a1<eax>, PUNICODE_STRING ValueName, int a3)
2063. {
2064. NTSTATUS v3; // esi@1
2065. OBJECT_ATTRIBUTES ObjectAttributes; // [sp+8h] [bp-20h]@1
2066. int v6; // [sp+20h] [bp-8h]@1
2067. HANDLE Handle; // [sp+24h] [bp-4h]@1
2068. ObjectAttributes.ObjectName = a1;
2069. LOBYTE(v6) = 0;
2070. Handle = 0;
2071. ObjectAttributes.Length = 24;
2072. ObjectAttributes.RootDirectory = 0;
2073. ObjectAttributes.Attributes = 64;
2074. ObjectAttributes.SecurityDescriptor = 0;
2075. ObjectAttributes.SecurityQualityOfService = 0;
2076. v3 = ZwOpenKey(&Handle, 0x20019u, &ObjectAttributes);
2077. LOBYTE(v6) = v3 == 0;
2078. if ( !v3 )
2079. v3 = sub_11DD6((int)&v6, ValueName, a3);
2080. if ( (_BYTE)v6 )
2081. {
2082. LOBYTE(v6) = 0;
2083. ZwClose(Handle);
2084. }
2085. return v3;
2086. }
2087. //----- (00011DD6) --------------------------------------------------------
2088. signed int __stdcall sub_11DD6(int a1, PUNICODE_STRING ValueName, int a3)
2089. {
2090. PVOID v4; // edi@10
2091. signed int v5; // esi@14
2092. int v6; // eax@16
2093. int v7; // eax@17
2094. PVOID v8; // [sp-8h] [bp-34h]@7
2095. ULONG v9; // [sp-4h] [bp-30h]@7
2096. PVOID P; // [sp+10h] [bp-1Ch]@5
2097. ULONG ResultLength; // [sp+20h] [bp-Ch]@4
2098. NTSTATUS v12; // [sp+24h] [bp-8h]@5
2099. if ( !*(_BYTE *)a1
2100. || (ResultLength = 0,
2101. ZwQueryValueKey(*(HANDLE *)(a1 + 4), ValueName, KeyValuePartialInformation, 0, 0, &ResultLength) != -1073741789) )
2102. return -1073741823;
2103. v12 = 0;
2104. sub_105A0((int)&v12, ResultLength, (int)&P, 0);
2105. if ( v12 )
2106. {
2107. if ( !P )
2108. return v12;
2109. v9 = 0;
2110. v8 = P;
2111. LABEL_8:
2112. ExFreePoolWithTag(v8, v9);
2113. return v12;
2114. }
2115. v4 = P;
2116. v12 = ZwQueryValueKey(*(HANDLE *)(a1 + 4), ValueName, KeyValuePartialInformation, P, ResultLength, &ResultLength);
2117. if ( v12 )
2118. {
2119. if ( !v4 )
2120. return v12;
2121. v9 = 0;
2122. v8 = v4;
2123. goto LABEL_8;
2124. }
2125. if ( *((_DWORD *)v4 + 1) == 3 )
2126. {
2127. v6 = (int)ExAllocatePool(0, 0x10u);
2128. if ( v6 )
2129. {
2130. v7 = sub_105A0((int)&v12, *((_DWORD *)v4 + 2), v6, (char *)v4 + 12);
2131. v4 = P;
2132. }
2133. else
2134. {
2135. v7 = 0;
2136. }
2137. sub_1076E(a3, (PVOID *)v7);
2138. v5 = 0;
2139. if ( v12 )
2140. {
2141. v5 = v12;
2142. goto LABEL_15;
2143. }
2144. if ( *(_DWORD *)(a3 + 4) )
2145. goto LABEL_15;
2146. }
2147. v5 = -1073741823;
2148. LABEL_15:
2149. ExFreePoolWithTag(v4, 0);
2150. return v5;
2151. }
2152. //----- (00011EC6) --------------------------------------------------------
2153. int __usercall sub_11EC6<eax>(char a1<al>, int a2<ecx>, unsigned int a3<esi>)
2154. {
2155. unsigned int v3; // edx@2
2156. unsigned int v4; // eax@4
2157. int result; // eax@6
2158. char v7; // [sp+8h] [bp-10h]@1
2159. char v8; // [sp+Ch] [bp-Ch]@1
2160. signed int v9; // [sp+10h] [bp-8h]@1
2161. unsigned int v10; // [sp+14h] [bp-4h]@1
2162. v10 = a3 >> 1;
2163. v7 = a1 ^ 0xD;
2164. v8 = a1 ^ 0xEF;
2165. v9 = 7;
2166. do
2167. {
2168. v3 = 0;
2169. if ( a3 )
2170. {
2171. do
2172. {
2173. *(_BYTE *)(v3 + a2) ^= v9 * v8 + v3 * v7;
2174. ++v3;
2175. }
2176. while ( v3 < a3 );
2177. }
2178. v4 = 0;
2179. if ( v10 )
2180. {
2181. do
2182. {
2183. *(_BYTE *)(v4 + a2) ^= *(_BYTE *)(((a3 + 1) >> 1) + a2 + v4);
2184. ++v4;
2185. }
2186. while ( v4 < v10 );
2187. }
2188. for ( result = a3 - 1; (unsigned int)result >= 1; --result )
2189. *(_BYTE *)(result + a2) -= *(_BYTE *)(result + a2 - 1);
2190. }
2191. while ( v9-- - 1 >= 0 );
2192. return result;
2193. }
2194. //----- (00011F42) --------------------------------------------------------
2195. int __stdcall sub_11F42(int a1, int a2, HANDLE Handle)
2196. {
2197. int v3; // eax@2
2198. int v4; // ecx@3
2199. int v5; // eax@5
2200. char ProcessInformation; // [sp+Ch] [bp-34h]@2
2201. int v8; // [sp+10h] [bp-30h]@3
2202. CPPEH_RECORD ms_exc; // [sp+28h] [bp-18h]@2
2203. *(_DWORD *)a1 = 0;
2204. *(_BYTE *)(a1 + 4) = 1;
2205. if ( !*(_DWORD *)a2 )
2206. {
2207. ms_exc.disabled = 0;
2208. v3 = sub_12000(Handle, &ProcessInformation);
2209. *(_DWORD *)a2 = v3;
2210. if ( !v3 )
2211. {
2212. v4 = v8;
2213. if ( v8 && (v5 = *(_DWORD *)(v8 + 8)) != 0 )
2214. {
2215. *(_DWORD *)a1 = v5;
2216. *(_BYTE *)(a1 + 4) = *(_BYTE *)(v4 + 2) != 0;
2217. }
2218. else
2219. {
2220. *(_DWORD *)a2 = -1073741823;
2221. }
2222. }
2223. ms_exc.disabled = -1;
2224. }
2225. return a1;
2226. }
2227. //----- (00011FC0) --------------------------------------------------------
2228. int __userpurge sub_11FC0<eax>(int a1<esi>, int a2, int a3)
2229. {
2230. *(_BYTE *)a1 = 0;
2231. sub_12094(a1 + 4, a2, a3);
2232. memset((void *)(a1 + 12), 0, 0x18u);
2233. if ( !*(_DWORD *)a2 )
2234. {
2235. KeStackAttachProcess(*(_DWORD *)(a1 + 8), a1 + 12);
2236. *(_BYTE *)a1 = 1;
2237. }
2238. return a1;
2239. }
2240. // 12604: using guessed type int __stdcall KeStackAttachProcess(_DWORD, _DWORD);
2241. //----- (00012000) --------------------------------------------------------
2242. int __stdcall sub_12000(HANDLE Handle, PVOID ProcessInformation)
2243. {
2244. int result; // eax@4
2245. NTSTATUS v3; // esi@5
2246. char v4; // [sp+10h] [bp-10h]@1
2247. PVOID Object; // [sp+14h] [bp-Ch]@3
2248. ULONG ReturnLength; // [sp+18h] [bp-8h]@6
2249. int v7; // [sp+1Ch] [bp-4h]@1
2250. v7 = 0;
2251. sub_12094((int)&v4, (int)&v7, (int)Handle);
2252. if ( v7 )
2253. {
2254. if ( v4 )
2255. {
2256. v4 = 0;
2257. ObfDereferenceObject(Object);
2258. }
2259. result = v7;
2260. }
2261. else
2262. {
2263. Handle = 0;
2264. v3 = ObOpenObjectByPointer(Object, 0, 0, 0, 0, 0, &Handle);
2265. if ( !v3 )
2266. {
2267. ReturnLength = 0;
2268. v3 = ZwQueryInformationProcess(Handle, 0, ProcessInformation, 0x18u, &ReturnLength);
2269. }
2270. if ( Handle )
2271. ZwClose(Handle);
2272. if ( v4 )
2273. {
2274. v4 = 0;
2275. ObfDereferenceObject(Object);
2276. }
2277. result = v3;
2278. }
2279. return result;
2280. }
2281. // 1260C: using guessed type int __stdcall ObOpenObjectByPointer(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);
2282. //----- (00012094) --------------------------------------------------------
2283. int __userpurge sub_12094<eax>(int a1<ebx>, int a2<edi>, int a3)
2284. {
2285. char v3; // zf@1
2286. int v4; // eax@2
2287. *(_DWORD *)(a1 + 4) = 0;
2288. v3 = *(_DWORD *)a2 == 0;
2289. *(_BYTE *)a1 = 0;
2290. if ( v3 )
2291. {
2292. v4 = PsLookupProcessByProcessId(a3, a1 + 4);
2293. *(_DWORD *)a2 = v4;
2294. if ( !v4 )
2295. {
2296. if ( *(_DWORD *)(a1 + 4) )
2297. *(_BYTE *)a1 = 1;
2298. else
2299. *(_DWORD *)a2 = -1073741823;
2300. }
2301. }
2302. return a1;
2303. }
2304. // 12610: using guessed type int __stdcall PsLookupProcessByProcessId(_DWORD, _DWORD);
2305. //----- (000120CC) --------------------------------------------------------
2306. LONG_PTR __usercall sub_120CC<eax>(PVOID Object<ecx>, LONG_PTR result<eax>)
2307. {
2308. void *v2; // ecx@2
2309. if ( *(_BYTE *)result )
2310. {
2311. v2 = *(void **)(result + 4);
2312. *(_BYTE *)result = 0;
2313. result = ObfDereferenceObject(v2);
2314. }
2315. return result;
2316. }
2317. //----- (000120DE) --------------------------------------------------------
2318. int __cdecl sub_120DE(int a1)
2319. {
2320. int result; // eax@1
2321. int v2; // edx@1
2322. char v3; // cl@1
2323. int v4; // esi@2
2324. v2 = a1;
2325. v3 = *(_BYTE *)a1;
2326. for ( result = 0; *(_BYTE *)v2; result = v4 )
2327. {
2328. v4 = result * (7 * result + 1) + v3 * (17 * v3 + 12);
2329. ++v2;
2330. v3 = *(_BYTE *)v2;
2331. }
2332. return result;
2333. }
2334. //----- (0001210F) --------------------------------------------------------
2335. int __cdecl sub_1210F(int a1, unsigned int a2)
2336. {
2337. unsigned __int16 v2; // bx@1
2338. int v3; // edi@1
2339. int v4; // esi@1
2340. int v5; // eax@3
2341. unsigned int v6; // ecx@3
2342. int v7; // eax@5
2343. int result; // eax@8
2344. int v9; // [sp+14h] [bp+8h]@2
2345. v2 = *(_WORD *)(a1 + 24);
2346. v4 = *(_DWORD *)(a1 + 20);
2347. v3 = 0;
2348. if ( v2 <= 0u )
2349. {
2350. LABEL_8:
2351. result = 0;
2352. }
2353. else
2354. {
2355. v9 = *(_DWORD *)(a1 + 8);
2356. while ( 1 )
2357. {
2358. v5 = v4 + 40 * (unsigned __int16)v3;
2359. v6 = *(_DWORD *)(v5 + 8);
2360. if ( v6 >= *(_DWORD *)(v5 + 16) )
2361. v6 = *(_DWORD *)(v5 + 16);
2362. v7 = v9 + *(_DWORD *)(v5 + 12);
2363. if ( a2 >= v7 )
2364. {
2365. if ( a2 < v6 + v7 )
2366. break;
2367. }
2368. ++v3;
2369. if ( (_WORD)v3 >= v2 )
2370. goto LABEL_8;
2371. }
2372. result = v4 + 40 * (unsigned __int16)v3;
2373. }
2374. return result;
2375. }
2376. //----- (0001216B) --------------------------------------------------------
2377. signed int __usercall sub_1216B<eax>(int a1<eax>, unsigned int a2<ebx>)
2378. {
2379. int v2; // esi@1
2380. signed int result; // eax@2
2381. int v4; // edi@3
2382. int v5; // eax@6
2383. unsigned int v6; // ecx@6
2384. unsigned int v7; // eax@8
2385. int v8; // esi@12
2386. unsigned __int16 v9; // [sp+4h] [bp-4h]@1
2387. v2 = *(_DWORD *)(a1 + 20);
2388. v9 = *(_WORD *)(a1 + 24);
2389. if ( a2 < *(_DWORD *)(a1 + 26) )
2390. {
2391. v4 = 0;
2392. if ( !*(_DWORD *)(a1 + 4) )
2393. goto LABEL_17;
2394. if ( *(_WORD *)(a1 + 24) <= 0u )
2395. goto LABEL_14;
2396. while ( 1 )
2397. {
2398. v5 = v2 + 40 * (unsigned __int16)v4;
2399. v6 = *(_DWORD *)(v5 + 8);
2400. if ( v6 >= *(_DWORD *)(v5 + 16) )
2401. v6 = *(_DWORD *)(v5 + 16);
2402. v7 = *(_DWORD *)(v5 + 12);
2403. if ( a2 >= v7 )
2404. {
2405. if ( a2 < v6 + v7 )
2406. break;
2407. }
2408. ++v4;
2409. if ( (_WORD)v4 >= v9 )
2410. goto LABEL_14;
2411. }
2412. v8 = *(_DWORD *)(40 * (unsigned __int16)v4 + v2 + 36);
2413. if ( v8 & 0x2000000 || !(v8 & 0x40000000) )
2414. LABEL_14:
2415. result = 0;
2416. else
2417. LABEL_17:
2418. result = 1;
2419. }
2420. else
2421. {
2422. result = 0;
2423. }
2424. return result;
2425. }
2426. //----- (000121E1) --------------------------------------------------------
2427. signed int __cdecl sub_121E1(int a1, int a2, int a3)
2428. {
2429. int v4; // eax@3
2430. unsigned __int16 v5; // cx@4
2431. int v6; // edx@7
2432. int v7; // ecx@7
2433. __int16 v8; // dx@12
2434. if ( *(_WORD *)a2 != 23117 || (v4 = a2 + *(_DWORD *)(a2 + 60), (*(_DWORD *)v4 ^ 0xF750F284) != -145705004) )
2435. return 1;
2436. v5 = *(_WORD *)(v4 + 4);
2437. if ( 22531 == (v5 ^ 0x594F) )
2438. {
2439. if ( (*(_WORD *)(v4 + 24) ^ 0x5908) == 22531 && *(_WORD *)(v4 + 20) == 224 )
2440. {
2441. v7 = a1;
2442. *(_DWORD *)a1 = 0;
2443. v6 = v4 + 120;
2444. LABEL_12:
2445. *(_DWORD *)(v7 + 16) = v6;
2446. *(_DWORD *)(v7 + 26) = *(_DWORD *)(v4 + 80);
2447. *(_DWORD *)(v7 + 20) = *(_WORD *)(v4 + 20) + v4 + 24;
2448. v8 = *(_WORD *)(v4 + 6);
2449. *(_DWORD *)(v7 + 12) = v4;
2450. *(_DWORD *)(v7 + 4) = a3;
2451. *(_WORD *)(v7 + 24) = v8;
2452. *(_DWORD *)(v7 + 8) = a2;
2453. return 0;
2454. }
2455. }
2456. else
2457. {
2458. if ( 22531 == (v5 ^ 0xDE67) && (*(_WORD *)(v4 + 24) ^ 0x5A08) == 22531 && *(_WORD *)(v4 + 20) == 240 )
2459. {
2460. v7 = a1;
2461. *(_DWORD *)a1 = 1;
2462. v6 = v4 + 136;
2463. goto LABEL_12;
2464. }
2465. }
2466. return 1;
2467. }
2468. //----- (000122B3) --------------------------------------------------------
2469. signed int __cdecl sub_122B3(int a1, unsigned int a2)
2470. {
2471. signed int result; // eax@1
2472. result = sub_1216B(a1, a2);
2473. if ( result )
2474. result = a2 + *(_DWORD *)(a1 + 8);
2475. return result;
2476. }
2477. //----- (000122D0) --------------------------------------------------------
2478. bool __cdecl sub_122D0(int a1, unsigned int a2, int a3, int a4)
2479. {
2480. int v4; // esi@1
2481. bool result; // eax@2
2482. unsigned int v6; // eax@3
2483. v4 = *(_DWORD *)(a1 + 16) + 8 * a2;
2484. if ( a2 >= 0x10 )
2485. return 1;
2486. v6 = *(_DWORD *)v4;
2487. if ( *(_DWORD *)v4 )
2488. {
2489. if ( v6 + *(_DWORD *)(v4 + 4) > *(_DWORD *)(a1 + 26) )
2490. return 1;
2491. *(_DWORD *)a3 = sub_122B3(a1, *(_DWORD *)v4);
2492. *(_DWORD *)a4 = *(_DWORD *)(v4 + 4);
2493. result = *(_DWORD *)a3 == 0;
2494. }
2495. else
2496. {
2497. LOBYTE(v6) = *(_DWORD *)(v4 + 4) == v6;
2498. result = v6 + 1;
2499. }
2500. return result;
2501. }
2502. //----- (00012323) --------------------------------------------------------
2503. signed int __usercall sub_12323<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4)
2504. {
2505. signed int v4; // eax@1
2506. unsigned int v5; // esi@1
2507. unsigned int v6; // eax@3
2508. signed int result; // eax@4
2509. v5 = a1;
2510. v4 = sub_122B3(a2, *(_DWORD *)(a1 + 28));
2511. if ( !v4
2512. || (unsigned int)a4 >= *(_DWORD *)(v5 + 20)
2513. || (v6 = *(_DWORD *)(v4 + 4 * a4), !v6)
2514. || (result = sub_122B3(a2, v6), !result)
2515. || result >= v5 && result < a3 + v5 )
2516. result = 0;
2517. return result;
2518. }
2519. //----- (0001236B) --------------------------------------------------------
2520. signed int __cdecl sub_1236B(int a1, int a2)
2521. {
2522. unsigned int v2; // esi@1
2523. signed int result; // eax@2
2524. unsigned int v4; // edi@3
2525. unsigned int v5; // ebx@6
2526. int v6; // eax@7
2527. int v7; // [sp+4h] [bp-Ch]@1
2528. int v8; // [sp+8h] [bp-8h]@4
2529. int v9; // [sp+Ch] [bp-4h]@1
2530. v2 = 0;
2531. if ( sub_122D0(a1, 0, (int)&v9, (int)&v7) )
2532. {
2533. result = 0;
2534. }
2535. else
2536. {
2537. v4 = v9;
2538. v9 = sub_122B3(a1, *(_DWORD *)(v9 + 32));
2539. if ( v9 && (v8 = sub_122B3(a1, *(_DWORD *)(v4 + 36))) != 0 )
2540. {
2541. v5 = *(_DWORD *)(v4 + 24);
2542. if ( v5 )
2543. {
2544. do
2545. {
2546. v6 = sub_122B3(a1, *(_DWORD *)(v9 + 4 * v2));
2547. if ( !v6 )
2548. break;
2549. if ( sub_120DE(v6) == a2 )
2550. return sub_12323(v4, a1, v7, *(_WORD *)(v8 + 2 * v2));
2551. ++v2;
2552. }
2553. while ( v2 < v5 );
2554. }
2555. result = 0;
2556. }
2557. else
2558. {
2559. result = 0;
2560. }
2561. }
2562. return result;
2563. }
2564. //----- (00012A24) --------------------------------------------------------
2565. signed int __usercall sub_12A24<eax>(int a1<esi>)
2566. {
2567. int v1; // edi@1
2568. int (__stdcall *v2)(_DWORD); // ebx@1
2569. int v3; // eax@1
2570. int v4; // eax@1
2571. signed int result; // eax@2
2572. v1 = sub_12D71((void *)0x2B8);
2573. v2 = *(int (__stdcall **)(_DWORD))(v1 + 32);
2574. *(_BYTE *)a1 = 21;
2575. *(_DWORD *)(a1 + 1) = 57;
2576. *(_DWORD *)(a1 + 13) = sub_12D71((void *)0x652);
2577. *(_DWORD *)(a1 + 17) = sub_12D71((void *)0x686);
2578. *(_DWORD *)(a1 + 21) = *(_DWORD *)(v1 + 40);
2579. *(_DWORD *)(a1 + 25) = *(_DWORD *)(v1 + 24);
2580. *(_DWORD *)(a1 + 29) = *(_DWORD *)(v1 + 72);
2581. v3 = sub_12D71((void *)0x260);
2582. v4 = v2(v3);
2583. *(_DWORD *)(a1 + 33) = v4;
2584. if ( v4 )
2585. {
2586. *(_DWORD *)(a1 + 41) = 0;
2587. *(_DWORD *)(a1 + 45) = 0;
2588. *(_DWORD *)(a1 + 49) = 1;
2589. result = 0;
2590. }
2591. else
2592. {
2593. result = 1;
2594. }
2595. return result;
2596. }
2597. //----- (00012A95) --------------------------------------------------------
2598. signed int __cdecl sub_12A95(int a1)
2599. {
2600. signed int result; // eax@1
2601. int v2; // edi@1
2602. int v3; // eax@2
2603. int v4; // eax@2
2604. int v5; // ecx@4
2605. char v6; // [sp+Ch] [bp-84h]@4
2606. char v7; // [sp+4Ch] [bp-44h]@1
2607. int v8; // [sp+51h] [bp-3Fh]@2
2608. int v9; // [sp+55h] [bp-3Bh]@2
2609. int (__cdecl *v10)(char *); // [sp+88h] [bp-8h]@1
2610. int (__cdecl *v11)(char *, int); // [sp+8Ch] [bp-4h]@1
2611. v2 = *(_DWORD *)(a1 + 88);
2612. v11 = (int (__cdecl *)(char *, int))(v2 + 149 + *(_DWORD *)(v2 + 113));
2613. v10 = (int (__cdecl *)(char *))(v2 + 149 + *(_DWORD *)(v2 + 129));
2614. *(_WORD *)(v2 + 149) = 23117;
2615. *(_DWORD *)(v2 + 149 + *(_DWORD *)(v2 + 141)) = 17744;
2616. *(_WORD *)(v2 + 149 + *(_DWORD *)(v2 + 145)) = 267;
2617. result = sub_12A24((int)&v7);
2618. if ( !result )
2619. {
2620. v3 = *(_DWORD *)(v2 + 1);
2621. v8 = v2 + 149;
2622. v9 = v3;
2623. v4 = sub_12D71((void *)0x350);
2624. result = v11(&v7, v4);
2625. if ( !result )
2626. {
2627. result = sub_12A24((int)&v7);
2628. if ( !result )
2629. {
2630. v5 = *(_DWORD *)(a1 + 96);
2631. v9 = *(_DWORD *)(a1 + 104);
2632. v8 = v5;
2633. result = v11(&v7, (int)&v6);
2634. if ( !result )
2635. {
2636. result = v10(&v6);
2637. if ( result )
2638. result = ((int (*)(void))result)();
2639. }
2640. }
2641. }
2642. }
2643. return result;
2644. }
2645. //----- (00012D37) --------------------------------------------------------
2646. bool __usercall sub_12D37<eax>(int a1<eax>, int a2)
2647. {
2648. int (__stdcall *v2)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); // ecx@1
2649. bool result; // eax@2
2650. int v4; // [sp+0h] [bp-4h]@1
2651. v2 = *(int (__stdcall **)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))(a1 + 80);
2652. v4 = 0;
2653. if ( v2(*(_DWORD *)(a1 + 144), 2242560, a2, 40, a2, 40, &v4, 0) )
2654. result = v4 != 40;
2655. else
2656. result = 1;
2657. return result;
2658. }
2659. //----- (00012D71) --------------------------------------------------------
2660. int __thiscall sub_12D71(void *this)
2661. {
2662. return (int)((char *)this + 75412);
2663. }
2664. //----- (00013343) --------------------------------------------------------
2665. signed int __usercall sub_13343<eax>(int a1<eax>, unsigned int a2)
2666. {
2667. unsigned int v2; // edi@1
2668. int v4; // ecx@3
2669. unsigned int v5; // ebx@4
2670. int v6; // eax@7
2671. unsigned int v7; // edx@8
2672. int v8; // ecx@8
2673. unsigned int v9; // [sp+8h] [bp-4h]@1
2674. v9 = 0;
2675. LOWORD(v2) = *(_WORD *)(a1 + 24);
2676. if ( *(_DWORD *)a1 || (v4 = *(_DWORD *)(a1 + 12), *(_DWORD *)(v4 + 84) > a2) )
2677. return 2;
2678. v5 = *(_DWORD *)(a1 + 26);
2679. if ( !(*(_DWORD *)(a1 + 26) % *(_DWORD *)(v4 + 56)) && *(_WORD *)(v4 + 6) )
2680. {
2681. v2 = (unsigned __int16)v2;
2682. if ( !(_WORD)v2 )
2683. return 0;
2684. v6 = *(_DWORD *)(a1 + 20) + 16;
2685. while ( 1 )
2686. {
2687. v8 = *(_DWORD *)v6;
2688. v7 = *(_DWORD *)(v6 - 8);
2689. if ( *(_DWORD *)v6 >= v7 )
2690. v8 = *(_DWORD *)(v6 - 8);
2691. if ( v8 + *(_DWORD *)(v6 + 4) > a2 || v7 + *(_DWORD *)(v6 - 4) > v5 )
2692. break;
2693. v6 += 40;
2694. ++v9;
2695. if ( v9 >= v2 )
2696. return 0;
2697. }
2698. }
2699. return 2;
2700. }
2701. //----- (000133BF) --------------------------------------------------------
2702. int __usercall sub_133BF<eax>(int a1<eax>, int a2, int a3)
2703. {
2704. int result; // eax@1
2705. int v4; // ecx@1
2706. int v5; // ebx@2
2707. int v6; // esi@2
2708. int v7; // edx@3
2709. int v8; // ecx@5
2710. int i; // edi@5
2711. v4 = *(_DWORD *)(a1 + 20);
2712. result = *(_WORD *)(a1 + 24);
2713. if ( result )
2714. {
2715. v6 = v4 + 8;
2716. v5 = result;
2717. do
2718. {
2719. v7 = *(_DWORD *)v6;
2720. if ( *(_DWORD *)(v6 + 8) < *(_DWORD *)v6 )
2721. v7 = *(_DWORD *)(v6 + 8);
2722. v8 = *(_DWORD *)(a2 + 5) + *(_DWORD *)(v6 + 12);
2723. result = a3 + *(_DWORD *)(v6 + 4);
2724. for ( i = v7; i; ++v8 )
2725. {
2726. --i;
2727. *(_BYTE *)result++ = *(_BYTE *)v8;
2728. }
2729. v6 += 40;
2730. --v5;
2731. }
2732. while ( v5 );
2733. }
2734. return result;
2735. }
2736. //----- (00013409) --------------------------------------------------------
2737. int __usercall sub_13409<eax>(int a1<eax>, int a2, int a3, int a4)
2738. {
2739. unsigned int v4; // edi@1
2740. int v5; // eax@4
2741. char v6; // dl@4
2742. int v7; // ecx@4
2743. int v8; // esi@5
2744. int v10; // [sp+Ch] [bp-Ch]@2
2745. unsigned int v11; // [sp+10h] [bp-8h]@1
2746. int v12; // [sp+14h] [bp-4h]@2
2747. v4 = 0;
2748. v11 = *(_DWORD *)(a1 + 45);
2749. if ( v11 )
2750. {
2751. v10 = *(_DWORD *)(a1 + 41);
2752. v12 = *(_DWORD *)(a1 + 41);
2753. while ( 1 )
2754. {
2755. if ( !sub_13CC0(a2, *(_DWORD *)v12) )
2756. {
2757. v7 = *(_DWORD *)(v12 + 4);
2758. v6 = *(_BYTE *)v7;
2759. v5 = *(_BYTE *)a3 - *(_BYTE *)v7;
2760. if ( *(_BYTE *)a3 == *(_BYTE *)v7 )
2761. {
2762. v8 = a3 - v7;
2763. do
2764. {
2765. if ( !v6 )
2766. break;
2767. ++v7;
2768. v6 = *(_BYTE *)v7;
2769. v5 = *(_BYTE *)(v8 + v7) - *(_BYTE *)v7;
2770. }
2771. while ( *(_BYTE *)(v8 + v7) == *(_BYTE *)v7 );
2772. }
2773. if ( v5 >= 0 )
2774. {
2775. if ( v5 > 0 )
2776. v5 = 1;
2777. if ( !v5 )
2778. break;
2779. }
2780. }
2781. v12 += 12;
2782. ++v4;
2783. if ( v4 >= v11 )
2784. goto LABEL_13;
2785. }
2786. *(_DWORD *)a4 = *(_DWORD *)(12 * v4 + v10 + 8);
2787. }
2788. else
2789. {
2790. LABEL_13:
2791. *(_DWORD *)a4 = 0;
2792. }
2793. return 0;
2794. }
2795. //----- (0001356E) --------------------------------------------------------
2796. int __usercall sub_1356E<eax>(unsigned int *a1<eax>, int a2<ebx>, int a3<edi>, int a4, int a5, int a6)
2797. {
2798. unsigned int v6; // eax@1
2799. int v7; // eax@2
2800. signed int v8; // eax@4
2801. int result; // eax@5
2802. int v10; // esi@6
2803. int v11; // eax@9
2804. v6 = *a1;
2805. if ( (signed int)v6 < 0 )
2806. {
2807. v7 = (unsigned __int16)v6;
2808. goto LABEL_9;
2809. }
2810. if ( !v6 || (v8 = sub_138BE(a4, v6), !v8) )
2811. return 4;
2812. v10 = v8 + 2;
2813. result = sub_13409(a2, a5, v8 + 2, a3);
2814. if ( result )
2815. return result;
2816. if ( !*(_DWORD *)a3 )
2817. {
2818. v7 = v10;
2819. LABEL_9:
2820. v11 = (*(int (__stdcall **)(int, int))(a2 + 25))(a6, v7);
2821. *(_DWORD *)a3 = v11;
2822. if ( v11 )
2823. return 0;
2824. return 4;
2825. }
2826. return 0;
2827. }
2828. //----- (0001369C) --------------------------------------------------------
2829. int __thiscall sub_1369C(void *this)
2830. {
2831. return (int)((char *)this - 4116659);
2832. }
2833. //----- (000136F8) --------------------------------------------------------
2834. signed int __cdecl sub_136F8(int a1, int a2, int a3)
2835. {
2836. int v4; // eax@3
2837. unsigned __int16 v5; // cx@4
2838. int v6; // edx@7
2839. int v7; // ecx@7
2840. __int16 v8; // dx@12
2841. if ( *(_WORD *)a2 != 23117 || (v4 = a2 + *(_DWORD *)(a2 + 60), (*(_DWORD *)v4 ^ 0xF750F284) != -145705004) )
2842. return 1;
2843. v5 = *(_WORD *)(v4 + 4);
2844. if ( 22531 == (v5 ^ 0x594F) )
2845. {
2846. if ( (*(_WORD *)(v4 + 24) ^ 0x5908) == 22531 && *(_WORD *)(v4 + 20) == 224 )
2847. {
2848. v7 = a1;
2849. *(_DWORD *)a1 = 0;
2850. v6 = v4 + 120;
2851. LABEL_12:
2852. *(_DWORD *)(v7 + 16) = v6;
2853. *(_DWORD *)(v7 + 26) = *(_DWORD *)(v4 + 80);
2854. *(_DWORD *)(v7 + 20) = *(_WORD *)(v4 + 20) + v4 + 24;
2855. v8 = *(_WORD *)(v4 + 6);
2856. *(_DWORD *)(v7 + 12) = v4;
2857. *(_DWORD *)(v7 + 4) = a3;
2858. *(_WORD *)(v7 + 24) = v8;
2859. *(_DWORD *)(v7 + 8) = a2;
2860. return 0;
2861. }
2862. }
2863. else
2864. {
2865. if ( 22531 == (v5 ^ 0xDE67) && (*(_WORD *)(v4 + 24) ^ 0x5A08) == 22531 && *(_WORD *)(v4 + 20) == 240 )
2866. {
2867. v7 = a1;
2868. *(_DWORD *)a1 = 1;
2869. v6 = v4 + 136;
2870. goto LABEL_12;
2871. }
2872. }
2873. return 1;
2874. }
2875. //----- (000138BE) --------------------------------------------------------
2876. signed int __cdecl sub_138BE(int a1, unsigned int a2)
2877. {
2878. signed int result; // eax@1
2879. result = sub_13B3A(a1, a2);
2880. if ( result )
2881. result = a2 + *(_DWORD *)(a1 + 8);
2882. return result;
2883. }
2884. //----- (000138DB) --------------------------------------------------------
2885. bool __cdecl sub_138DB(int a1, unsigned int a2, int a3, int a4)
2886. {
2887. int v4; // esi@1
2888. bool result; // eax@2
2889. unsigned int v6; // eax@3
2890. v4 = *(_DWORD *)(a1 + 16) + 8 * a2;
2891. if ( a2 >= 0x10 )
2892. return 1;
2893. v6 = *(_DWORD *)v4;
2894. if ( *(_DWORD *)v4 )
2895. {
2896. if ( v6 + *(_DWORD *)(v4 + 4) > *(_DWORD *)(a1 + 26) )
2897. return 1;
2898. *(_DWORD *)a3 = sub_138BE(a1, *(_DWORD *)v4);
2899. *(_DWORD *)a4 = *(_DWORD *)(v4 + 4);
2900. result = *(_DWORD *)a3 == 0;
2901. }
2902. else
2903. {
2904. LOBYTE(v6) = *(_DWORD *)(v4 + 4) == v6;
2905. result = v6 + 1;
2906. }
2907. return result;
2908. }
2909. //----- (0001392E) --------------------------------------------------------
2910. int __cdecl sub_1392E(int a1)
2911. {
2912. int result; // eax@1
2913. int v2; // edx@1
2914. char v3; // cl@1
2915. int v4; // esi@2
2916. v2 = a1;
2917. v3 = *(_BYTE *)a1;
2918. for ( result = 0; *(_BYTE *)v2; result = v4 )
2919. {
2920. v4 = result * (7 * result + 1) + v3 * (17 * v3 + 12);
2921. ++v2;
2922. v3 = *(_BYTE *)v2;
2923. }
2924. return result;
2925. }
2926. //----- (00013A4B) --------------------------------------------------------
2927. signed int __usercall sub_13A4B<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4)
2928. {
2929. signed int v4; // eax@1
2930. unsigned int v5; // esi@1
2931. unsigned int v6; // eax@3
2932. signed int result; // eax@4
2933. v5 = a1;
2934. v4 = sub_138BE(a2, *(_DWORD *)(a1 + 28));
2935. if ( !v4
2936. || (unsigned int)a4 >= *(_DWORD *)(v5 + 20)
2937. || (v6 = *(_DWORD *)(v4 + 4 * a4), !v6)
2938. || (result = sub_138BE(a2, v6), !result)
2939. || result >= v5 && result < a3 + v5 )
2940. result = 0;
2941. return result;
2942. }
2943. //----- (00013B3A) --------------------------------------------------------
2944. signed int __usercall sub_13B3A<eax>(int a1<eax>, unsigned int a2<ebx>)
2945. {
2946. int v2; // esi@1
2947. signed int result; // eax@2
2948. int v4; // edi@3
2949. int v5; // eax@6
2950. unsigned int v6; // ecx@6
2951. unsigned int v7; // eax@8
2952. int v8; // esi@12
2953. unsigned __int16 v9; // [sp+4h] [bp-4h]@1
2954. v2 = *(_DWORD *)(a1 + 20);
2955. v9 = *(_WORD *)(a1 + 24);
2956. if ( a2 < *(_DWORD *)(a1 + 26) )
2957. {
2958. v4 = 0;
2959. if ( !*(_DWORD *)(a1 + 4) )
2960. goto LABEL_17;
2961. if ( *(_WORD *)(a1 + 24) <= 0u )
2962. goto LABEL_14;
2963. while ( 1 )
2964. {
2965. v5 = v2 + 40 * (unsigned __int16)v4;
2966. v6 = *(_DWORD *)(v5 + 8);
2967. if ( v6 >= *(_DWORD *)(v5 + 16) )
2968. v6 = *(_DWORD *)(v5 + 16);
2969. v7 = *(_DWORD *)(v5 + 12);
2970. if ( a2 >= v7 )
2971. {
2972. if ( a2 < v6 + v7 )
2973. break;
2974. }
2975. ++v4;
2976. if ( (_WORD)v4 >= v9 )
2977. goto LABEL_14;
2978. }
2979. v8 = *(_DWORD *)(40 * (unsigned __int16)v4 + v2 + 36);
2980. if ( v8 & 0x2000000 || !(v8 & 0x40000000) )
2981. LABEL_14:
2982. result = 0;
2983. else
2984. LABEL_17:
2985. result = 1;
2986. }
2987. else
2988. {
2989. result = 0;
2990. }
2991. return result;
2992. }
2993. //----- (00013BF1) --------------------------------------------------------
2994. int __usercall sub_13BF1<eax>(unsigned int a1<eax>, int a2<ecx>, int a3, int a4, int a5)
2995. {
2996. int v5; // ecx@1
2997. int v6; // edi@1
2998. int v7; // esi@1
2999. int result; // eax@2
3000. int v9; // eax@4
3001. int v10; // ebx@4
3002. unsigned int v11; // [sp+Ch] [bp-4h]@1
3003. v6 = a2 + 4;
3004. v5 = a2 + a1 - 13;
3005. v7 = a1 - 4;
3006. v11 = v5;
3007. if ( a1 >= 0xD )
3008. {
3009. if ( v6 <= (unsigned int)v5 )
3010. {
3011. do
3012. {
3013. v9 = v7 + v6 - 4;
3014. v10 = v6;
3015. if ( v6 > (unsigned int)v9 )
3016. {
3017. LABEL_7:
3018. v10 = 0;
3019. }
3020. else
3021. {
3022. while ( *(_DWORD *)v10 != a3 )
3023. {
3024. ++v10;
3025. if ( v10 > (unsigned int)v9 )
3026. goto LABEL_7;
3027. }
3028. }
3029. if ( !v10 || v10 - 4 > v11 )
3030. break;
3031. if ( sub_13C66(a5, a4, v10 - 4, 0xDu) )
3032. return v10 - 4;
3033. v7 = v7 + v6 - v10 - 1;
3034. v6 = v10 + 1;
3035. }
3036. while ( v10 + 1 <= v11 );
3037. }
3038. result = 0;
3039. }
3040. else
3041. {
3042. result = 0;
3043. }
3044. return result;
3045. }
3046. //----- (00013C66) --------------------------------------------------------
3047. signed int __usercall sub_13C66<eax>(int a1<eax>, int a2<edx>, int a3<ecx>, unsigned int a4)
3048. {
3049. unsigned int v4; // edi@1
3050. int v5; // ecx@2
3051. int v6; // esi@2
3052. signed int result; // eax@5
3053. v4 = 0;
3054. if ( a4 )
3055. {
3056. v5 = a3 - a1;
3057. v6 = a2 - a1;
3058. while ( (*(_BYTE *)a1 & *(_BYTE *)(v5 + a1)) == *(_BYTE *)(v6 + a1) )
3059. {
3060. ++v4;
3061. ++a1;
3062. if ( v4 >= a4 )
3063. goto LABEL_5;
3064. }
3065. result = 0;
3066. }
3067. else
3068. {
3069. LABEL_5:
3070. result = 1;
3071. }
3072. return result;
3073. }
3074. //----- (00013C92) --------------------------------------------------------
3075. int __cdecl sub_13C92(int a1, char a2, int a3)
3076. {
3077. int v3; // eax@2
3078. int v5; // [sp+0h] [bp-4h]@1
3079. v5 = a1;
3080. while ( 1 )
3081. {
3082. v3 = a3--;
3083. if ( !v3 )
3084. break;
3085. *(_BYTE *)a1++ = a2;
3086. }
3087. return v5;
3088. }
3089. //----- (00013CC0) --------------------------------------------------------
3090. int __usercall sub_13CC0<eax>(int a1<eax>, int a2<edx>)
3091. {
3092. int v2; // esi@1
3093. int v3; // eax@2
3094. int v4; // ecx@4
3095. v2 = a1;
3096. do
3097. {
3098. v3 = *(_BYTE *)v2++;
3099. if ( (unsigned int)(v3 - 65) <= 0x19 )
3100. v3 += 32;
3101. v4 = *(_BYTE *)a2++;
3102. if ( (unsigned int)(v4 - 65) <= 0x19 )
3103. v4 += 32;
3104. }
3105. while ( v3 && v3 == v4 );
3106. return v3 - v4;
3107. }
3108. //----- (00013D8E) --------------------------------------------------------
3109. signed int __usercall sub_13D8E<eax>(int a1<eax>, int a2, int a3, unsigned int a4, int (__cdecl *a5)(_DWORD, _DWORD, _DWORD))
3110. {
3111. unsigned int v5; // ebx@1
3112. int v6; // esi@2
3113. int v7; // eax@5
3114. signed int result; // eax@9
3115. v5 = 0;
3116. if ( a4 )
3117. {
3118. v6 = a1 + 8;
3119. while ( 1 )
3120. {
3121. if ( (*(_DWORD *)(v6 + 28) & 0x60000020) == 1610612768 )
3122. {
3123. if ( !(*(_DWORD *)(v6 + 28) & 0x2000000) )
3124. {
3125. v7 = *(_DWORD *)v6;
3126. if ( *(_DWORD *)v6 >= *(_DWORD *)(v6 + 8) )
3127. v7 = *(_DWORD *)(v6 + 8);
3128. if ( a5(*(_DWORD *)(a2 + 33) + *(_DWORD *)(v6 + 4), v7, a3) )
3129. break;
3130. }
3131. }
3132. ++v5;
3133. v6 += 40;
3134. if ( v5 >= a4 )
3135. goto LABEL_9;
3136. }
3137. result = 1;
3138. }
3139. else
3140. {
3141. LABEL_9:
3142. result = 0;
3143. }
3144. return result;
3145. }