Disassembly and Decompilation

1.  
2. GUID struc ; (sizeof=0x10, align=0x4, copyof_1) ; XREF: .text:0000000000010360/r
3. Data1 dd ?
4. Data2 dw ?
5. Data3 dw ?
6. Data4 db 8 dup(?)
7. GUID ends
8.  
9.  
10. UNICODE_STRING struc ; (sizeof=0x10, align=0x8, copyof_3) ; XREF: sub_1047C/r
11. ; DriverEntry/r ...
12. Length dw ?
13. MaximumLength dw ?
14. db ? ; undefined
15. db ? ; undefined
16. db ? ; undefined
17. db ? ; undefined
18. Buffer dq ? ; offset
19. UNICODE_STRING ends
20.  
21.  
22. RUNTIME_FUNCTION struc ; (sizeof=0xC, mappedto_9) ; XREF: .pdata:ExceptionDir/r
23. ; .pdata:000000000001090C/r ...
24. FunctionStart dd ? ; offset rva
25. FunctionEnd dd ? ; offset rva pastend
26. UnwindInfo dd ? ; offset rva
27. RUNTIME_FUNCTION ends
28.  
29.  
30. UNWIND_INFO struc ; (sizeof=0x4, mappedto_10) ; XREF: .text:stru_107A8/r
31. ; .text:stru_107B0/r ...
32. Ver3_Flags db ? ; base 16
33. PrologSize db ? ; base 16
34. CntUnwindCodes db ? ; base 16
35. FrReg_FrRegOff db ? ; base 16
36. UNWIND_INFO ends
37.  
38.  
39. UNWIND_CODE struc ; (sizeof=0x2, mappedto_11) ; XREF: .text:00000000000107AC/r
40. ; .text:00000000000107AE/r ...
41. PrologOff db ? ; base 16
42. OpCode_OpInfo db ? ; base 16
43. UNWIND_CODE ends
44.  
45.  
46. C_SCOPE_TABLE struc ; (sizeof=0x10, mappedto_12)
47. Begin dd ? ; offset rva
48. End dd ? ; offset rva pastend
49. Handler dd ? ; offset rva
50. Target dd ? ; offset rva
51. C_SCOPE_TABLE ends
52.  
53.  
54. ;
55. ; +-------------------------------------------------------------------------+
56. ; | This file has been generated by The Interactive Disassembler (IDA) |
57. ; | Copyright (c) 2015 Hex-Rays, <support@hex-rays.com> |
58. ; | License info: My License |
59. ; | Me |
60. ; +-------------------------------------------------------------------------+
61. ;
62. ; Input SHA256 : DA6CA1FB539F825CA0F012ED6976BAF57EF9C70143B7A1E88B4650BF7A925E24
63. ; Input MD5 : 73C98438AC64A68E88B7B0AFD11BA140
64. ; Input CRC32 : 37578D38
65.  
66.  
67. include uni.inc ; see unicode subdir of ida for info on unicode
68.  
69. .686p
70. .mmx
71. .model flat
72.  
73.  
74. ; [00000300 BYTES: COLLAPSED SEGMENT HEADER. PRESS CTRL-NUMPAD+ TO EXPAND]
75. ; File Name : C:\Capcom.sys
76. ; Format : Portable executable for AMD64 (PE)
77. ; Imagebase : 10000
78. ; Timestamp : 57CD1415 (Mon Sep 05 06:43:33 2016)
79. ; Section 1. (virtual address 00000300)
80. ; Virtual size : 000004E0 ( 1248.)
81. ; Section size in file : 00000500 ( 1280.)
82. ; Offset to raw data for section: 00000300
83. ; Flags 68000020: Text Not pageable Executable Readable
84. ; Alignment : default
85. ;
86. ; Imports from ntoskrnl.exe
87. ;
88.  
89. ; Segment type: Externs
90. ; _idata
91. ; NTSTATUS __stdcall IoDeleteSymbolicLink(PUNICODE_STRING SymbolicLinkName)
92. extrn IoDeleteSymbolicLink:qword
93. ; void __stdcall RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
94. extrn RtlInitUnicodeString:qword
95. ; void __stdcall IofCompleteRequest(PIRP Irp, CCHAR PriorityBoost)
96. extrn IofCompleteRequest:qword
97. ; PVOID __stdcall MmGetSystemRoutineAddress(PUNICODE_STRING SystemRoutineName)
98. extrn MmGetSystemRoutineAddress:qword
99. ; NTSTATUS __stdcall IoCreateSymbolicLink(PUNICODE_STRING SymbolicLinkName, PUNICODE_STRING DeviceName)
100. extrn IoCreateSymbolicLink:qword
101. ; NTSTATUS __stdcall IoCreateDevice(PDRIVER_OBJECT DriverObject, ULONG DeviceExtensionSize, PUNICODE_STRING DeviceName, ULONG DeviceType, ULONG DeviceCharacteristics, BOOLEAN Exclusive, PDEVICE_OBJECT *DeviceObject)
102. extrn IoCreateDevice:qword
103. ; void __stdcall IoDeleteDevice(PDEVICE_OBJECT DeviceObject)
104. extrn IoDeleteDevice:qword
105.  
106.  
107. ; Debug Directory entries
108.  
109. ; Segment type: Pure code
110. ; Segment permissions: Read/Execute
111. _text segment para public 'CODE' use64
112. assume cs:_text
113. ;org 10340h
114. assume es:GAP, ss:GAP, ds:_data, fs:nothing, gs:nothing
115. dword_10340 dd 0 ; Characteristics
116. dd 519B3DE3h ; TimeDateStamp: Tue May 21 09:26:59 2013
117. dw 0 ; MajorVersion
118. dw 0 ; MinorVersion
119. dd 2 ; Type: IMAGE_DEBUG_TYPE_CODEVIEW
120. dd 4Eh ; SizeOfData
121. dd rva asc_1035C ; AddressOfRawData
122. dd 35Ch ; PointerToRawData
123. ; Debug information (IMAGE_DEBUG_TYPE_CODEVIEW)
124. asc_1035C db 'RSDS' ; CV signature
125. dd 0D13A6931h ; Data1 ; GUID
126. dw 8488h ; Data2
127. dw 4F8Eh ; Data3
128. db 83h, 0B3h, 7Fh, 0BCh, 0CDh, 2Eh, 0D9h; Data4
129. db 1Ch ; Data4
130. dd 17h ; Age
131. db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 ; PdbFileName
132. db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
133. align 4
134.  
135.  
136.  
137. sub_103AC proc near
138.  
139. var_48= word ptr -48h
140.  
141. push rdi
142. sub rsp, 40h
143. mov r8, rcx
144. lea rcx, [rsp+48h+var_48]
145. sub rcx, rdx
146.  
147. loc_103BC:
148. movzx eax, word ptr [rdx]
149. mov [rcx+rdx], ax
150. add rdx, 2
151. test ax, ax
152. jnz short loc_103BC
153. xor edi, edi
154. lea rdx, [rsp+48h+var_48]
155. mov r9w, 5555h
156. cmp [rsp+48h+var_48], di
157. jz short loc_1044F
158.  
159. loc_103DD:
160. movzx ecx, word ptr [rdx]
161. shl r9w, 2
162. mov r10d, ecx
163. add r9w, di
164. shr r10d, 6
165. lea eax, [r10-1]
166. cmp eax, 2
167. ja short loc_1044F
168. xor cl, r9b
169. xor ax, ax
170. sub cl, dil
171. sub cl, r10b
172. and cx, 3Fh
173. cmp cx, 0Ah
174. jnb short loc_10414
175. lea eax, [rcx+30h]
176. jmp short loc_1041D
177.  
178. loc_10414:
179. cmp cx, 24h
180. jnb short loc_10423
181. lea eax, [rcx+37h]
182.  
183. loc_1041D:
184. cmp cx, 24h
185. jb short loc_1042C
186.  
187. loc_10423:
188. cmp cx, 3Eh
189. jnb short loc_1042C
190. lea eax, [rcx+3Dh]
191.  
192. loc_1042C:
193. cmp cx, 3Eh
194. mov r10d, 2Eh
195. cmovz ax, r10w
196. test ax, ax
197. jz short loc_1044F
198. mov [rdx], ax
199. add rdx, 2
200. inc edi
201. cmp word ptr [rdx], 0
202. jnz short loc_103DD
203.  
204. loc_1044F:
205. xor eax, eax
206. mov rdi, r8
207. lea rdx, [rsp+48h+var_48]
208. lea rcx, [rax-1]
209. repne scasw
210. xor ecx, ecx
211.  
212. loc_10461:
213. movzx eax, word ptr [rdx+rcx]
214. add rcx, 2
215. test ax, ax
216. mov [rdi+rcx-4], ax
217. jnz short loc_10461
218. mov rax, r8
219. add rsp, 40h
220. pop rdi
221. retn
222. sub_103AC endp
223.  
224. /**********************************************************
225. _WORD *__fastcall sub_103AC(_WORD *a1, char *a2)
226. {
227. _WORD *v2; // r8@1
228. signed __int64 v3; // rcx@1
229. __int16 v4; // ax@2
230. __int16 v5; // di@3
231. __int16 *v6; // rdx@3
232. signed __int16 v7; // r9@3
233. unsigned int v8; // er10@4
234. signed __int16 v9; // ax@5
235. unsigned __int16 v10; // cx@5
236. _WORD *v11; // rdi@16
237. signed __int64 v12; // rcx@16
238. bool v13; // zf@18
239. __int64 v14; // rcx@19
240. __int16 v15; // ax@20
241. __int16 v17[36]; // [rsp+0h] [rbp-48h]@1
242.  
243. v2 = a1;
244. v3 = (char *)v17 - a2;
245. do
246. {
247. v4 = *(_WORD *)a2;
248. *(_WORD *)&a2[v3] = *(_WORD *)a2;
249. a2 += 2;
250. }
251. while ( v4 );
252. v5 = 0;
253. v6 = v17;
254. v7 = 21845;
255. if ( v17[0] )
256. {
257. while ( 1 )
258. {
259. v7 = v5 + 4 * v7;
260. v8 = (unsigned int)(unsigned __int16)*v6 >> 6;
261. if ( v8 - 1 > 2 )
262. break;
263. v9 = 0;
264. v10 = (((unsigned __int8)v7 ^ (unsigned __int8)*v6) - (_BYTE)v5 - (_BYTE)v8) & 0x3F;
265. if ( v10 >= 0xAu )
266. {
267. if ( v10 >= 0x24u )
268. goto LABEL_10;
269. v9 = v10 + 55;
270. }
271. else
272. {
273. v9 = v10 + 48;
274. }
275. if ( v10 >= 0x24u )
276. {
277. LABEL_10:
278. if ( v10 < 0x3Eu )
279. v9 = v10 + 61;
280. }
281. if ( v10 == 62 )
282. v9 = 46;
283. if ( v9 )
284. {
285. *v6 = v9;
286. ++v6;
287. ++v5;
288. if ( *v6 )
289. continue;
290. }
291. break;
292. }
293. }
294. v11 = v2;
295. v12 = -1i64;
296. do
297. {
298. if ( !v12 )
299. break;
300. v13 = *v11 == 0;
301. ++v11;
302. --v12;
303. }
304. while ( !v13 );
305. v14 = 0i64;
306. do
307. {
308. v15 = v17[v14];
309. ++v14;
310. v11[v14 - 2] = v15;
311. }
312. while ( v15 );
313. return v2;
314. }
315. ************************************************************/
316.  
317.  
318. sub_1047C proc near
319.  
320. DestinationString= UNICODE_STRING ptr -18h
321.  
322. push rbx
323. sub rsp, 30h
324. mov rbx, [rcx+8]
325. xor r8d, r8d
326. lea r11, unk_10800
327.  
328. loc_10490: ; "\\DosDevices\\"
329. lea rax, aDosdevices
330. movzx eax, word ptr [r8+rax]
331. mov [r8+r11], ax
332. add r8, 2
333. test ax, ax
334. jnz short loc_10490
335. lea rdx, unk_10980
336. mov rcx, r11
337. call sub_103AC
338. lea rcx, [rsp+38h+DestinationString] ; DestinationString
339. mov rdx, r11 ; SourceString
340. call cs:RtlInitUnicodeString
341. lea rcx, [rsp+38h+DestinationString] ; SymbolicLinkName
342. call cs:IoDeleteSymbolicLink
343. mov rcx, rbx ; DeviceObject
344. call cs:IoDeleteDevice
345. add rsp, 30h
346. pop rbx
347. retn
348. sub_1047C endp
349.  
350. algn_104E1:
351. align 4
352.  
353. /**********************************************************
354. void __fastcall sub_1047C(__int64 a1)
355. {
356. struct _DEVICE_OBJECT *v1; // rbx@1
357. __int64 v2; // r8@1
358. wchar_t v3; // ax@2
359. PCWSTR v4; // r11@3
360. UNICODE_STRING DestinationString; // [rsp+20h] [rbp-18h]@3
361.  
362. v1 = *(struct _DEVICE_OBJECT **)(a1 + 8);
363. v2 = 0i64;
364. do
365. {
366. v3 = aDosdevices[v2];
367. *(_WORD *)((char *)&unk_10800 + v2 * 2) = v3;
368. ++v2;
369. }
370. while ( v3 );
371. sub_103AC(&unk_10800, (char *)&unk_10980);
372. RtlInitUnicodeString(&DestinationString, v4);
373. IoDeleteSymbolicLink(&DestinationString);
374. IoDeleteDevice(v1);
375. }
376. ************************************************************/
377.  
378.  
379. sub_104E4 proc near
380. push rbx
381. sub rsp, 20h
382. mov rax, [rdx+0B8h]
383. xor ecx, ecx
384. mov rbx, rdx
385. mov [rdx+30h], ecx
386. mov [rdx+38h], rcx
387. cmp [rax], cl
388. jz short loc_1050D
389. cmp byte ptr [rax], 2
390. jz short loc_1050D
391. mov dword ptr [rdx+30h], 0C0000002h
392.  
393. loc_1050D: ; PriorityBoost
394. xor edx, edx
395. mov rcx, rbx ; Irp
396. call cs:IofCompleteRequest
397. mov eax, [rbx+30h]
398. add rsp, 20h
399. pop rbx
400. retn
401. sub_104E4 endp
402.  
403. algn_10521:
404. align 4
405.  
406. /**********************************************************
407. __int64 __fastcall sub_104E4(__int64 a1, struct _IRP *a2)
408. {
409. struct _IO_STACK_LOCATION *v2; // rax@1
410. struct _IRP *v3; // rbx@1
411.  
412. v2 = a2->Tail.Overlay.CurrentStackLocation;
413. v3 = a2;
414. a2->IoStatus.Status = 0;
415. a2->IoStatus.Information = 0i64;
416. if ( v2->MajorFunction && v2->MajorFunction != 2 )
417. a2->IoStatus.Status = -1073741822;
418. IofCompleteRequest(a2, 0);
419. return (unsigned int)v3->IoStatus.Status;
420. }
421. ************************************************************/
422.  
423.  
424. sub_10524 proc near
425.  
426. var_28= qword ptr -28h
427. var_20= qword ptr -20h
428. var_18= qword ptr -18h
429. arg_0= qword ptr 8
430.  
431. mov [rsp+arg_0], rcx
432. sub rsp, 48h
433. mov rax, [rsp+48h+arg_0]
434. mov rcx, [rsp+48h+arg_0]
435. cmp [rax-8], rcx
436. jz short loc_10541
437. xor eax, eax
438. jmp short loc_1058A
439.  
440. loc_10541:
441. mov rax, [rsp+48h+arg_0]
442. mov [rsp+48h+var_20], rax
443. mov rax, cs:MmGetSystemRoutineAddress
444. mov [rsp+48h+var_18], rax
445. mov [rsp+48h+var_28], 0
446. lea rax, sub_10788
447. lea rcx, [rsp+48h+var_28]
448. call rax ; sub_10788
449. mov rcx, [rsp+48h+var_18]
450. call [rsp+48h+var_20]
451. lea rax, sub_107A0
452. lea rcx, [rsp+48h+var_28]
453. call rax ; sub_107A0
454. mov eax, 1
455.  
456. loc_1058A:
457. add rsp, 48h
458. retn
459. sub_10524 endp
460.  
461. algn_1058F:
462. align 10h
463.  
464. /**********************************************************
465. signed __int64 __fastcall sub_10524(void (__fastcall *a1)(_QWORD))
466. {
467. __int64 v2; // [rsp+20h] [rbp-28h]@3
468. void (__fastcall *v3)(PVOID (__stdcall *)(PUNICODE_STRING)); // [rsp+28h] [rbp-20h]@3
469. PVOID (__stdcall *v4)(PUNICODE_STRING); // [rsp+30h] [rbp-18h]@3
470.  
471. if ( *((void (__fastcall **)(_QWORD))a1 - 1) != a1 )
472. return 0i64;
473. v3 = (void (__fastcall *)(PVOID (__stdcall *)(PUNICODE_STRING)))a1;
474. v4 = MmGetSystemRoutineAddress;
475. v2 = 0i64;
476. sub_10788((unsigned __int64 *)&v2);
477. v3(v4);
478. sub_107A0((unsigned __int64 *)&v2);
479. return 1i64;
480. }
481.  
482. ************************************************************/
483.  
484.  
485.  
486. sub_10590 proc near
487. push rbx
488. push rsi
489. push rdi
490. sub rsp, 20h
491. mov rax, [rdx+0B8h]
492. mov rdi, [rdx+18h]
493. xor ecx, ecx
494. mov [rdx+30h], ecx
495. mov [rdx+38h], rcx
496. cmp byte ptr [rax], 0Eh
497. mov r9d, [rax+10h]
498. mov r8d, [rax+8]
499. mov rbx, rdx
500. mov edx, [rax+18h]
501. jz short loc_105C8
502. mov dword ptr [rbx+30h], 0C0000002h
503. jmp short loc_10626
504.  
505. loc_105C8:
506. mov r11d, 0AA012044h
507. mov eax, ecx
508. mov esi, ecx
509. cmp edx, r11d
510. mov r10d, 0AA013044h
511. jz short loc_105EC
512. cmp edx, r10d
513. jnz short loc_105F3
514. mov eax, 8
515. lea esi, [rax-4]
516. jmp short loc_105F3
517.  
518. loc_105EC:
519. mov esi, 4
520. mov eax, esi
521.  
522. loc_105F3:
523. cmp r9d, eax
524. jnz short loc_1061F
525. cmp r8d, esi
526. jnz short loc_1061F
527. cmp edx, r11d
528. jz short loc_1060C
529. cmp edx, r10d
530. jnz short loc_10615
531. mov rcx, [rdi]
532. jmp short loc_1060E
533.  
534. loc_1060C:
535. mov ecx, [rdi]
536.  
537. loc_1060E:
538. call sub_10524
539. mov ecx, eax
540.  
541. loc_10615:
542. mov eax, esi
543. mov [rdi], ecx
544. mov [rbx+38h], rax
545. jmp short loc_10626
546.  
547. loc_1061F:
548. mov dword ptr [rbx+30h], 0C000000Dh
549.  
550. loc_10626: ; PriorityBoost
551. xor edx, edx
552. mov rcx, rbx ; Irp
553. call cs:IofCompleteRequest
554. mov eax, [rbx+30h]
555. add rsp, 20h
556. pop rdi
557. pop rsi
558. pop rbx
559. retn
560. sub_10590 endp
561.  
562. /**********************************************************
563. __int64 __fastcall sub_10590(__int64 a1, struct _IRP *a2)
564. {
565. struct _IO_STACK_LOCATION *v2; // rax@1
566. struct _IRP *v3; // rdi@1
567. int v4; // ecx@1
568. ULONG v5; // er9@1
569. ULONG v6; // er8@1
570. struct _IRP *v7; // rbx@1
571. ULONG v8; // edx@1
572. signed int v9; // eax@3
573. unsigned int v10; // esi@3
574. void (__fastcall *v11)(_QWORD); // rcx@11
575.  
576. v2 = a2->Tail.Overlay.CurrentStackLocation;
577. v3 = a2->AssociatedIrp.MasterIrp;
578. v4 = 0;
579. a2->IoStatus.Status = 0;
580. a2->IoStatus.Information = 0i64;
581. v5 = v2->Parameters.Create.Options;
582. v6 = v2->Parameters.Read.Length;
583. v7 = a2;
584. v8 = v2->Parameters.Read.ByteOffset.LowPart;
585. if ( v2->MajorFunction == 14 )
586. {
587. v9 = 0;
588. v10 = 0;
589. if ( v8 == -1442766780 )
590. {
591. v10 = 4;
592. v9 = 4;
593. }
594. else if ( v8 == -1442762684 )
595. {
596. v9 = 8;
597. v10 = 4;
598. }
599. if ( v5 != v9 || v6 != v10 )
600. {
601. v7->IoStatus.Status = -1073741811;
602. goto LABEL_16;
603. }
604. if ( v8 == -1442766780 )
605. {
606. v11 = (void (__fastcall *)(_QWORD))*(unsigned int *)&v3->Type;
607. }
608. else
609. {
610. if ( v8 != -1442762684 )
611. {
612. LABEL_14:
613. *(_DWORD *)&v3->Type = v4;
614. v7->IoStatus.Information = v10;
615. goto LABEL_16;
616. }
617. v11 = *(void (__fastcall **)(_QWORD))&v3->Type;
618. }
619. v4 = sub_10524(v11);
620. goto LABEL_14;
621. }
622. v7->IoStatus.Status = -1073741822;
623. LABEL_16:
624. IofCompleteRequest(v7, 0);
625. return (unsigned int)v7->IoStatus.Status;
626. }
627. ************************************************************/
628.  
629. ; NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
630. public DriverEntry
631. DriverEntry proc near
632.  
633. DeviceCharacteristics= dword ptr -58h
634. Exclusive= byte ptr -50h
635. DeviceObject= qword ptr -48h
636. DestinationString= UNICODE_STRING ptr -38h
637. SymbolicLinkName= UNICODE_STRING ptr -28h
638. arg_10= qword ptr 18h
639.  
640. push rbx
641. push rdi
642. sub rsp, 68h
643. mov rbx, rcx
644. lea rdi, __ImageBase
645. lea r11, unk_10880
646. xor ecx, ecx
647.  
648. loc_10656:
649. movzx eax, word ptr [rcx+rdi+774h]
650. mov [rcx+r11], ax
651. add rcx, 2
652. test ax, ax
653. jnz short loc_10656
654. lea rdx, unk_10980
655. mov rcx, r11
656. call sub_103AC
657. lea rcx, [rsp+78h+DestinationString] ; DestinationString
658. mov rdx, r11 ; SourceString
659. call cs:RtlInitUnicodeString
660. lea r11, [rsp+78h+arg_10]
661. lea r8, [rsp+78h+DestinationString] ; DeviceName
662. mov [rsp+78h+DeviceObject], r11 ; DeviceObject
663. mov r9d, 0AA01h ; DeviceType
664. xor edx, edx ; DeviceExtensionSize
665. mov rcx, rbx ; DriverObject
666. mov [rsp+78h+Exclusive], 0 ; Exclusive
667. mov [rsp+78h+DeviceCharacteristics], 0 ; DeviceCharacteristics
668. call cs:IoCreateDevice
669. test eax, eax
670. js loc_10750
671. xor ecx, ecx
672. lea r11, unk_10840
673.  
674. loc_106CA:
675. movzx eax, word ptr [rcx+rdi+758h]
676. mov [rcx+r11], ax
677. add rcx, 2
678. test ax, ax
679. jnz short loc_106CA
680. lea rdx, unk_10980
681. mov rcx, r11
682. call sub_103AC
683. lea rcx, [rsp+78h+SymbolicLinkName] ; DestinationString
684. mov rdx, r11 ; SourceString
685. call cs:RtlInitUnicodeString
686. lea rdx, [rsp+78h+DestinationString] ; DeviceName
687. lea rcx, [rsp+78h+SymbolicLinkName] ; SymbolicLinkName
688. call cs:IoCreateSymbolicLink
689. test eax, eax
690. mov edi, eax
691. jns short loc_10723
692. mov rcx, [rsp+78h+arg_10] ; DeviceObject
693. call cs:IoDeleteDevice
694. jmp short loc_1074E
695.  
696. loc_10723:
697. lea rax, sub_104E4
698. mov [rbx+80h], rax
699. mov [rbx+70h], rax
700. lea rax, sub_10590
701. mov [rbx+0E0h], rax
702. lea rax, sub_1047C
703. mov [rbx+68h], rax
704.  
705. loc_1074E:
706. mov eax, edi
707.  
708. loc_10750:
709. add rsp, 68h
710. pop rdi
711. pop rbx
712. retn
713. DriverEntry endp
714.  
715. algn_10757:
716. align 8
717. aDosdevices:
718. unicode 0, <\DosDevices\>,0
719. align 4
720. aDevice:
721. unicode 0, <\Device\>,0
722. align 8
723.  
724. /**********************************************************
725.  
726. NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
727. {
728. PDRIVER_OBJECT v2; // rbx@1
729. __int64 v3; // rcx@1
730. __int16 v4; // ax@2
731. PCWSTR v5; // r11@3
732. NTSTATUS result; // eax@3
733. __int64 v7; // rcx@4
734. __int16 v8; // ax@5
735. PCWSTR v9; // r11@6
736. NTSTATUS v10; // edi@6
737. UNICODE_STRING DestinationString; // [rsp+40h] [rbp-38h]@3
738. UNICODE_STRING SymbolicLinkName; // [rsp+50h] [rbp-28h]@6
739. PDEVICE_OBJECT DeviceObject; // [rsp+90h] [rbp+18h]@3
740.  
741. v2 = DriverObject;
742. v3 = 0i64;
743. do
744. {
745. v4 = _ImageBase[v3 + 954];
746. *(_WORD *)((char *)&unk_10880 + v3 * 2) = v4;
747. ++v3;
748. }
749. while ( v4 );
750. sub_103AC(&unk_10880, (char *)&unk_10980);
751. RtlInitUnicodeString(&DestinationString, v5);
752. result = IoCreateDevice(v2, 0, &DestinationString, 0xAA01u, 0, 0, &DeviceObject);
753. if ( result >= 0 )
754. {
755. v7 = 0i64;
756. do
757. {
758. v8 = _ImageBase[v7 + 940];
759. *(_WORD *)((char *)&unk_10840 + v7 * 2) = v8;
760. ++v7;
761. }
762. while ( v8 );
763. sub_103AC(&unk_10840, (char *)&unk_10980);
764. RtlInitUnicodeString(&SymbolicLinkName, v9);
765. v10 = IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString);
766. if ( v10 >= 0 )
767. {
768. v2->MajorFunction[2] = (PDRIVER_DISPATCH)&sub_104E4;
769. v2->MajorFunction[0] = (PDRIVER_DISPATCH)&sub_104E4;
770. v2->MajorFunction[14] = (PDRIVER_DISPATCH)&sub_10590;
771. v2->DriverUnload = (PDRIVER_UNLOAD)sub_1047C;
772. }
773. else
774. {
775. IoDeleteDevice(DeviceObject);
776. }
777. result = v10;
778. }
779. return result;
780. }
781.  
782. ************************************************************/
783.  
784.  
785.  
786.  
787.  
788.  
789. sub_10788 proc near
790. cli
791. mov rax, cr4
792. mov [rcx], rax
793. and rax, 0FFFFFFFFFFEFFFFFh
794. mov cr4, rax
795. retn
796. sub_10788 endp
797.  
798. align 20h
799.  
800. /**********************************************************
801. unsigned __int64 __fastcall sub_10788(unsigned __int64 *a1)
802. {
803. unsigned __int64 v1; // rax@1
804. unsigned __int64 result; // rax@1
805.  
806. _disable();
807. v1 = __readcr4();
808. *a1 = v1;
809. result = v1 & 0xFFFFFFFFFFEFFFFFui64;
810. __writecr4(result);
811. return result;
812. }
813. ************************************************************/
814.  
815.  
816.  
817.  
818.  
819.  
820.  
821.  
822.  
823.  
824. sub_107A0 proc near
825. mov rax, [rcx]
826. mov cr4, rax
827. sti
828. retn
829. sub_107A0 endp
830.  
831. /**********************************************************
832. unsigned __int64 __fastcall sub_107A0(unsigned __int64 *a1)
833. {
834. unsigned __int64 result; // rax@1
835.  
836. result = *a1;
837. __writecr4(*a1);
838. _enable();
839. return result;
840. }
841. ************************************************************/
842.  
843.  
844.  
845.  
846. stru_107A8 UNWIND_INFO <1, 6, 2, 0>
847. UNWIND_CODE <6, 72h> ; UWOP_ALLOC_SMALL
848. UNWIND_CODE <2, 70h> ; UWOP_PUSH_NONVOL
849. stru_107B0 UNWIND_INFO <1, 6, 2, 0>
850. UNWIND_CODE <6, 52h> ; UWOP_ALLOC_SMALL
851. UNWIND_CODE <2, 30h> ; UWOP_PUSH_NONVOL
852. stru_107B8 UNWIND_INFO <1, 6, 2, 0>
853. UNWIND_CODE <6, 32h> ; UWOP_ALLOC_SMALL
854. UNWIND_CODE <2, 30h> ; UWOP_PUSH_NONVOL
855. stru_107C0 UNWIND_INFO <1, 9, 1, 0>
856. UNWIND_CODE <9, 82h> ; UWOP_ALLOC_SMALL
857. align 4
858. stru_107C8 UNWIND_INFO <1, 8, 4, 0>
859. UNWIND_CODE <8, 32h> ; UWOP_ALLOC_SMALL
860. UNWIND_CODE <4, 70h> ; UWOP_PUSH_NONVOL
861. UNWIND_CODE <3, 60h> ; UWOP_PUSH_NONVOL
862. UNWIND_CODE <2, 30h> ; UWOP_PUSH_NONVOL
863. stru_107D4 UNWIND_INFO <1, 7, 3, 0>
864. UNWIND_CODE <7, 0C2h> ; UWOP_ALLOC_SMALL
865. UNWIND_CODE <3, 70h> ; UWOP_PUSH_NONVOL
866. UNWIND_CODE <2, 30h> ; UWOP_PUSH_NONVOL
867. align 4
868. align 40h
869. _text ends
870.  
871. ; Section 2. (virtual address 00000800)
872. ; Virtual size : 000000C0 ( 192.)
873. ; Section size in file : 00000100 ( 256.)
874. ; Offset to raw data for section: 00000800
875. ; Flags C8000040: Data Not pageable Readable Writable
876. ; Alignment : default
877.  
878. ; Segment type: Pure data
879. ; Segment permissions: Read/Write
880. _data segment para public 'DATA' use64
881. assume cs:_data
882. ;org 10800h
883. unk_10800 db 0
884. db 0
885. db 0
886. db 0
887. db 0
888. db 0
889. db 0
890. db 0
891. db 0
892. db 0
893. db 0
894. db 0
895. db 0
896. db 0
897. db 0
898. db 0
899. db 0
900. db 0
901. db 0
902. db 0
903. db 0
904. db 0
905. db 0
906. db 0
907. db 0
908. db 0
909. db 0
910. db 0
911. db 0
912. db 0
913. db 0
914. db 0
915. db 0
916. db 0
917. db 0
918. db 0
919. db 0
920. db 0
921. db 0
922. db 0
923. db 0
924. db 0
925. db 0
926. db 0
927. db 0
928. db 0
929. db 0
930. db 0
931. db 0
932. db 0
933. db 0
934. db 0
935. db 0
936. db 0
937. db 0
938. db 0
939. db 0
940. db 0
941. db 0
942. db 0
943. db 0
944. db 0
945. db 0
946. db 0
947. unk_10840 db 0
948. db 0
949. db 0
950. db 0
951. db 0
952. db 0
953. db 0
954. db 0
955. db 0
956. db 0
957. db 0
958. db 0
959. db 0
960. db 0
961. db 0
962. db 0
963. db 0
964. db 0
965. db 0
966. db 0
967. db 0
968. db 0
969. db 0
970. db 0
971. db 0
972. db 0
973. db 0
974. db 0
975. db 0
976. db 0
977. db 0
978. db 0
979. db 0
980. db 0
981. db 0
982. db 0
983. db 0
984. db 0
985. db 0
986. db 0
987. db 0
988. db 0
989. db 0
990. db 0
991. db 0
992. db 0
993. db 0
994. db 0
995. db 0
996. db 0
997. db 0
998. db 0
999. db 0
1000. db 0
1001. db 0
1002. db 0
1003. db 0
1004. db 0
1005. db 0
1006. db 0
1007. db 0
1008. db 0
1009. db 0
1010. db 0
1011. unk_10880 db 0
1012. db 0
1013. db 0
1014. db 0
1015. db 0
1016. db 0
1017. db 0
1018. db 0
1019. db 0
1020. db 0
1021. db 0
1022. db 0
1023. db 0
1024. db 0
1025. db 0
1026. db 0
1027. db 0
1028. db 0
1029. db 0
1030. db 0
1031. db 0
1032. db 0
1033. db 0
1034. db 0
1035. db 0
1036. db 0
1037. db 0
1038. db 0
1039. db 0
1040. db 0
1041. db 0
1042. db 0
1043. db 0
1044. db 0
1045. db 0
1046. db 0
1047. db 0
1048. db 0
1049. db 0
1050. db 0
1051. db 0
1052. db 0
1053. db 0
1054. db 0
1055. db 0
1056. db 0
1057. db 0
1058. db 0
1059. db 0
1060. db 0
1061. db 0
1062. db 0
1063. db 0
1064. db 0
1065. db 0
1066. db 0
1067. db 0
1068. db 0
1069. db 0
1070. db 0
1071. db 0
1072. db 0
1073. db 0
1074. db 0
1075. db 0
1076. db 0
1077. db 0
1078. db 0
1079. db 0
1080. db 0
1081. db 0
1082. db 0
1083. db 0
1084. db 0
1085. db 0
1086. db 0
1087. db 0
1088. db 0
1089. db 0
1090. db 0
1091. db 0
1092. db 0
1093. db 0
1094. db 0
1095. db 0
1096. db 0
1097. db 0
1098. db 0
1099. db 0
1100. db 0
1101. db 0
1102. db 0
1103. db 0
1104. db 0
1105. db 0
1106. db 0
1107. db 0
1108. db 0
1109. db 0
1110. db 0
1111. db 0
1112. db 0
1113. db 0
1114. db 0
1115. db 0
1116. db 0
1117. db 0
1118. db 0
1119. db 0
1120. db 0
1121. db 0
1122. db 0
1123. db 0
1124. db 0
1125. db 0
1126. db 0
1127. db 0
1128. db 0
1129. db 0
1130. db 0
1131. db 0
1132. db 0
1133. db 0
1134. db 0
1135. db 0
1136. db 0
1137. db 0
1138. db 0
1139. _data ends
1140.  
1141. ; Section 3. (virtual address 00000900)
1142. ; Virtual size : 00000048 ( 72.)
1143. ; Section size in file : 00000080 ( 128.)
1144. ; Offset to raw data for section: 00000900
1145. ; Flags 48000040: Data Not pageable Readable
1146. ; Alignment : default
1147.  
1148. ; Segment type: Pure data
1149. ; Segment permissions: Read
1150. _pdata segment para public 'DATA' use64
1151. assume cs:_pdata
1152. ;org 10900h
1153. ExceptionDir RUNTIME_FUNCTION <rva sub_103AC, \
1154. rva sub_1047C, \
1155. rva stru_107A8>
1156. RUNTIME_FUNCTION <rva sub_1047C, \
1157. rva algn_104E1, \
1158. rva stru_107B0>
1159. RUNTIME_FUNCTION <rva sub_104E4, \
1160. rva algn_10521, \
1161. rva stru_107B8>
1162. RUNTIME_FUNCTION <rva sub_10524, \
1163. rva algn_1058F, \
1164. rva stru_107C0>
1165. RUNTIME_FUNCTION <rva sub_10590, \
1166. rva DriverEntry, \
1167. rva stru_107C8>
1168. RUNTIME_FUNCTION <rva DriverEntry, \
1169. rva algn_10757, \
1170. rva stru_107D4>
1171. align 40h
1172. _pdata ends
1173.  
1174. ; Section 4. (virtual address 00000980)
1175. ; Virtual size : 000000A0 ( 160.)
1176. ; Section size in file : 00000100 ( 256.)
1177. ; Offset to raw data for section: 00000980
1178. ; Flags C8000040: Data Not pageable Readable Writable
1179. ; Alignment : default
1180.  
1181. ; Segment type: Pure data
1182. ; Segment permissions: Read/Write
1183. _info segment para public 'DATA' use64
1184. assume cs:_info
1185. ;org 10980h
1186. unk_10980 db 87h ; ‡
1187. db 0
1188. db 0EAh ; ê
1189. db 0
1190. db 0FDh ; ý
1191. db 0
1192. db 9Ah ; š
1193. db 0
1194. db 4Bh ; K
1195. db 0
1196. db 73h ; s
1197. db 0
1198. db 54h ; T
1199. db 0
1200. db 0A4h ; ¤
1201. db 0
1202. db 5Ch ; \
1203. db 0
1204. db 8Fh ; 
1205. db 0
1206. db 0
1207. db 0
1208. db 0
1209. db 0
1210. db 0
1211. db 0
1212. db 0
1213. db 0
1214. db 0
1215. db 0
1216. db 0
1217. db 0
1218. db 59h ; Y
1219. db 0
1220. db 77h ; w
1221. db 0
1222. db 0B1h ; ±
1223. db 0
1224. db 0F7h ; ÷
1225. db 0
1226. db 88h ; ˆ
1227. db 0
1228. db 73h ; s
1229. db 0
1230. db 0
1231. db 0
1232. db 0
1233. db 0
1234. db 0
1235. db 0
1236. db 0
1237. db 0
1238. db 0
1239. db 0
1240. db 0
1241. db 0
1242. db 0
1243. db 0
1244. db 0
1245. db 0
1246. db 0
1247. db 0
1248. db 0
1249. db 0
1250. db 0
1251. db 0
1252. db 0
1253. db 0
1254. db 0
1255. db 0
1256. db 0
1257. db 0
1258. db 0
1259. db 0
1260. db 0
1261. db 0
1262. db 0
1263. db 0
1264. db 0
1265. db 0
1266. db 0
1267. db 0
1268. db 0
1269. db 0
1270. db 0
1271. db 0
1272. db 0
1273. db 0
1274. db 0
1275. db 0
1276. db 0
1277. db 0
1278. db 0
1279. db 0
1280. db 0
1281. db 0
1282. db 59h ; Y
1283. db 0
1284. db 0B6h ; ¶
1285. db 0
1286. db 0FEh ; þ
1287. db 0
1288. db 0F7h ; ÷
1289. db 0
1290. db 0C9h ; É
1291. db 0
1292. db 0B2h ; ²
1293. db 0
1294. db 0DDh ; Ý
1295. db 0
1296. db 90h ; 
1297. db 0
1298. db 0C3h ; Ã
1299. db 0
1300. db 0DBh ; Û
1301. db 0
1302. db 0
1303. db 0
1304. db 0
1305. db 0
1306. db 0
1307. db 0
1308. db 0
1309. db 0
1310. db 0
1311. db 0
1312. db 0
1313. db 0
1314. db 0
1315. db 0
1316. db 0
1317. db 0
1318. db 0
1319. db 0
1320. db 0
1321. db 0
1322. db 0
1323. db 0
1324. db 0
1325. db 0
1326. db 0
1327. db 0
1328. db 0
1329. db 0
1330. db 0
1331. db 0
1332. db 0
1333. db 0
1334. db 0
1335. db 0
1336. db 0
1337. db 0
1338. db 0
1339. db 0
1340. db 0
1341. db 0
1342. db 0
1343. db 0
1344. db 0
1345. db 0
1346. db 0
1347. db 0
1348. db 0
1349. db 0
1350. db 0
1351. db 0
1352. db 0
1353. db 0
1354. db 0
1355. db 0
1356. db 0
1357. db 0
1358. db 0
1359. db 0
1360. db 0
1361. db 0
1362. db 0
1363. db 0
1364. db 0
1365. db 0
1366. db 0
1367. db 0
1368. db 0
1369. db 0
1370. db 0
1371. db 0
1372. db 0
1373. db 0
1374. db 0
1375. db 0
1376. db 0
1377. db 0
1378. db 0
1379. db 0
1380. db 0
1381. db 0
1382. db 0
1383. db 0
1384. db 0
1385. db 0
1386. db 0
1387. db 0
1388. db 0
1389. db 0
1390. db 0
1391. db 0
1392. db 0
1393. db 0
1394. db 0
1395. db 0
1396. db 0
1397. db 0
1398. db 0
1399. db 0
1400. db 0
1401. db 0
1402. db 0
1403. db 0
1404. db 0
1405. db 0
1406. db 0
1407. db 0
1408. db 0
1409. db 0
1410. db 0
1411. db 0
1412. db 0
1413. db 0
1414. db 0
1415. db 0
1416. db 0
1417. db 0
1418. db 0
1419. db 0
1420. db 0
1421. db 0
1422. db 0
1423. db 0
1424. db 0
1425. db 0
1426. db 0
1427. db 0
1428. db 0
1429. db 0
1430. db 0
1431. db 0
1432. db 0
1433. db 0
1434. db 0
1435. db 0
1436. db 0
1437. db 0
1438. db 0
1439. db 0
1440. db 0
1441. db 0
1442. _info ends
1443.  
1444. ; Section 5. (virtual address 00000A80)
1445. ; Virtual size : 00000114 ( 276.)
1446. ; Section size in file : 00000180 ( 384.)
1447. ; Offset to raw data for section: 00000A80
1448. ; Flags E2000020: Text Discardable Executable Readable Writable
1449. ; Alignment : default
1450.  
1451. ; Segment type: Pure code
1452. ; Segment permissions: Read/Write/Execute
1453. INIT segment para public 'CODE' use64
1454. assume cs:INIT
1455. ;org 10A80h
1456. assume es:GAP, ss:GAP, ds:_data, fs:nothing, gs:nothing
1457. __IMPORT_DESCRIPTOR_ntoskrnl_exe dd rva off_10AA8 ; Import Name Table
1458. dd 0 ; Time stamp
1459. dd 0 ; Forwarder Chain
1460. dd rva aNtoskrnl_exe ; DLL Name
1461. dd rva IoDeleteSymbolicLink ; Import Address Table
1462. align 8
1463. dq 2 dup(0)
1464. ;
1465. ; Import names for ntoskrnl.exe
1466. ;
1467. off_10AA8 dq rva word_10AFA
1468. dq rva word_10B12
1469. dq rva word_10B2A
1470. dq rva word_10B40
1471. dq rva word_10B5C
1472. dq rva word_10B74
1473. dq rva word_10AE8
1474. dq 0
1475. word_10AE8 dw 15Fh
1476. db 'IoDeleteDevice',0
1477. align 2
1478. word_10AFA dw 161h
1479. db 'IoDeleteSymbolicLink',0
1480. align 2
1481. word_10B12 dw 43Eh
1482. db 'RtlInitUnicodeString',0
1483. align 2
1484. word_10B2A dw 1F6h
1485. db 'IofCompleteRequest',0
1486. align 20h
1487. word_10B40 dw 2C2h
1488. db 'MmGetSystemRoutineAddress',0
1489. word_10B5C dw 155h
1490. db 'IoCreateSymbolicLink',0
1491. align 4
1492. word_10B74 dw 14Ch
1493. db 'IoCreateDevice',0
1494. align 2
1495. aNtoskrnl_exe db 'ntoskrnl.exe',0
1496. align 80h
1497. INIT ends
1498.  
1499.  
1500. ; Segment type: Pure data
1501. ; Segment permissions: Read/Write
1502. GAP segment byte private 'DATA' use64
1503. assume cs:GAP
1504. ;org 10C00h
1505. unk_10C00 db 50h ; P
1506. db 1Dh
1507. db 0
1508. db 0
1509. db 0
1510. db 2
1511. db 2
1512. db 0
1513. db 30h ; 0
1514. db 82h ; ‚
1515. db 1Dh
1516. db 40h ; @
1517. db 6
1518. db 9
1519. db 2Ah ; *
1520. db 86h ; †
1521. db 48h ; H
1522. db 86h ; †
1523. db 0F7h ; ÷
1524. db 0Dh
1525. db 1
1526. db 7
1527. db 2
1528. db 0A0h ;  
1529. db 82h ; ‚
1530. db 1Dh
1531. db 31h ; 1
1532. db 30h ; 0
1533. db 82h ; ‚
1534. db 1Dh
1535. db 2Dh ; -
1536. db 2
1537. db 1
1538. db 1
1539. db 31h ; 1
1540. db 0Bh
1541. db 30h ; 0
1542. db 9
1543. db 6
1544. db 5
1545. db 2Bh ; +
1546. db 0Eh
1547. db 3
1548. db 2
1549. db 1Ah
1550. db 5
1551. db 0
1552. db 30h ; 0
1553. db 4Ch ; L
1554. db 6
1555. db 0Ah
1556. db 2Bh ; +
1557. db 6
1558. db 1
1559. db 4
1560. db 1
1561. db 82h ; ‚
1562. db 37h ; 7
1563. db 2
1564. db 1
1565. db 4
1566. db 0A0h ;  
1567. db 3Eh ; >
1568. db 30h ; 0
1569. db 3Ch ; <
1570. db 30h ; 0
1571. db 17h
1572. db 6
1573. db 0Ah
1574. db 2Bh ; +
1575. db 6
1576. db 1
1577. db 4
1578. db 1
1579. db 82h ; ‚
1580. db 37h ; 7
1581. db 2
1582. db 1
1583. db 0Fh
1584. db 30h ; 0
1585. db 9
1586. db 3
1587. db 1
1588. db 0
1589. db 0A0h ;  
1590. db 4
1591. db 0A2h ; ¢
1592. db 2
1593. db 80h ; €
1594. db 0
1595. db 30h ; 0
1596. db 21h ; !
1597. db 30h ; 0
1598. db 9
1599. db 6
1600. db 5
1601. db 2Bh ; +
1602. db 0Eh
1603. db 3
1604. db 2
1605. db 1Ah
1606. db 5
1607. db 0
1608. db 4
1609. db 14h
1610. db 1Dh
1611. db 1Ch
1612. db 0AFh ; ¯
1613. db 0C7h ; Ç
1614. db 3Ch ; <
1615. db 97h ; —
1616. db 0C6h ; Æ
1617. db 0BCh ; ¼
1618. db 0D2h ; Ò
1619. db 33h ; 3
1620. db 1Fh
1621. db 87h ; ‡
1622. db 77h ; w
1623. db 0D9h ; Ù
1624. db 0Fh
1625. db 0DCh ; Ü
1626. db 0A5h ; ¥
1627. db 71h ; q
1628. db 25h ; %
1629. db 0A3h ; £
1630. db 0A0h ;  
1631. db 82h ; ‚
1632. db 18h
1633. db 8Bh ; ‹
1634. db 30h ; 0
1635. db 82h ; ‚
1636. db 3
1637. db 0EEh ; î
1638. db 30h ; 0
1639. db 82h ; ‚
1640. db 3
1641. db 57h ; W
1642. db 0A0h ;  
1643. db 3
1644. db 2
1645. db 1
1646. db 2
1647. db 2
1648. db 10h
1649. db 7Eh ; ~
1650. db 93h ; “
1651. db 0EBh ; ë
1652. db 0FBh ; û
1653. db 7Ch ; |
1654. db 0C6h ; Æ
1655. db 4Eh ; N
1656. db 59h ; Y
1657. db 0EAh ; ê
1658. db 4Bh ; K
1659. db 9Ah ; š
1660. db 77h ; w
1661. db 0D4h ; Ô
1662. db 6
1663. db 0FCh ; ü
1664. db 3Bh ; ;
1665. db 30h ; 0
1666. db 0Dh
1667. db 6
1668. db 9
1669. db 2Ah ; *
1670. db 86h ; †
1671. db 48h ; H
1672. db 86h ; †
1673. db 0F7h ; ÷
1674. db 0Dh
1675. db 1
1676. db 1
1677. db 5
1678. db 5
1679. db 0
1680. db 30h ; 0
1681. db 81h ; 
1682. db 8Bh ; ‹
1683. db 31h ; 1
1684. db 0Bh
1685. db 30h ; 0
1686. db 9
1687. db 6
1688. db 3
1689. db 55h ; U
1690. db 4
1691. db 6
1692. db 13h
1693. db 2
1694. db 5Ah ; Z
1695. db 41h ; A
1696. db 31h ; 1
1697. db 15h
1698. db 30h ; 0
1699. db 13h
1700. db 6
1701. db 3
1702. db 55h ; U
1703. db 4
1704. db 8
1705. db 13h
1706. db 0Ch
1707. db 57h ; W
1708. db 65h ; e
1709. db 73h ; s
1710. db 74h ; t
1711. db 65h ; e
1712. db 72h ; r
1713. db 6Eh ; n
1714. db 20h
1715. db 43h ; C
1716. db 61h ; a
1717. db 70h ; p
1718. db 65h ; e
1719. db 31h ; 1
1720. db 14h
1721. db 30h ; 0
1722. db 12h
1723. db 6
1724. db 3
1725. db 55h ; U
1726. db 4
1727. db 7
1728. db 13h
1729. db 0Bh
1730. db 44h ; D
1731. db 75h ; u
1732. db 72h ; r
1733. db 62h ; b
1734. db 61h ; a
1735. db 6Eh ; n
1736. db 76h ; v
1737. db 69h ; i
1738. db 6Ch ; l
1739. db 6Ch ; l
1740. db 65h ; e
1741. db 31h ; 1
1742. db 0Fh
1743. db 30h ; 0
1744. db 0Dh
1745. db 6
1746. db 3
1747. db 55h ; U
1748. db 4
1749. db 0Ah
1750. db 13h
1751. db 6
1752. db 54h ; T
1753. db 68h ; h
1754. db 61h ; a
1755. db 77h ; w
1756. db 74h ; t
1757. db 65h ; e
1758. db 31h ; 1
1759. db 1Dh
1760. db 30h ; 0
1761. db 1Bh
1762. db 6
1763. db 3
1764. db 55h ; U
1765. db 4
1766. db 0Bh
1767. db 13h
1768. db 14h
1769. db 54h ; T
1770. db 68h ; h
1771. db 61h ; a
1772. db 77h ; w
1773. db 74h ; t
1774. db 65h ; e
1775. db 20h
1776. db 43h ; C
1777. db 65h ; e
1778. db 72h ; r
1779. db 74h ; t
1780. db 69h ; i
1781. db 66h ; f
1782. db 69h ; i
1783. db 63h ; c
1784. db 61h ; a
1785. db 74h ; t
1786. db 69h ; i
1787. db 6Fh ; o
1788. db 6Eh ; n
1789. db 31h ; 1
1790. db 1Fh
1791. db 30h ; 0
1792. db 1Dh
1793. db 6
1794. db 3
1795. db 55h ; U
1796. db 4
1797. db 3
1798. db 13h
1799. db 16h
1800. db 54h ; T
1801. db 68h ; h
1802. db 61h ; a
1803. db 77h ; w
1804. db 74h ; t
1805. db 65h ; e
1806. db 20h
1807. db 54h ; T
1808. db 69h ; i
1809. db 6Dh ; m
1810. db 65h ; e
1811. db 73h ; s
1812. db 74h ; t
1813. db 61h ; a
1814. db 6Dh ; m
1815. db 70h ; p
1816. db 69h ; i
1817. db 6Eh ; n
1818. db 67h ; g
1819. db 20h
1820. db 43h ; C
1821. db 41h ; A
1822. db 30h ; 0
1823. db 1Eh
1824. db 17h
1825. db 0Dh
1826. db 31h ; 1
1827. db 32h ; 2
1828. db 31h ; 1
1829. db 32h ; 2
1830. db 32h ; 2
1831. db 31h ; 1
1832. db 30h ; 0
1833. db 30h ; 0
1834. db 30h ; 0
1835. db 30h ; 0
1836. db 30h ; 0
1837. db 30h ; 0
1838. db 5Ah ; Z
1839. db 17h
1840. db 0Dh
1841. db 32h ; 2
1842. db 30h ; 0
1843. db 31h ; 1
1844. db 32h ; 2
1845. db 33h ; 3
1846. db 30h ; 0
1847. db 32h ; 2
1848. db 33h ; 3
1849. db 35h ; 5
1850. db 39h ; 9
1851. db 35h ; 5
1852. db 39h ; 9
1853. db 5Ah ; Z
1854. db 30h ; 0
1855. db 5Eh ; ^
1856. db 31h ; 1
1857. db 0Bh
1858. db 30h ; 0
1859. db 9
1860. db 6
1861. db 3
1862. db 55h ; U
1863. db 4
1864. db 6
1865. db 13h
1866. db 2
1867. db 55h ; U
1868. db 53h ; S
1869. db 31h ; 1
1870. db 1Dh
1871. db 30h ; 0
1872. db 1Bh
1873. db 6
1874. db 3
1875. db 55h ; U
1876. db 4
1877. db 0Ah
1878. db 13h
1879. db 14h
1880. db 53h ; S
1881. db 79h ; y
1882. db 6Dh ; m
1883. db 61h ; a
1884. db 6Eh ; n
1885. db 74h ; t
1886. db 65h ; e
1887. db 63h ; c
1888. db 20h
1889. db 43h ; C
1890. db 6Fh ; o
1891. db 72h ; r
1892. db 70h ; p
1893. db 6Fh ; o
1894. db 72h ; r
1895. db 61h ; a
1896. db 74h ; t
1897. db 69h ; i
1898. db 6Fh ; o
1899. db 6Eh ; n
1900. db 31h ; 1
1901. db 30h ; 0
1902. db 30h ; 0
1903. db 2Eh ; .
1904. db 6
1905. db 3
1906. db 55h ; U
1907. db 4
1908. db 3
1909. db 13h
1910. db 27h ; '
1911. db 53h ; S
1912. db 79h ; y
1913. db 6Dh ; m
1914. db 61h ; a
1915. db 6Eh ; n
1916. db 74h ; t
1917. db 65h ; e
1918. db 63h ; c
1919. db 20h
1920. db 54h ; T
1921. db 69h ; i
1922. db 6Dh ; m
1923. db 65h ; e
1924. db 20h
1925. db 53h ; S
1926. db 74h ; t
1927. db 61h ; a
1928. db 6Dh ; m
1929. db 70h ; p
1930. db 69h ; i
1931. db 6Eh ; n
1932. db 67h ; g
1933. db 20h
1934. db 53h ; S
1935. db 65h ; e
1936. db 72h ; r
1937. db 76h ; v
1938. db 69h ; i
1939. db 63h ; c
1940. db 65h ; e
1941. db 73h ; s
1942. db 20h
1943. db 43h ; C
1944. db 41h ; A
1945. db 20h
1946. db 2Dh ; -
1947. db 20h
1948. db 47h ; G
1949. db 32h ; 2
1950. db 30h ; 0
1951. db 82h ; ‚
1952. db 1
1953. db 22h ; "
1954. db 30h ; 0
1955. db 0Dh
1956. db 6
1957. db 9
1958. db 2Ah ; *
1959. db 86h ; †
1960. db 48h ; H
1961. db 86h ; †
1962. db 0F7h ; ÷
1963. db 0Dh
1964. db 1
1965. db 1
1966. db 1
1967. db 5
1968. db 0
1969. db 3
1970. db 82h ; ‚
1971. db 1
1972. db 0Fh
1973. db 0
1974. db 30h ; 0
1975. db 82h ; ‚
1976. db 1
1977. db 0Ah
1978. db 2
1979. db 82h ; ‚
1980. db 1
1981. db 1
1982. db 0
1983. db 0B1h ; ±
1984. db 0ACh ; ¬
1985. db 0B3h ; ³
1986. db 49h ; I
1987. db 54h ; T
1988. db 4Bh ; K
1989. db 97h ; —
1990. db 1Ch
1991. db 12h
1992. db 0Ah
1993. db 0D8h ; Ø
1994. db 25h ; %
1995. db 79h ; y
1996. db 91h ; ‘
1997. db 22h ; "
1998. db 57h ; W
1999. db 2Ah ; *
2000. db 6Fh ; o
2001. db 0DCh ; Ü
2002. db 0B8h ; ¸
2003. db 26h ; &
2004. db 0C4h ; Ä
2005. db 43h ; C
2006. db 73h ; s
2007. db 6Bh ; k
2008. db 0C2h ; Â
2009. db 0BFh ; ¿
2010. db 2Eh ; .
2011. db 50h ; P
2012. db 5Ah ; Z
2013. db 0FBh ; û
2014. db 14h
2015. db 0C2h ; Â
2016. db 76h ; v
2017. db 8Eh ; Ž
2018. db 43h ; C
2019. db 1
2020. db 25h ; %
2021. db 43h ; C
2022. db 0B4h ; ´
2023. db 0A1h ; ¡
2024. db 0E2h ; â
2025. db 45h ; E
2026. db 0F4h ; ô
2027. db 0E8h ; è
2028. db 0B7h ; ·
2029. db 7Bh ; {
2030. db 0C3h ; Ã
2031. db 74h ; t
2032. db 0CCh ; Ì
2033. db 22h ; "
2034. db 0D7h ; ×
2035. db 0B4h ; ´
2036. db 94h ; ”
2037. db 0
2038. db 2
2039. db 0F7h ; ÷
2040. db 4Dh ; M
2041. db 0EDh ; í
2042. db 0BFh ; ¿
2043. db 0B4h ; ´
2044. db 0B7h ; ·
2045. db 44h ; D
2046. db 24h ; $
2047. db 6Bh ; k
2048. db 0CDh ; Í
2049. db 5Fh ; _
2050. db 45h ; E
2051. db 3Bh ; ;
2052. db 0D1h ; Ñ
2053. db 44h ; D
2054. db 0CEh ; Î
2055. db 43h ; C
2056. db 12h
2057. db 73h ; s
2058. db 17h
2059. db 82h ; ‚
2060. db 8Bh ; ‹
2061. db 69h ; i
2062. db 0B4h ; ´
2063. db 2Bh ; +
2064. db 0CBh ; Ë
2065. db 99h ; ™
2066. db 1Eh
2067. db 0ACh ; ¬
2068. db 72h ; r
2069. db 1Bh
2070. db 26h ; &
2071. db 4Dh ; M
2072. db 71h ; q
2073. db 1Fh
2074. db 0B1h ; ±
2075. db 31h ; 1
2076. db 0DDh ; Ý
2077. db 0FBh ; û
2078. db 51h ; Q
2079. db 61h ; a
2080. db 2
2081. db 53h ; S
2082. db 0A6h ; ¦
2083. db 0AAh ; ª
2084. db 0F5h ; õ
2085. db 49h ; I
2086. db 2Ch ; ,
2087. db 5
2088. db 78h ; x
2089. db 45h ; E
2090. db 0A5h ; ¥
2091. db 2Fh ; /
2092. db 89h ; ‰
2093. db 0CEh ; Î
2094. db 0E7h ; ç
2095. db 99h ; ™
2096. db 0E7h ; ç
2097. db 0FEh ; þ
2098. db 8Ch ; Œ
2099. db 0E2h ; â
2100. db 57h ; W
2101. db 3Fh ; ?
2102. db 3Dh ; =
2103. db 0C6h ; Æ
2104. db 92h ; ’
2105. db 0DCh ; Ü
2106. db 4Ah ; J
2107. db 0F8h ; ø
2108. db 7Bh ; {
2109. db 33h ; 3
2110. db 0E4h ; ä
2111. db 79h ; y
2112. db 0Ah
2113. db 0FBh ; û
2114. db 0F0h ; ð
2115. db 75h ; u
2116. db 88h ; ˆ
2117. db 41h ; A
2118. db 9Ch ; œ
2119. db 0FFh
2120. db 0C5h ; Å
2121. db 3
2122. db 51h ; Q
2123. db 99h ; ™
2124. db 0AAh ; ª
2125. db 0D7h ; ×
2126. db 6Ch ; l
2127. db 9Fh ; Ÿ
2128. db 93h ; “
2129. db 69h ; i
2130. db 87h ; ‡
2131. db 65h ; e
2132. db 29h ; )
2133. db 83h ; ƒ
2134. db 85h ; …
2135. db 0C2h ; Â
2136. db 60h ; `
2137. db 14h
2138. db 0C4h ; Ä
2139. db 0C8h ; È
2140. db 0C9h ; É
2141. db 3Bh ; ;
2142. db 14h
2143. db 0DAh ; Ú
2144. db 0C0h ; À
2145. db 81h ; 
2146. db 0F0h ; ð
2147. db 1Fh
2148. db 0Dh
2149. db 74h ; t
2150. db 0DEh ; Þ
2151. db 92h ; ’
2152. db 22h ; "
2153. db 0ABh ; «
2154. db 0CAh ; Ê
2155. db 0F7h ; ÷
2156. db 0FBh ; û
2157. db 74h ; t
2158. db 7Ch ; |
2159. db 27h ; '
2160. db 0E6h ; æ
2161. db 0F7h ; ÷
2162. db 4Ah ; J
2163. db 1Bh
2164. db 7Fh ; 
2165. db 0A7h ; §
2166. db 0C3h ; Ã
2167. db 9Eh ; ž
2168. db 2Dh ; -
2169. db 0AEh ; ®
2170. db 8Ah ; Š
2171. db 0EAh ; ê
2172. db 0A6h ; ¦
2173. db 0E6h ; æ
2174. db 0AAh ; ª
2175. db 27h ; '
2176. db 16h
2177. db 7Dh ; }
2178. db 61h ; a
2179. db 0F7h ; ÷
2180. db 98h ; ˜
2181. db 71h ; q
2182. db 11h
2183. db 0BCh ; ¼
2184. db 0E2h ; â
2185. db 50h ; P
2186. db 0A1h ; ¡
2187. db 4Bh ; K
2188. db 0E5h ; å
2189. db 5Dh ; ]
2190. db 0FAh ; ú
2191. db 0E5h ; å
2192. db 0Eh
2193. db 0A7h ; §
2194. db 2Ch ; ,
2195. db 9Fh ; Ÿ
2196. db 0AAh ; ª
2197. db 65h ; e
2198. db 20h
2199. db 0D3h ; Ó
2200. db 0D8h ; Ø
2201. db 96h ; –
2202. db 0E8h ; è
2203. db 0C8h ; È
2204. db 7Ch ; |
2205. db 0A5h ; ¥
2206. db 4Eh ; N
2207. db 48h ; H
2208. db 44h ; D
2209. db 0FFh
2210. db 19h
2211. db 0E2h ; â
2212. db 44h ; D
2213. db 7
2214. db 92h ; ’
2215. db 0Bh
2216. db 0D7h ; ×
2217. db 68h ; h
2218. db 84h ; „
2219. db 80h ; €
2220. db 5Dh ; ]
2221. db 6Ah ; j
2222. db 78h ; x
2223. db 64h ; d
2224. db 45h ; E
2225. db 0CDh ; Í
2226. db 60h ; `
2227. db 46h ; F
2228. db 7Eh ; ~
2229. db 54h ; T
2230. db 0C1h ; Á
2231. db 13h
2232. db 7Ch ; |
2233. db 0C5h ; Å
2234. db 79h ; y
2235. db 0F1h ; ñ
2236. db 0C9h ; É
2237. db 0C1h ; Á
2238. db 71h ; q
2239. db 2
2240. db 3
2241. db 1
2242. db 0
2243. db 1
2244. db 0A3h ; £
2245. db 81h ; 
2246. db 0FAh ; ú
2247. db 30h ; 0
2248. db 81h ; 
2249. db 0F7h ; ÷
2250. db 30h ; 0
2251. db 1Dh
2252. db 6
2253. db 3
2254. db 55h ; U
2255. db 1Dh
2256. db 0Eh
2257. db 4
2258. db 16h
2259. db 4
2260. db 14h
2261. db 5Fh ; _
2262. db 9Ah ; š
2263. db 0F5h ; õ
2264. db 6Eh ; n
2265. db 5Ch ; \
2266. db 0CCh ; Ì
2267. db 0CCh ; Ì
2268. db 74h ; t
2269. db 9Ah ; š
2270. db 0D4h ; Ô
2271. db 0DDh ; Ý
2272. db 7Dh ; }
2273. db 0EFh ; ï
2274. db 3Fh ; ?
2275. db 0DBh ; Û
2276. db 0ECh ; ì
2277. db 4Ch ; L
2278. db 80h ; €
2279. db 2Eh ; .
2280. db 0DDh ; Ý
2281. db 30h ; 0
2282. db 32h ; 2
2283. db 6
2284. db 8
2285. db 2Bh ; +
2286. db 6
2287. db 1
2288. db 5
2289. db 5
2290. db 7
2291. db 1
2292. db 1
2293. db 4
2294. db 26h ; &
2295. db 30h ; 0
2296. db 24h ; $
2297. db 30h ; 0
2298. db 22h ; "
2299. db 6
2300. db 8
2301. db 2Bh ; +
2302. db 6
2303. db 1
2304. db 5
2305. db 5
2306. db 7
2307. db 30h ; 0
2308. db 1
2309. db 86h ; †
2310. db 16h
2311. db 68h ; h
2312. db 74h ; t
2313. db 74h ; t
2314. db 70h ; p
2315. db 3Ah ; :
2316. db 2Fh ; /
2317. db 2Fh ; /
2318. db 6Fh ; o
2319. db 63h ; c
2320. db 73h ; s
2321. db 70h ; p
2322. db 2Eh ; .
2323. db 74h ; t
2324. db 68h ; h
2325. db 61h ; a
2326. db 77h ; w
2327. db 74h ; t
2328. db 65h ; e
2329. db 2Eh ; .
2330. db 63h ; c
2331. db 6Fh ; o
2332. db 6Dh ; m
2333. db 30h ; 0
2334. db 12h
2335. db 6
2336. db 3
2337. db 55h ; U
2338. db 1Dh
2339. db 13h
2340. db 1
2341. db 1
2342. db 0FFh
2343. db 4
2344. db 8
2345. db 30h ; 0
2346. db 6
2347. db 1
2348. db 1
2349. db 0FFh
2350. db 2
2351. db 1
2352. db 0
2353. db 30h ; 0
2354. db 3Fh ; ?
2355. db 6
2356. db 3
2357. db 55h ; U
2358. db 1Dh
2359. db 1Fh
2360. db 4
2361. db 38h ; 8
2362. db 30h ; 0
2363. db 36h ; 6
2364. db 30h ; 0
2365. db 34h ; 4
2366. db 0A0h ;  
2367. db 32h ; 2
2368. db 0A0h ;  
2369. db 30h ; 0
2370. db 86h ; †
2371. db 2Eh ; .
2372. db 68h ; h
2373. db 74h ; t
2374. db 74h ; t
2375. db 70h ; p
2376. db 3Ah ; :
2377. db 2Fh ; /
2378. db 2Fh ; /
2379. db 63h ; c
2380. db 72h ; r
2381. db 6Ch ; l
2382. db 2Eh ; .
2383. db 74h ; t
2384. db 68h ; h
2385. db 61h ; a
2386. db 77h ; w
2387. db 74h ; t
2388. db 65h ; e
2389. db 2Eh ; .
2390. db 63h ; c
2391. db 6Fh ; o
2392. db 6Dh ; m
2393. db 2Fh ; /
2394. db 54h ; T
2395. db 68h ; h
2396. db 61h ; a
2397. db 77h ; w
2398. db 74h ; t
2399. db 65h ; e
2400. db 54h ; T
2401. db 69h ; i
2402. db 6Dh ; m
2403. db 65h ; e
2404. db 73h ; s
2405. db 74h ; t
2406. db 61h ; a
2407. db 6Dh ; m
2408. db 70h ; p
2409. db 69h ; i
2410. db 6Eh ; n
2411. db 67h ; g
2412. db 43h ; C
2413. db 41h ; A
2414. db 2Eh ; .
2415. db 63h ; c
2416. db 72h ; r
2417. db 6Ch ; l
2418. db 30h ; 0
2419. db 13h
2420. db 6
2421. db 3
2422. db 55h ; U
2423. db 1Dh
2424. db 25h ; %
2425. db 4
2426. db 0Ch
2427. db 30h ; 0
2428. db 0Ah
2429. db 6
2430. db 8
2431. db 2Bh ; +
2432. db 6
2433. db 1
2434. db 5
2435. db 5
2436. db 7
2437. db 3
2438. db 8
2439. db 30h ; 0
2440. db 0Eh
2441. db 6
2442. db 3
2443. db 55h ; U
2444. db 1Dh
2445. db 0Fh
2446. db 1
2447. db 1
2448. db 0FFh
2449. db 4
2450. db 4
2451. db 3
2452. db 2
2453. db 1
2454. db 6
2455. db 30h ; 0
2456. db 28h ; (
2457. db 6
2458. db 3
2459. db 55h ; U
2460. db 1Dh
2461. db 11h
2462. db 4
2463. db 21h ; !
2464. db 30h ; 0
2465. db 1Fh
2466. db 0A4h ; ¤
2467. db 1Dh
2468. db 30h ; 0
2469. db 1Bh
2470. db 31h ; 1
2471. db 19h
2472. db 30h ; 0
2473. db 17h
2474. db 6
2475. db 3
2476. db 55h ; U
2477. db 4
2478. db 3
2479. db 13h
2480. db 10h
2481. db 54h ; T
2482. db 69h ; i
2483. db 6Dh ; m
2484. db 65h ; e
2485. db 53h ; S
2486. db 74h ; t
2487. db 61h ; a
2488. db 6Dh ; m
2489. db 70h ; p
2490. db 2Dh ; -
2491. db 32h ; 2
2492. db 30h ; 0
2493. db 34h ; 4
2494. db 38h ; 8
2495. db 2Dh ; -
2496. db 31h ; 1
2497. db 30h ; 0
2498. db 0Dh
2499. db 6
2500. db 9
2501. db 2Ah ; *
2502. db 86h ; †
2503. db 48h ; H
2504. db 86h ; †
2505. db 0F7h ; ÷
2506. db 0Dh
2507. db 1
2508. db 1
2509. db 5
2510. db 5
2511. db 0
2512. db 3
2513. db 81h ; 
2514. db 81h ; 
2515. db 0
2516. db 3
2517. db 9
2518. db 9Bh ; ›
2519. db 8Fh ; 
2520. db 79h ; y
2521. db 0EFh ; ï
2522. db 7Fh ; 
2523. db 59h ; Y
2524. db 30h ; 0
2525. db 0AAh ; ª
2526. db 0EFh ; ï
2527. db 68h ; h
2528. db 0B5h ; µ
2529. GAP ends
2530.  
2531.  
2532. end DriverEntry