Nagra Hex block Decryption

onsitbin said:

your bloc 0000016C is offfset (01EBA8)
regards

Click to expand...

Oops! We ran into some problems.
You do not have permission to view this page or perform this action.

onsitbin said:

your bloc 0000016C is offfset (01EBA8)
regards

Click to expand...

Oops! We ran into some problems.
You do not have permission to view this page or perform this action.

dear friend your dump is tampered with , (mainly in block 00016c) see come who did you that job

hug

bejiis said:

Oops! We ran into some problems.
You do not have permission to view this page or perform this action.

Click to expand...

Provider is Arabe 01E0+Arabesque +decoder = DSR2231/59

onsitbin said:

hello dear #dognaldo or your dump was badly made, or tampered with, or something is wrong,ad block 016c (|DSR2231/59) the rodata goes well with the keys mods block 017C ( adress (00023690) is OK block 000097 (adress 000244C8 ) is OK
checks (Pm)

Click to expand...

Hi, thanks for replay, and...
Taking advantage of your expertisse, in this dump ( MEGA ) can you show me 016c encrypted offset ?

dognaldo said:

Hi, thanks for replay, and...
Taking advantage of your expertisse, in this dump ( MEGA ) can you show me 016c encrypted offset ?

Click to expand...

yes your bloco 016c

someone has altered it, what you have is false since block 017c and block 0097 are good, so I repeat someone adulteoru that dump or dump was poorly done, please send me via pm the cais_id that e is on the label below the decoder to take a doubt

Click to expand...

Please look again , this link is for another dump, stb.bin

stb.bin --- > MEGA
and how do you know that the encrypted block 016C starts at this offset?

dognaldo said:

Please look again , this link is for another dump, stb.bin

stb.bin --- > MEGA
and how do you know that the encrypted block 016C starts at this offset?

Click to expand...

What I can tell you is that this dump is adulterated and poorly done.
Point 1 :. There are two blocks 00017C in (offset 0007F9D4)
another repetitive in (offset 002CF9B4)

Point 2:. The block indicates that block 016c is in (offset 00C00000

Point 3:. As you can see this offset does not exist in this dump

In summary it can be concluded that both this dump (stb.bin)
like the one above (mystb.bin)
were adulterated, ie do not deserve any credibility for studies.
I regret to say that I already have these dumps in my possession about a year, and concludes, that they are nothing more than a farce.
So I'm sorry but it's not worth putting here in the forum (trash of adulterated dumps) to confuse the participants in a possible study of them.
I know who is the author of the change, but I will not divulge it here.
it's unfortunate to put garbage here
take care

Click to expand...

dognaldo said:

Please look again , this link is for another dump, stb.bin

stb.bin --- > MEGA
and how do you know that the encrypted block 016C starts at this offset?

Click to expand...

Well, without FPK no party, rest is bullshit, block 016c is encrypted in AES, well maybe they use too 3DES(not sure)...

onsitbin said:

Click to expand...

Hi (boas),
These dumps are not mine and were originally posted by users in post #510 and #524. I just try to learn from those posted dumps.
About the stb.bin I beg you to look at post #517, of Braza user.
According to him the encrypted block 16c starts at offset 0x000073F0 and repeats at 0x002573D0.
That was the reason for the question.
When you say "The block indicates that block 016c is in (offset 00C00000", I know this offset does not exist. But could you explain this, how to get the offset of the beginning of encrypted block 016c? Could you explain this?

[ ] ´s

dognaldo said:

Hi (boas),
These dumps are not mine and were originally posted by users in post #510 and #524. I just try to learn from those posted dumps.
About the stb.bin I beg you to look at post #517, of Braza user.
According to him the encrypted block 16c starts at offset 0x000073F0 and repeats at 0x002573D0.
That was the reason for the question.
When you say "The block indicates that block 016c is in (offset 00C00000", I know this offset does not exist. But could you explain this, how to get the offset of the beginning of encrypted block 016c? Could you explain this?

[ ] ´s

Click to expand...

Maybe this offset 00C00000 point to ram!
I saw the same thing on a Samsung dump, point to 9E0000!LOL

Benfica200 said:

Maybe this offset 00C00000 point to ram!
I saw the same thing on a Samsung dump, point to 9E0000!LOL

Click to expand...

Vamos la a ver.

Umas lições também te fazem bem, se estivesses atento as fotos que eu coloquei.
em primeiro lugar o coração de um dump eu chamo-lhe bloco 017C, e como não estas atento eu vou-te explicar, com todo o gosto, tu até falas em ram e nesse aspecto estás a falar correto, mas com o raciocínio errado, como sabes, e eu já afimei estuda um pouco os dois dumps e saberás que estão adulterado, e porquê.
Pegas num dump correto, e vai ao que eu lhe chamo coração (bloco 0000017C) que esteja correto e fazes assim como te vou explicar neste vídeo, que vou pegar num dump que aqui tenho normal, para tu entenderes ok?? e verificarás que esses dois dumps estão adulterados de propósito, alias eu tenho esses dois dumps aqui á mais de um ano.

Click to expand...

Abraço e diverte-te e faz o mesmo nos dumps acima citados é claro que existem blocos protegidos com Aes_key e 3Des, que não é só o caso dos Samsungs,

Link para o filme:. hxxps://3w.sendspace.com/file/tq7ybr
*****************************************************************************************************************************
Let's see her.

Some lessons also do you good, if you were aware of the photos I put.

first of all the heart of a dump I call it block 017C, and as you are not aware I will explain to you, with all the gusto, you even speak in ram and in that aspect you are speaking correct, but with the wrong reasoning, as you know, and I've already fondled study the two dumps a little and you'll know they're tampered with, and why.

You pick up a correct dump, and go to what I call heart (block 0000017C) that is correct and you do as I will explain in this video, that I will get a dump that I have normal, so you understand ok ?? and you will find that these two dumps are purposely tampered with, alias I've had those two dumps here for over a year.

Click to expand...

Hug and amuse yourself and do the same in the above dumps of course there are blocks protected with Aes_key and 3Des, which is not only the case of the Samsungs,

Link to filme:. hxxps://3w.sendspace.com/file/tq7ybr

onsitbin said:

Vamos la a ver.

Abraço e diverte-te e faz o mesmo nos dumps acima citados é claro que existem blocos protegidos com Aes_key e 3Des, que não é só o caso dos Samsungs,

Link para o filme:. hxxps://3w.sendspace.com/file/tq7ybr
*****************************************************************************************************************************
Let's see her.




Hug and amuse yourself and do the same in the above dumps of course there are blocks protected with Aes_key and 3Des, which is not only the case of the Samsungs,

Link to filme:. hxxps://3w.sendspace.com/file/tq7ybr

Click to expand...

GREAT LOL
What a joke!
Was seasoned without pepper and parsley...
All dumps is OK...

onsitbin said:

Vamos la a ver.

Abraço e diverte-te e faz o mesmo nos dumps acima citados é claro que existem blocos protegidos com Aes_key e 3Des, que não é só o caso dos Samsungs,

Link para o filme:. hxxps://3w.sendspace.com/file/tq7ybr

Click to expand...

Hi (boas),
I got it, thanks !
I tested most of my crypotograted dumps or not and I was able to identify the blocks.
More questions to ask. I'll think about them!

[ ]´s

Boa tarde ... nos últimos meses eu vi uma enorme procura sobre um arquivo ( firmware ntb ). Bom pedi para que me enviasse o tal arquivo para analise . Eu testei em varias plataformas e linguagem desde assembly a c++ ou seja desde linguagem de baixo nível a linguagem de alto nível. usando linguagem de baixo nível foi possível sanicar e fazer as devidas comparações em assembly :

dados de um arquivo comprado e ativo

"Endereço Thread Command;"
"754E845E Main RETN 10;"
754E16A0 Main PUSH KERNELBA.755006BD
754E16A5 Main PUSH DWORD PTR FS: [0]
"754E16AC Main MOV EAX,DWORD PTR SS:[ESP+10] ;"
754E16B0 Main MOV DWORD PTR SS:[ESP+10],EBP
"754E16B4 Main LEA EBP,DWORD PTR SS:[ESP+10] ;"
754E16B8 Main SUB ESP,EAX
754E16BA Main PUSH EBX
754E16BB Main PUSH ESI
754E16BC Main PUSH EDI
"754E16BD Principal MOV EAX, DWORD PTR DS: [755259A0];"
754E16C2 Principal XOR DWORD PTR SS: [EBP-4], EAX
"754E16C5 Principal XOR EAX, EBP;"
754E16C7 Main PUSH EAX
754E16C8 Main MOV DWORD PTR SS:[EBP-18],ESP
754E16CB Main PUSH DWORD PTR SS: [EBP-8]
"754E16CE Principal MOV EAX, DWORD PTR SS: [EBP-4];"
754E16D1 Principal MOV DWORD PTR SS: [EBP-4], - 2
754E16D8 Principal MOV DWORD PTR SS: [EBP-8], EAX
"754E16DB Principal LEA EAX, DWORD PTR SS: [EBP-10];"
754E16DE Principal MOV DWORD PTR FS: [0], EAX
"754E16E4 Main RETN;"
754E7B1E Main CMP BYTE PTR SS: [EBP-19], 0
754E7B22 Principal JE SHORT KERNELBA.754E7B2F
754E7B24 Main PUSH DWORD PTR SS: [EBP-24]
754E7B27 Main PUSH 1
754E7B29 Principal CALL DWORD PTR DS: [<& ntdll.LdrUnlockLoaderL
"754E7B2F Main RETN;"
"754E17F0 Principal MOV ECX, DWORD PTR SS: [EBP-10];"
754E17F3 Principal MOV DWORD PTR FS: [0], ECX
"754E17FA Main POP ECX;"
"754E17FB POP EDI principal;"
"754E17FC POP POP EDI;"
"754E17FD Main POP ESI;"
"754E17FE Main POP EBX;"
754E17FF Main MOV ESP,EBP
"754E1801 Main POP EBP;"
754E1802 Main PUSH ECX
"754E1803 Main RETN;"
"GetCurrentThreadI> MOV EAX, DWORD PTR FS: [18];"
"754E6831 Principal MOV EAX, DWORD PTR DS: [EAX + 24];"
"754E6834 Main RETN;"
754E6C51 Main PUSH KERNELBA.755006BD
754E6C56 Main PUSH DWORD PTR FS: [0]
"754E6C5D Main MOV EAX,DWORD PTR SS:[ESP+10] ;"
754E6C61 Main MOV DWORD PTR SS:[ESP+10],EBP
"754E6C65 Main LEA EBP,DWORD PTR SS:[ESP+10] ;"
754E6C69 Main SUB ESP,EAX
754E6C6B Main PUSH EBX
754E6C6C Main PUSH ESI
754E6C6D Main PUSH EDI
"754E6C6E Principal MOV EAX, DWORD PTR DS: [755259A0];"
754E6C73 Principal XOR DWORD PTR SS: [EBP-4], EAX
"754E6C76 Principal XOR EAX, EBP;"
754E6C78 Principal MOV DWORD PTR SS: [EBP-1C], EAX
754E6C7B Main PUSH EAX
754E6C7C Main MOV DWORD PTR SS:[EBP-18],ESP
754E6C7F Main PUSH DWORD PTR SS: [EBP-8]
"754E6C82 Principal MOV EAX, DWORD PTR SS: [EBP-4];"
754E6C85 Principal MOV DWORD PTR SS: [EBP-4], - 2
754E6C8C Principal MOV DWORD PTR SS: [EBP-8], EAX
"754E6C8F LEA principal EAX, DWORD PTR SS: [EBP-10];"
754E6C92 Principal MOV DWORD PTR FS: [0], EAX
"754E6C98 Main RETN;"
"KernelBaseGetGlob> MOV EAX, KERNELBA.755250F0;"
"754E68A0 Main RETN;"
"GetProcessHeap MOV EAX, DWORD PTR FS: [18];"
"754E68EF 00000DA8 MOV EAX, DWORD PTR DS: [EAX + 30];"
"754E68F2 00000DA8 MOV EAX, DWORD PTR DS: [EAX + 18];"
"754E68F5 00000DA8 RETN;"
"IsDebuggerPresent MOV EAX, DWORD PTR FS: [18];"
"754EFC6C Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
"754EFC6F Principal MOVZX EAX, BYTE PTR DS: [EAX + 2];"
"754EFC73 Main RETN;"
754E6BA5 00000DA8 MOV EDI, EDI
754E6BA7 00000DA8 PUSH EBP
"754E6BA8 00000DA8 MOV EBP,ESP ;"
754E6BAA 00000DA8 PUSH ESI
754E6BAB 00000DA8 PUSH DWORD PTR SS: [EBP + 8]
754E6BAE 00000DA8 CALL DWORD PTR DS: [<& ntdll.RtlNtStatusToDos
"754E6BB4 00000DA8 MOV ESI, EAX;"
754E6BB6 00000DA8 PUSH ESI
754E6BB7 00000DA8 CALL DWORD PTR DS: [<& ntdll.RtlSetLastWin32E
"754E6BBD 00000DA8 MOV EAX, ESI;"
"754E6BBF 00000DA8 POP ESI;"
"754E6BC0 00000DA8 POP EBP;"
"754E6BC1 00000DA8 RETN 4;"
"GetLastError MOV EAX, DWORD PTR FS: [18];"
"754E68BE 00000DA8 MOV EAX, DWORD PTR DS: [EAX + 34];"
"754E68C1 00000DA8 RETN;"
GetSystemInfo MOI EDI, EDI
754EA855 00000DA8 PUSH EBP
"754EA856 00000DA8 MOV EBP,ESP ;"
754EA858 00000DA8 SUB ESP, 38
754EA85B 00000DA8 PUSH ESI
754EA85C 00000DA8 MOV ESI, DWORD PTR DS: [<& ntdll.NtQuerySystem
"754EA862 00000DA8 PUSH 0;"
"754EA864 00000DA8 PUSH 2C;"
"754EA866 00000DA8 LEA EAX, DWORD PTR SS: [EBP-38];"
"754EA869 00000DA8 PUSH EAX;"
"754EA86A 00000DA8 PUSH 0;"
"754EA86C 00000DA8 CALL ESI;"
754EA86E 00000DA8 TEST EAX, EAX
754EA870 00000DA8 JL SHORT KERNELBA.754EA892
"754EA872 00000DA8 PUSH 0;"
"754EA874 00000DA8 PUSH 0C;"
"754EA876 00000DA8 LEA EAX, DWORD PTR SS: [EBP-C];"
"754EA879 00000DA8 PUSH EAX;"
"754EA87A 00000DA8 PUSH 1;"
"754EA87C 00000DA8 CALL ESI;"
754EA87E 00000DA8 TEST EAX, EAX
754EA880 00000DA8 JL SHORT KERNELBA.754EA892
754EA882 00000DA8 PUSH DWORD PTR SS: [EBP + 8]
"754EA885 00000DA8 LEA EAX, DWORD PTR SS: [EBP-C];"
754EA888 00000DA8 PUSH EAX
"754EA889 00000DA8 LEA EAX, DWORD PTR SS: [EBP-38];"
754EA88C 00000DA8 PUSH EAX
"754EA88D 00000DA8 CALL KERNELBA.754EA89C;"
"754EA892 00000DA8 POP ESI;"
"754EA893 00000DA8 LEAVE;"
"754EA894 00000DA8 RETN 4;"
754EBF3F Main PUSH EBP
"754EBF40 Main MOV EBP,ESP ;"
"754EBF42 Main PUSH DWORD PTR SS: [EBP + 10];"
"754EBF45 Main PUSH DWORD PTR SS: [EBP + C];"
"754EBF48 Main PUSH DWORD PTR SS: [EBP + 8];"
"754EBF4B Main PUSH -1;"
"754EBF4D Main CALL KERNELBA.VirtualQueryEx ;"
"754EBF52 Main POP EBP;"
"754EBF53 Main RETN 0C;"
"GetCurrentProcess OU EAX, FFFFFFFF;"
"754E693A Main RETN;"
GetCurrentThread PUSH -2
"754E6942 Main POP EAX;"
754E6943 Main RETN
754E74B8 Main PUSH EBP
"754E74B9 Main MOV EBP,ESP ;"
754E74BB Main PUSH DWORD PTR SS: [EBP + 14]
754E74BE Main PUSH DWORD PTR SS: [EBP + 10]
754E74C1 Main PUSH DWORD PTR SS: [EBP + C]
754E74C4 Main PUSH DWORD PTR SS: [EBP + 8]
754E74C7 Main CALL DWORD PTR DS: [<& ntdll.NtOpenThreadToke
754E74CD TEST EAX principal, EAX
754E74CF Principal JGE SHORT KERNELBA.754E74DD
"754E74D1 Main PUSH EAX;"
"754E74D2 Main CALL KERNELBA.754E6BA5;"
"754E74D7 Main XOR EAX, EAX;"
"754E74D9 Main POP EBP;"
"754E74DA Main RETN 10;"
"GetCurrentProcess> MOV EAX, DWORD PTR FS: [18];"
"754E6988 Principal MOV EAX, DWORD PTR DS: [EAX + 20];"
"754E698B Main RETN;"
754E79A9 Main PUSH EBP
"754E79AA Main MOV EBP,ESP ;"
754E79AC Main PUSH DWORD PTR SS: [EBP + 14]
754E79AF Main PUSH DWORD PTR SS: [EBP + 10]
754E79B2 Main PUSH DWORD PTR SS: [EBP + C]
754E79B5 Main PUSH DWORD PTR SS: [EBP + 8]
754E79B8 Main PUSH -1
"754E79BA Main CALL KERNELBA.VirtualAllocEx ;"
"754E79BF Main POP EBP;"
"754E79C0 Main RETN 10;"
754E7A1E Main PUSH EBP
"754E7A1F Main MOV EBP,ESP ;"
754E7A21 Main PUSH DWORD PTR SS: [EBP + 10]
754E7A24 Main PUSH DWORD PTR SS: [EBP + C]
754E7A27 Main PUSH DWORD PTR SS: [EBP + 8]
754E7A2A Main PUSH -1
"754E7A2C Main CALL KERNELBA.VirtualFreeEx ;"
"754E7A31 Main POP EBP;"
"754E7A32 Main RETN 0C;"
75513B81 EDI MOV principal, EDI
75513B83 Main PUSH EBP
"75513B84 Main MOV EBP,ESP ;"
75513B86 Main PUSH ECX
"75513B87 Principal LEA EAX, DWORD PTR SS: [EBP-4];"
75513B8A Main PUSH EAX
75513B8B Main PUSH DWORD PTR SS: [EBP + 8]
"75513B8E Main CALL KERNELBA.754EB67A;"
75513B93 Main PUSH DWORD PTR SS: [EBP + 10]
75513B96 Main PUSH DWORD PTR SS: [EBP + C]
75513B99 Main PUSH DWORD PTR SS: [EBP-4]
75513B9C Main PUSH EAX
75513B9D Main PUSH DWORD PTR SS: [EBP + 8]
75513BA0 Main PUSH KERNELBA.754F20AC
75513BA5 Main PUSH KERNELBA.75525880
"75513BAA Main CALL KERNELBA.754EB5CB;"
"75513BAF Main LEAVE;"
"75513BB0 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
7551388F EDI MOV principal, EDI
75513891 Main PUSH EBP
"75513892 Main MOV EBP,ESP ;"
75513894 Main CMP DWORD PTR SS: [EBP + C], - 1
75513898 Main JNZ SHORT KERNELBA.755138A8
755138A8 Main PUSH DWORD PTR SS: [EBP + C]
755138AB Main PUSH KERNELBA.75525880
"755138B0 Main CALL KERNELBA.754EB4E5;"
"755138B5 Main POP EBP;"
"755138B6 Main RETN 8;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
754E7135 EDI MOV principal, EDI
"754E7137 Main PUSH EBP;"
754F0660 00000DEC MOV EDI, EDI
754F0662 00000DEC PUSH EBP
"754F0663 00000DEC MOV EBP,ESP ;"
754F0665 00000DEC PUSH ESI
754F0666 00000DEC MOV ESI, DWORD PTR SS: [EBP + 14]
"754F0669 00000DEC MOV EAX, DWORD PTR DS: [ESI];"
754F066B 00000DEC PUSH EDI
754F066C 00000DEC MOV EDI, DWORD PTR SS: [EBP + 10]
"754F066F 00000DEC ADICIONAR EAX, EAX;"
754F0671 00000DEC MOV DWORD PTR SS: [EBP + 14], EAX
"754F0674 00000DEC LEA EAX, DWORD PTR SS: [EBP + 14];"
754F0677 00000DEC PUSH EAX
754F0678 00000DEC PUSH EDI
754F0679 00000DEC PUSH DWORD PTR SS: [EBP + C]
754F067C 00000DEC PUSH DWORD PTR SS: [EBP + 8]
"754F067F 00000DEC CALL KERNELBA.754F06B0;"
"754E7138 Main MOV EBP,ESP ;"
"754E713A Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754E713D Main PUSH 0C
"754E713F Main POP EDX;"
754E7140 TEST PRINCIPAL ECX, ECX
754E7142 Principal JE SHORT KERNELBA.754E7163
754E7144 Main PUSH ESI
754E7145 Main PUSH 0A
"754E7147 Main POP ESI;"
754E7148 Principal MOVZX EAX, WORD PTR DS: [ECX]
754E714B Main TEST AX, AX
754E714E Principal JE SHORT KERNELBA.754E7162
754E7150 PRINCIPAL TEST ESI, ESI
754E7152 Principal JE SHORT KERNELBA.754E7162
"754E7154 Main AND EAX, 0DF;"
"754E7159 ADD principal EDX, EDX;"
"754E715B Main XOR EDX, EAX;"
"754E715D Main INC ECX;"
"754E715E Main INC ECX;"
"754E715F Main DEC ESI;"
"754E7160 Main JMP SHORT KERNELBA.754E7148;"
"754E7162 Main POP ESI;"
"754E7163 MOV principal EAX, DWORD PTR SS: [EBP + C];"
"754E7166 Main SHR EAX, 8;"
"754E7169 Main XOR EDX, EAX;"
"754E716B MOV principal EAX, EDX;"
"754E716D SAR EAX principal, 8;"
"754E7170 ADD EAX, EDX;"
"754E7172 Main AND EAX, 7F;"
"754E7175 Main POP EBP;"
"754E7176 Main RETN 8;"
754ED049 EDI MOV principal, EDI
754ED04B Main PUSH EBP
"754ED04C Main MOV EBP,ESP ;"
754ED04E Principal MOV ECX, DWORD PTR SS: [EBP + 8]
754ED051 Main PUSH 0C
"754ED053 Main POP EDX;"
754ED054 TEST principal ECX, ECX
754ED056 Principal JE SHORT KERNELBA.754ED077
754ED058 Main PUSH ESI
754ED059 Main PUSH 0A
"754ED05B Main POP ESI;"
"754ED05C Principal MOVZX EAX, WORD PTR DS: [ECX];"
754ED05F Main TEST AX, AX
754ED062 Principal JE SHORT KERNELBA.754ED076
754ED064 Principal TEST ESI, ESI
754ED066 Principal JE SHORT KERNELBA.754ED076
"754ED068 Main AND EAX, 0DF;"
"754ED06D Main ADD EDX, EDX;"
"754ED06F Principal XOR EDX, EAX;"
"754ED071 Main INC ECX;"
"754ED072 Main INC ECX;"
"754ED073 Main DEC ESI;"
"754ED074 Main JMP SHORT KERNELBA.754ED05C;"
"754ED076 Main POP ESI;"
"754ED077 Principal MOV EAX, EDX;"
"754ED079 Principal SAR EAX, 8;"
"754ED07C ADD EAX, EDX;"
"754ED07E Main AND EAX, 7F;"
"754ED081 Main POP EBP;"
"754ED082 Main RETN 4;"
75521434 EDI MOV principal, EDI
75521436 Main PUSH EBX
"75521437 Main MOV EBX,ESP ;"
75521439 Main PUSH ECX
7552143A Main PUSH ECX
7552143B Principal E ESP, FFFFFFE0
7552143E ADD PRINCIPAL ESP, 4
75521441 Main PUSH EBP
"75521442 Principal MOV EBP, DWORD PTR DS: [EBX + 4];"
75521445 Main MOV DWORD PTR SS:[ESP+4],EBP
"75521449 Main MOV EBP,ESP ;"
7552144B Main SUB ESP,458
"75521451 Principal MOV EAX, DWORD PTR DS: [755259A0];"
"75521456 Main XOR EAX, EBP;"
75521458 Principal MOV DWORD PTR SS: [EBP-4], EAX
7552145B Main PUSH ESI
"7552145C Principal MOV ESI, DWORD PTR DS: [EBX + 8];"
7552145F Main PUSH EDI
"75521460 MOV Principal EDI, DWORD PTR DS: [EBX + C];"
"75521463 Main CALL KERNELBA.754F393A;"
75521468 TEST EAX principal, EAX
7552146A Main JNZ SHORT KERNELBA.75521473
75521473 Main PUSH 104
"75521478 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
7552147E Main PUSH EAX
7552147F Main PUSH 8
75521481 Main PUSH 10
75521483 Main PUSH DWORD PTR DS: [ESI + 4]
"75521486 Main CALL KERNELBA.754F4ABE;"
754ECF95 EDI MOV principal, EDI
754ECF97 Main PUSH EBP
"754ECF98 Main MOV EBP,ESP ;"
"754ECF9A MOV principal EDX, DWORD PTR SS: [EBP + C];"
"754ECF9D Principal XOR EAX, EAX;"
754ECF9F Main TEST EDX, EDX
754ECFA1 Principal JE SHORT KERNELBA.754ECFC5
754ECFA3 Main CMP EDX, 7FFFFFFF
754ECFA9 Main JA SHORT KERNELBA.754ECFC5
754ECFAB Principal TEST EAX, EAX
754ECFAD Principal JL SHORT KERNELBA.754ECFC1
"754ECFAF MOV principal EAX, DWORD PTR SS: [EBP + 10];"
754ECFB2 Principal MOV ECX, DWORD PTR SS: [EBP + 8]
754ECFB5 Main PUSH 7FFFFFFE
754ECFBA Main PUSH 0
"754ECFBC Main CALL KERNELBA.754ECF3C;"
"754ECFC1 Main POP EBP;"
"754ECFC2 Main RETN 0C;"
7552148B TEST EAX principal, EAX
7552148D Main JNZ SHORT KERNELBA.7552146C
7552148F Main PUSH 2E
"75521491 Main POP EAX;"
75521492 Main PUSH 0FB
75521497 Main MOV WORD PTR SS: [EBP-200], AX
"7552149E Principal LEA EAX, DWORD PTR SS: [EBP-1FE];"
755214A4 Main PUSH EAX
755214A5 Main PUSH 8
755214A7 Main PUSH 10
755214A9 Main PUSH DWORD PTR DS: [ESI + 8]
"755214AC Main CALL KERNELBA.754F4ABE;"
755214B1 TEST EAX principal, EAX
755214B3 Principal JNZ SHORT KERNELBA.7552146C
"755214B5 Principal XOR ESI, ESI;"
755214B7 Main PUSH ESI
755214B8 Main PUSH 1
"755214BA Principal LEA EAX, DWORD PTR SS: [EBP-440];"
755214C0 Principal MOV DWORD PTR SS: [EBP-444], EAX
755214C6 Main PUSH 214
"755214CB Principal LEA EAX, DWORD PTR SS: [EBP-444];"
755214D1 Main PUSH EAX
"755214D2 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
755214D8 Main PUSH EAX
755214D9 Main PUSH DWORD PTR DS: [75525944]
"755214DF Main CALL KERNELBA.754ED2F0;"
755214E4 TEST EAX principal, EAX
755214E6 Main JNZ SHORT KERNELBA.7552146C
"7552146C Principal XOR EAX, EAX;"
7552146E Principal JMP KERNELBA.7552151D
"7552151D Principal MOV ECX, DWORD PTR SS: [EBP-4];"
"75521520 POP EDI principal;"
"75521521 Principal XOR ECX, EBP;"
"75521523 Main POP ESI;"
75521524 Principal CALL KERNELBA.754E68A6
75521529 Main MOV ESP,EBP
"7552152B Main POP EBP;"
7552152C Main MOV ESP,EBX
"7552152E Main POP EBX;"
7552152F Main RETN 0C
754E7030 Main PUSH EBP
"754E7031 Main MOV EBP,ESP ;"
754E7033 Main PUSH ESI
"754E7034 Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
754E7037 TEST PRINCIPAL ESI, ESI
754E7039 Principal JE SHORT KERNELBA.754E7050
"754E703B Main CALL KERNELBA.754E6EA8;"
"754E7040 Principal MOV ECX, DWORD PTR DS: [EAX + 8];"
754E7043 Main CMP ECX, DWORD PTR DS: [ESI + 8]
754E7046 Main JNZ SHORT KERNELBA.754E7058
"754E7048 Principal MOV EAX, DWORD PTR DS: [EAX + 4];"
754E704B Principal CMP EAX, DWORD PTR DS: [ESI + 4]
754E704E Main JNZ SHORT KERNELBA.754E7058
"754E7050 Main XOR EAX, EAX;"
"754E7052 Main INC EAX;"
"754E7053 Main POP ESI;"
"754E7054 Main POP EBP;"
"754E7055 Main RETN 4;"
754F2B4F EDI MOV principal, EDI
754F2B51 Main PUSH EBP
"754F2B52 Main MOV EBP,ESP ;"
754F2B54 Principal XOR EAX, EAX
754F2B56 Main CMP DWORD PTR DS: [EAX * 4 + 75525E80], 0
754F2B5E Main JNZ SHORT KERNELBA.754F2B78
"754F2B78 Principal INC EAX;"
754F2B79 Principal CMP EAX, 0A
"754F2B7C Main JGE SHORT KERNELBA.754F2B6A;"
"754F0684 00000DEC MOV ECX, DWORD PTR SS: [EBP + 14];"
"754F0687 00000DEC SHR ECX, 1;"
754F0689 00000DEC MOV DWORD PTR DS: [ESI], ECX
754F068B 00000DEC TEST EAX, EAX
754F068D 00000DEC JL SHORT KERNELBA.754F069E
754F068F 00000DEC TEST ECX, ECX
754F0691 00000DEC JBE SHORT KERNELBA.754F06A4
754F0693 00000DEC CMP WORD PTR DS: [EDI + ECX * 2-2], 0
754F0699 00000DEC JNZ SHORT KERNELBA.754F06A4
"754F069B 00000DEC DEC ECX;"
754F069C 00000DEC MOV DWORD PTR DS: [ESI], ECX
754F069E 00000DEC POP EDI
754F069F 00000DEC POP ESI
"754F06A0 00000DEC POP EBP;"
"754F06A1 00000DEC RETN 10;"
754F2B7E Main JMP SHORT KERNELBA.754F2B56
"754F2B60 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754F2B63 Principal MOV DWORD PTR DS: [EAX * 4 + 75525E80], ECX
"754F2B6A Principal XOR ECX, ECX;"
754F2B6C Principal CMP EAX, 0A
"754F2B6F Main SETNE CL;"
754F2B72 Principal MOV EAX, ECX
"754F2B74 Main POP EBP;"
"754F2B75 Main RETN 4;"
754EB89E Main PUSH EBP
"754EB89F Main MOV EBP,ESP ;"
"754EB8A1 Principal MOV EDX, DWORD PTR SS: [EBP + 8];"
"754EB8A4 Principal MOV ECX, DWORD PTR DS: [754EB8E0];"
754EB8AA Principal MOVZX EAX, DL
"754EB8AD Main SHR EDX, 8;"
754EB8B0 Principal MOVZX EDX, DL
754EB8B3 Main PUSH ESI
"754EB8B4 Principal MOV ESI, DWORD PTR DS: [ECX + 30];"
"754EB8B7 Principal MOVZX EDX, WORD PTR DS: [ESI + EDX * 2];"
754EB8BB Main PUSH EDI
"754EB8BC MOV Principal EDI, EAX;"
"754EB8BE Main SHR EDX, 1;"
"754EB8C0 Main SHR EDI, 4;"
"754EB8C3 Main ADD EDX, EDI;"
"754EB8C5 Principal MOVZX EDX, WORD PTR DS: [ESI + EDX * 2];"
"754EB8C9 Main AND EAX, 0F;"
"754EB8CC Main ADD EDX, ESI;"
"754EB8CE Principal MOVZX EAX, BYTE PTR DS: [EAX + EDX];"
"754EB8D2 Principal IMUL EAX, EAX, 6;"
"754EB8D5 ADD principal EAX, DWORD PTR DS: [ECX + 2C];"
"754EB8D8 POP EDI principal;"
"754EB8D9 Main POP ESI;"
"754EB8DA Main POP EBP;"
"754EB8DB Main RETN 4;"
EqualSid MOV EDI, EDI
754EAC74 00000DEC PUSH EBP
"754EAC75 00000DEC MOV EBP,ESP ;"
754EAC77 00000DEC PUSH 0
754EAC79 00000DEC CALL DWORD PTR DS: [<& ntdll.RtlSetLastWin32E
754EAC7F 00000DEC PUSH DWORD PTR SS: [EBP + C]
754EAC82 00000DEC PUSH DWORD PTR SS: [EBP + 8]
"754EAC85 00000DEC CALL DWORD PTR DS: [<& ntdll.RtlEqualSid>];"
754EAC8B 00000DEC MOVZX EAX, AL
"754EAC8E 00000DEC POP EBP;"
"754EAC8F 00000DEC RETN 8;"
FindFirstFileW MOV EDI, EDI
754EB451 Main PUSH EBP
"754EB452 Main MOV EBP,ESP ;"
"754EB454 Principal XOR EAX, EAX;"
754EB456 Main PUSH EAX
754EB457 Main PUSH EAX
754EB458 Main PUSH EAX
754EB459 Main PUSH DWORD PTR SS: [EBP + C]
754EB45C Main PUSH EAX
754EB45D Main PUSH DWORD PTR SS: [EBP + 8]
"754EB460 Main CALL KERNELBA.FindFirstFileExW;"
"754EB465 Main POP EBP;"
"754EB466 Main RETN 8;"
"754EE014 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754EE017 Main ADD EAX, 1C;"
754EE01A Main PUSH EAX
754EE01B Principal CALL DWORD PTR DS: [<& ntdll.RtlLeaveCritical
"754EE021 Main RETN;"
"KiFastSystemCallR> RETN;"
754F1B31 Main PUSH EBP
"754F1B32 Main MOV EBP,ESP ;"
"754F1B34 Main PUSH DWORD PTR SS: [EBP + 14];"
"754F1B37 Main PUSH DWORD PTR SS: [EBP + 10];"
"754F1B3A Main PUSH DWORD PTR SS: [EBP + C];"
"754F1B3D Main PUSH DWORD PTR SS: [EBP + 8];"
"754F1B40 Main PUSH -1;"
"754F1B42 Main CALL KERNELBA.VirtualProtectEx ;"
"754F1B47 Main POP EBP;"
"754F1B48 Main RETN 10;"
"7551389A Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551389D ADD principal EAX, -0C;"
"755138A0 Main PUSH EAX;"
755138A1 Principal CALL KERNELBA.754E8E9D
754E8E9D EDI MOV principal, EDI
754E8E9F Main PUSH EBP
"754E8EA0 Main MOV EBP,ESP ;"
754E8EA2 Main PUSH DWORD PTR SS: [EBP + 8]
"754E8EA5 Principal MOV EAX, DWORD PTR FS: [18];"
"754E8EAB Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754E8EAE Main PUSH 0
754E8EB0 Main PUSH DWORD PTR DS: [EAX + 18]
"754E8EB3 Principal CALL DWORD PTR DS: [<& ntdll.RtlFreeHeap>];"
"754E8EB9 Main POP EBP;"
754E8EBA Main RETN 4
"755138A6 Main JMP SHORT KERNELBA.755138B5;"
754EBDC1 Main PUSH EBP
"754EBDC2 Main MOV EBP,ESP ;"
754EBDC4 Main PUSH ECX
754EBDC5 Main PUSH ECX
754EBDC6 Main PUSH DWORD PTR SS: [EBP + 8]
"754EBDC9 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EBDCC Main PUSH EAX
"754EBDCD Main CALL KERNELBA.754E8745;"
754EBDD2 TEST EAX principal, EAX
754EBDD4 Principal JE SHORT KERNELBA.754EBDF4
754EBDD6 Main PUSH ESI
"754EBDD7 Main PUSH DWORD PTR SS: [EBP + 10];"
"754EBDDA Main PUSH DWORD PTR SS: [EBP + C];"
"754EBDDD Main PUSH DWORD PTR SS: [EBP-4];"
"754EBDE0 Main CALL KERNELBA.LoadLibraryExW;"
"754EBDE5 Principal MOV ESI, EAX;"
"754EBDE7 Main LEA EAX, DWORD PTR SS: [EBP-8];"
754EBDEA Main PUSH EAX
754EBDEB Main CALL DWORD PTR DS: [<& ntdll.RtlFreeUnicodeSt
"754EBDF1 Principal MOV EAX, ESI;"
"754EBDF3 Main POP ESI;"
"754EBDF4 Main LEAVE;"
"754EBDF5 Main RETN 0C;"
754EE623 Main PUSH EBP
"754EE624 Main MOV EBP,ESP ;"
754EE626 Main PUSH ESI
754EE627 Main PUSH DWORD PTR SS: [EBP + 10]
754EE62A Principal XOR ESI, ESI
754EE62C Main PUSH DWORD PTR SS: [EBP + C]
754EE62F Main PUSH DWORD PTR SS: [EBP + 8]
"754EE632 Main CALL KERNELBA.754EE597;"
"754EE637 Main DEC EAX;"
754EE638 Principal JE SHORT KERNELBA.754EE653
"754EE63A Principal DEC EAX;"
754EE63B Principal JE SHORT KERNELBA.754EE650
754EE63D Main PUSH DWORD PTR SS: [EBP + 10]
754EE640 Main PUSH DWORD PTR SS: [EBP + C]
754EE643 Main PUSH DWORD PTR SS: [EBP + 8]
754EE646 Main PUSH ESI
"754EE647 Main CALL KERNELBA.754E8512;"
"754EBE7F Main PUSH DWORD PTR SS: [EBP-24];"
"754EBE82 Main PUSH DWORD PTR SS: [EBP-28];"
754EBE85 Main CALL KERNELBA.BaseReleaseProcessDllPath
BaseReleaseProces> MOV EDI, EDI
754EB544 Main PUSH EBP
"754EB545 Main MOV EBP,ESP ;"
"754EB547 Main PUSH DWORD PTR SS: [EBP + C];"
"754EB54A Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754EB54D Main ADD EAX, -4;"
"754EB550 Main PUSH EAX;"
"754EB551 Main CALL KERNELBA.7551388F;"
"754EB556 Main POP EBP;"
754EB557 Main RETN 8
"754EBE8A Main RETN;"
754EE64C TEST EAX principal, EAX
754EE64E Principal JE SHORT KERNELBA.754EE653
754EE653 Principal MOV EAX, ESI
754EE655 Main POP ESI
"754EE656 Main POP EBP;"
"754EE657 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"754E8A72 Principal MOV EAX, ECX;"
"754E8A74 Principal XOR ECX, ECX;"
754E8A76 Main PUSH ESI
754E8A77 Principal MOV ESI, EAX
754E8A79 Main CMP WORD PTR DS:[EAX],CX
754E8A7C Principal JE SHORT KERNELBA.754E8AF1
754E8A7E Main PUSH 2
"754E8A80 Main POP EDX;"
"754E8A81 ADD EAX, EDX;"
754E8A83 Main CMP WORD PTR DS:[EAX],CX
754E8A86 Principal JE SHORT KERNELBA.754E8AF1
"754E8A88 ADD EAX, EDX;"
754E8A8A Main CMP WORD PTR DS:[EAX],CX
754E8A8D Principal JE SHORT KERNELBA.754E8AF1
"754E8A8F ADD EAX, EDX;"
754E8A91 Main CMP WORD PTR DS:[EAX],CX
754E8A94 Principal JE SHORT KERNELBA.754E8AF1
"754E8A96 ADD principal EAX, EDX;"
754E8A98 Main CMP WORD PTR DS:[EAX],CX
754E8A9B Principal JE SHORT KERNELBA.754E8AF1
"754E8A9D Main ADD EAX, EDX;"
754E8A9F Main CMP WORD PTR DS:[EAX],CX
754E8AA2 Principal JE SHORT KERNELBA.754E8AF1
"754E8AA4 ADD EAX, EDX;"
754E8AA6 Main CMP WORD PTR DS:[EAX],CX
754E8AA9 Principal JE SHORT KERNELBA.754E8AF1
"754E8AAB ADD EAX, EDX;"
754E8AAD Main CMP WORD PTR DS:[EAX],CX
754E8AB0 Principal JE SHORT KERNELBA.754E8AF1
"754E8AB2 ADD EAX, EDX;"
754E8AB4 Main CMP WORD PTR DS:[EAX],CX
754E8AB7 Principal JE SHORT KERNELBA.754E8AF1
"754E8AB9 Main ADD EAX, EDX;"
754E8ABB Main CMP WORD PTR DS:[EAX],CX
754E8ABE Principal JE SHORT KERNELBA.754E8AF1
"754E8AC0 ADD EAX, EDX;"
754E8AC2 Main CMP WORD PTR DS:[EAX],CX
754E8AC5 Principal JE SHORT KERNELBA.754E8AF1
"754E8AC7 ADD EAX, EDX;"
754E8AC9 Main CMP WORD PTR DS:[EAX],CX
754E8ACC Principal JE SHORT KERNELBA.754E8AF1
"754E8ACE Main ADD EAX, EDX;"
754E8AD0 Main CMP WORD PTR DS:[EAX],CX
754E8AD3 Principal JE SHORT KERNELBA.754E8AF1
"754E8AD5 ADD EAX, EDX;"
754E8AD7 Main CMP WORD PTR DS:[EAX],CX
754E8ADA Principal JE SHORT KERNELBA.754E8AF1
"754E8ADC ADD EAX, EDX;"
754E8ADE Main CMP WORD PTR DS:[EAX],CX
754E8AE1 Principal JE SHORT KERNELBA.754E8AF1
"754E8AE3 ADD EAX, EDX;"
754E8AE5 Main CMP WORD PTR DS:[EAX],CX
754E8AE8 Principal JE SHORT KERNELBA.754E8AF1
"754E8AEA ADD EAX, EDX;"
754E8AEC Main CMP WORD PTR DS:[EAX],CX
754E8AEF Main JNZ SHORT KERNELBA.754E8A81
"754E8AF1 Principal SUB EAX, ESI;"
"754E8AF3 SAR principal EAX, 1;"
754E8AF5 Principal POP ESI
"754E8AF6 Main RETN;"
754EE650 Principal XOR ESI, ESI
"754EE652 Main INC ESI;"
75513C21 EDI MOV principal, EDI
75513C23 Main PUSH EBP
"75513C24 Main MOV EBP,ESP ;"
75513C26 Main PUSH EBX
"75513C27 Principal MOV EBX, DWORD PTR SS: [EBP + 10];"
75513C2A Main PUSH ESI
75513C2B Main PUSH EDI
"75513C2C MOV principal EDI, 1000;"
75513C31 Main CMP DWORD PTR SS: [EBP + C], EDI
75513C34 Main JNZ SHORT KERNELBA.75513C7B
75513C7B Main PUSH DWORD PTR SS: [EBP + C]
75513C7E Main PUSH DWORD PTR SS: [EBP + 8]
75513C81 Principal CALL KERNELBA.75513A7B
75513A7B Main PUSH 30
75513A7D Main PUSH KERNELBA.75513B60
"75513A82 Main CALL KERNELBA.754E16A0;"
"75513A87 Principal MOV ECX, DWORD PTR SS: [EBP + C];"
75513A8A TEST ECX principal, 1000
75513A90 Principal JE SHORT KERNELBA.75513A98
"75513A98 Principal XOR EBX, EBX;"
"75513A9A Principal XOR EAX, EAX;"
"75513A9C Principal XOR EDX, EDX;"
"75513A9E Main INC EDX;"
75513A9F TEST ECX principal, 100
75513AA5 Principal JE SHORT KERNELBA.75513AB0
75513AB0 TEST ECX principal, 200
75513AB6 Principal JE SHORT KERNELBA.75513AC1
75513AC1 TEST ECX principal, 400
75513AC7 Principal JE SHORT KERNELBA.75513ADC
75513ADC Principal MOV DWORD PTR SS: [EBP + C], EBX
75513ADF TEST ECX principal, 800
75513AE5 Principal JE SHORT KERNELBA.75513AF0
75513AE7 Main MOV DWORD PTR SS: [EBP + EAX * 4-40], 9
"75513AEF Main INC EAX;"
75513AF0 Principal MOV DWORD PTR SS: [EBP + EAX * 4-40], EBX
"75513AF4 Principal XOR EDI, EDI;"
"75513AF6 Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
75513AF9 Principal CMP ESI, EBX
75513AFB Principal JE SHORT KERNELBA.75513B0F
75513B0F Main CMP DWORD PTR SS: [EBP + C], EBX
75513B12 Principal JE SHORT KERNELBA.75513B1F
75513B1F Main MOV DWORD PTR SS: [EBP-4], EBX
75513B22 Main PUSH EDI
75513B23 Main PUSH ESI
75513B24 Main PUSH EBX
"75513B25 Principal LEA EAX, DWORD PTR SS: [EBP-40];"
75513B28 Main PUSH EAX
"75513B29 Main CALL KERNELBA.754F1C7F;"
"75513B2E Principal MOV ESI, EAX;"
75513B30 Main PUSH -2
"75513B32 Main LEA EAX, DWORD PTR SS: [EBP-10];"
75513B35 Main PUSH EAX
75513B36 Main PUSH KERNELBA.755259A0
75513B3B Main CALL KERNELBA.755088B4
755088B4 Main PUSH EBX
755088B5 Main PUSH ESI
755088B6 Main PUSH EDI
"755088B7 Main MOV EDX,DWORD PTR SS:[ESP+10] ;"
755088BB Main MOV EAX,DWORD PTR SS:[ESP+14]
"755088BF Main MOV ECX,DWORD PTR SS:[ESP+18] ;"
755088C3 Main PUSH EBP
755088C4 Main PUSH EDX
755088C5 Main PUSH EAX
755088C6 Main PUSH ECX
755088C7 Main PUSH ECX
755088C8 Main PUSH KERNELBA.75508944
755088CD Main PUSH DWORD PTR FS: [0]
"755088D4 Principal MOV EAX, DWORD PTR DS: [755259A0];"
"755088D9 Main XOR EAX,ESP ;"
755088DB Main MOV DWORD PTR SS:[ESP+8],EAX
755088DF Main MOV DWORD PTR FS:[0],ESP
"755088E6 Main MOV EAX,DWORD PTR SS:[ESP+30] ;"
"755088EA Principal MOV EBX, DWORD PTR DS: [EAX + 8];"
"755088ED Main MOV ECX,DWORD PTR SS:[ESP+2C] ;"
"755088F1 Principal XOR EBX, DWORD PTR DS: [ECX];"
"755088F3 Principal MOV ESI, DWORD PTR DS: [EAX + C];"
755088F6 Principal CMP ESI, -2
755088F9 Principal JE SHORT KERNELBA.75508936
"755088FB Main MOV EDX,DWORD PTR SS:[ESP+34] ;"
755088FF Principal CMP EDX, -2
75508902 Mão I SHORT KERNELBA.75508908
75508908 Principal LEA ESI, DWORD PTR DS: [ESI + ESI * 2]
"7550890B Principal LEA EBX, DWORD PTR DS: [EBX + ESI * 4 + 10];"
"7550890F Principal MOV ECX, DWORD PTR DS: [EBX];"
75508911 Principal MOV DWORD PTR DS: [EAX + C], ECX
75508914 Main CMP DWORD PTR DS: [EBX + 4], 0
75508918 Principal JNZ SHORT KERNELBA.755088E6
7550891A Main PUSH 101
"7550891F MOV Principal EAX, DWORD PTR DS: [EBX + 8];"
75508922 Principal CALL KERNELBA.755007D4
755007D4 Main PUSH EBX
755007D5 Main PUSH ECX
"755007D6 Principal MOV EBX, KERNELBA.75525790;"
"755007DB Main MOV ECX,DWORD PTR SS:[ESP+C] ;"
755007DF Principal MOV DWORD PTR DS: [EBX + 8], ECX
755007E2 Principal MOV DWORD PTR DS: [EBX + 4], EAX
755007E5 Principal MOV DWORD PTR DS: [EBX + C], EBP
755007E8 Main PUSH EBP
755007E9 Main PUSH ECX
755007EA Main PUSH EAX
755007EB Main EAX POP
755007EC Main POP ECX
755007ED Principal POP EBP
"755007EE Main POP ECX;"
"755007EF Main POP EBX;"
755007F0 Main RETN 4
"75508927 Principal MOV ECX, 1;"
7550892C Principal MOV EAX, DWORD PTR DS: [EBX + 8]
7550892F Principal CALL KERNELBA.755089A1
755089A1 Principal CALL EAX
75513B4D Main CMP DWORD PTR SS: [EBP + C], 0
755089A3 Main RETN
"75508934 Main JMP SHORT KERNELBA.755088E6;"
75508936 Main POP DWORD PTR FS: [0]
7550893D Principal ADD ESP, 18
75508940 POP EDI principal
"75508941 Main POP ESI;"
"75508942 Main POP EBX;"
75508943 Main RETN
75513B40 Main ADD ESP,0C
"75513B43 Principal MOV EAX, ESI;"
"75513B45 Main CALL KERNELBA.754E17F0;"
75513B4A Main RETN 8
75513C86 Main OR DWORD PTR DS: [EBX], FFFFFFFF
"75513C89 ADD EAX principal, 0C;"
"75513C8C POP POP principal;"
75513C8D Main POP ESI
"75513C8E Main POP EBX;"
"75513C8F Main POP EBP;"
"75513C90 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
7551391C EDI principal MOV, EDI
7551391E Main PUSH EBP
"7551391F Main MOV EBP,ESP ;"
75513921 Main CMP DWORD PTR SS: [EBP + C], - 1
75513925 Main JNZ SHORT KERNELBA.75513935
"75513927 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551392A ADD EAX, -0C;"
"7551392D Main PUSH EAX;"
"7551392E Main CALL KERNELBA.754E8E9D;"
75513933 Principal JMP SHORT KERNELBA.75513942
"75513942 Main POP EBP;"
"75513943 Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
NlsIsUserDefaultL> MOV EDI, EDI
754F8277 Main PUSH EBP
"754F8278 Main MOV EBP,ESP ;"
"754F827A Main CALL KERNELBA.754E6FB9;"
"754F827F MOV principal EDX, DWORD PTR SS: [EBP + 8];"
"754F8282 Main XOR ECX, ECX;"
754F8284 Main CMP EDX, DWORD PTR DS: [EAX + 8]
754F8287 Main SETE CL
"754F828A MOV principal EAX, ECX;"
"754F828C Main POP EBP;"
"754F828D Main RETN 4;"
754EF62C Main PUSH EBP
"754EF62D Main MOV EBP,ESP ;"
"754EF62F Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
"754EF632 Main XOR EDX, EDX;"
"754EF634 Main CALL KERNELBA.GetNamedLocaleHashNode;"
"754EF639 Main POP EBP;"
"754EF63A Main RETN 4;"
7551971B Main PUSH EBP
"7551971C Main MOV EBP,ESP ;"
"7551971E Principal LEA EAX, DWORD PTR SS: [EBP + C];"
75519721 Main PUSH EAX
75519722 Main PUSH DWORD PTR SS: [EBP + C]
"75519725 Main CALL KERNELBA.755018D8;"
7551972A TEST EAX principal, EAX
7551972C Principal JGE SHORT KERNELBA.75519739
"75519739 Main CALL KERNELBA.754E6FB9;"
7551973E Main PUSH DWORD PTR DS: [EAX + 8]
"75519741 Main CALL KERNELBA.754E6EE0;"
"75519746 Main PUSH EAX;"
"75519747 Main PUSH DWORD PTR SS: [EBP + C];"
"7551974A Main PUSH DWORD PTR SS: [EBP + 8];"
"7551974D Main CALL KERNELBA.754ECF95;"
75519752 TEST EAX principal, EAX
75519754 Main JGE SHORT KERNELBA.7551975D
"7551975D Principal LEA EAX, DWORD PTR SS: [EBP + 8];"
75519760 Main PUSH EAX
75519761 Main PUSH 55
75519763 Main PUSH DWORD PTR SS: [EBP + 8]
"75519766 Main CALL KERNELBA.754FA018;"
"7551976B Main LEA EAX, DWORD PTR SS: [EBP + 8];"
7551976E Main PUSH EAX
7551976F Main PUSH DWORD PTR SS: [EBP + 8]
"75519772 Main CALL KERNELBA.754E700B;"
"75519777 Main MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551977A Principal INC EAX;"
"7551977B Main POP EBP;"
"7551977C Main RETN 8;"
754ECFD1 EDI principal MOV, EDI
754ECFD3 Main PUSH EBP
"754ECFD4 Main MOV EBP,ESP ;"
"754ECFD6 MOV principal EDX, DWORD PTR SS: [EBP + C];"
754ECFD9 Main PUSH EBX
"754ECFDA Principal XOR EAX, EAX;"
754ECFDC Main PUSH EDI
"754ECFDD Principal MOV EBX, 7FFFFFFF;"
754ECFE2 TEST principal EDX, EDX
754ECFE4 Principal JE SHORT KERNELBA.754ED030
754ECFE6 Main CMP EDX, EBX
754ECFE8 Main JA SHORT KERNELBA.754ED030
"754ECFEA MOV PRINCIPAL EDI, DWORD PTR SS: [EBP + 8];"
754ECFED Principal TEST EAX, EAX
754ECFEF Principal JL SHORT KERNELBA.754ED040
754ECFF1 Main AND DWORD PTR SS: [EBP + C], 0
754ECFF5 Principal XOR ECX, ECX
754ECFF7 Main PUSH ESI
"754ECFF8 Principal MOV ESI, EDX;"
"754ECFFA Principal MOV EAX, EDI;"
754ECFFC Main CMP EDX, ECX
754ECFFE Principal JE SHORT KERNELBA.754ED037
754ED000 Main CMP WORD PTR DS:[EAX],CX
754ED003 Principal JE SHORT KERNELBA.754ED00A
"754ED005 Main INC EAX;"
"754ED006 Principal INC EAX;"
"754ED007 Main DEC ESI;"
"754ED008 Main JNZ SHORT KERNELBA.754ED000;"
754ED00A Principal CMP ESI, ECX
754ED00C Principal JE SHORT KERNELBA.754ED037
"754ED00E Principal MOV ECX, EDX;"
"754ED010 Principal SUB ECX, ESI;"
"754ED012 Principal MOV EAX, DWORD PTR SS: [EBP + C];"
"754ED015 Main POP ESI;"
754ED016 TEST principal EAX, EAX
754ED018 Main JL SHORT KERNELBA.754ED02A
"754ED01A Principal MOV EAX, DWORD PTR SS: [EBP + 10];"
754ED01D Main PUSH EBX
"754ED01E Principal SUB EDX, ECX;"
754ED020 Main PUSH 0
"754ED022 Principal LEA ECX, DWORD PTR DS: [EDI + ECX * 2];"
"754ED025 Main CALL KERNELBA.754ECF3C;"
"754ED02A POP EDI principal;"
"754ED02B Main POP EBX;"
"754ED02C Main POP EBP;"
"754ED02D Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754E7342 Main PUSH EBP
"754E7343 Main MOV EBP,ESP ;"
754E7345 Main PUSH DWORD PTR SS: [EBP + C]
754E7348 Main PUSH DWORD PTR SS: [EBP + 8]
754E734B Main CALL DWORD PTR DS: [<& ntdll.RtlInitializeCri
754E7351 Principal XOR EAX, EAX
"754E7353 Main INC EAX;"
"754E7354 Main POP EBP;"
"754E7355 Main RETN 8;"
"GetCommandLineA MOV EAX, DWORD PTR DS: [7552578C];"
"754F194C Main RETN;"
754F1954 Main PUSH EBP
"754F1955 Main MOV EBP,ESP ;"
754F1957 Main PUSH DWORD PTR SS: [EBP + 8]
"754F195A MOV principal EAX, DWORD PTR FS: [18];"
"754F1960 Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754F1963 Main PUSH 0
754F1965 Main PUSH DWORD PTR DS: [EAX + 18]
"754F1968 Main CALL DWORD PTR DS: [<& ntdll.RtlFreeHeap>];"
754F196E Principal MOVZX EAX, AL
"754F1971 Main POP EBP;"
"754F1972 Main RETN 4;"
"GetACP MOV EAX, DWORD PTR DS: [75525054];"
"754E92F8 Main RETN;"
"KiFastSystemCallR> RETN;"
754F9241 EDI MOV principal, EDI
754F9243 Main PUSH EBP
"754F9244 Main MOV EBP,ESP ;"
"754F9246 Principal MOV AX, WORD PTR SS: [EBP + 8];"
754F924A Main CMP AX, WORD PTR SS: [EBP + 10]
754F924E Main JA SHORT KERNELBA.754F925D
754F9250 Main CMP AX, WORD PTR SS: [EBP + C]
754F9254 Principal MOVZX EAX, AX
754F9257 Main JB SHORT KERNELBA.754F925D
"754F9259 Main POP EBP;"
"754F925A Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"GetVersion MOV EAX, DWORD PTR FS: [18];"
"754EC20D Principal MOV ECX, DWORD PTR DS: [EAX + 30];"
"754EC210 Principal MOV EAX, DWORD PTR DS: [ECX + B0];"
"754EC216 Principal MOVZX EDX, WORD PTR DS: [ECX + AC];"
"754EC21D Principal XOR EAX, FFFFFFFE;"
"754EC220 Main SHL EAX, 0E;"
"754EC223 Main OR EAX, EDX;"
"754EC225 Main SHL EAX, 8;"
"754EC228 Main OR EAX, DWORD PTR DS: [ECX + A8];"
"754EC22E Main SHL EAX, 8;"
"754EC231 Main OR EAX, DWORD PTR DS: [ECX + A4];"
"754EC237 Main RETN;"
"754E7058 Principal XOR EAX, EAX;"
"754E705A Main JMP SHORT KERNELBA.754E7053;"
754ED5D5 Main PUSH DWORD PTR SS: [EBP-30]
754ED5D8 Principal CALL KERNELBA.BaseDllFreeResourceId
754ED5DD Main PUSH DWORD PTR SS: [EBP-2C]
754ED5E0 Principal CALL KERNELBA.BaseDllFreeResourceId
"754ED5E5 Main RETN;"
SetHandleCount MOV EDI, EDI
754E92E4 Main PUSH EBP
"754E92E5 Main MOV EBP,ESP ;"
754E92E7 MOV principal EAX, DWORD PTR SS: [EBP + 8]
"754E92EA Main POP EBP;"
"754E92EB Main RETN 4;"
"KiFastSystemCallR> RETN;"
754E9ADF 00000360 PUSH EBP
"754E9AE0 00000360 MOV EBP,ESP ;"
754E9AE2 00000360 PUSH DWORD PTR SS: [EBP + 10]
754E9AE5 00000360 PUSH 2
754E9AE7 00000360 PUSH DWORD PTR SS: [EBP + C]
754E9AEA 00000360 PUSH 0
754E9AEC 00000360 PUSH 0C
754E9AEE 00000360 PUSH DWORD PTR SS: [EBP + 8]
"754E9AF1 00000360 CALL KERNELBA.DuplicateTokenEx ;"
"754E9AF6 00000360 POP EBP;"
"754E9AF7 00000360 RETN 0C;"
"GetOEMCP MOV EAX, DWORD PTR DS: [75525048];"
"754ED9B4 Main RETN;"
"NlsGetCacheUpdate> MOV EAX, DWORD PTR DS: [7552504C];"
"754E9308 Principal MOV EAX, DWORD PTR DS: [EAX + 5C8];"
"754E930E Main RETN;"
754F4628 Main PUSH EBP
"754F4629 Main MOV EBP,ESP ;"
754F462B Main PUSH 0
"754F462D Principal LEA EAX, DWORD PTR SS: [EBP + 8];"
754F4630 Main PUSH EAX
"754F4631 Main CALL KERNELBA.NlsValidateLocale;"
754F4636 TEST principal EAX, EAX
754F4638 Principal JE SHORT KERNELBA.754F4640
"754F463A Principal MOV EAX, DWORD PTR DS: [EAX];"
"754F463C Main POP EBP;"
"754F463D Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"GetCommandLineW MOV EAX, DWORD PTR DS: [7552506C];"
"754ED9A9 Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754F0C45 EDI MOV principal, EDI
754F0C47 Main PUSH EBP
"754F0C48 Main MOV EBP,ESP ;"
754F0C4A Main PUSH ECX
754F0C4B Main AND DWORD PTR SS: [EBP-4], 0
754F0C4F Main PUSH EDI
"754F0C50 Principal XOR EDI, EDI;"
754F0C52 Main PUSH EDI
754F0C53 Main PUSH 20019
754F0C58 Main PUSH DWORD PTR SS: [EBP + C]
"754F0C5B Principal LEA EAX, DWORD PTR SS: [EBP-4];"
754F0C5E Main PUSH KERNELBA.754ED3C0
754F0C63 Main PUSH EAX
"754F0C64 Main CALL KERNELBA.OpenRegKey;"
754F0C69 TEST EAX principal, EAX
754F0C6B Main JL SHORT KERNELBA.754F0C9C
754F0C6D Main PUSH EDI
754F0C6E Main PUSH 1
754F0C70 Main PUSH 214
"754F0C75 Principal LEA EAX, DWORD PTR SS: [EBP + 10];"
754F0C78 Main PUSH EAX
754F0C79 Main PUSH DWORD PTR SS: [EBP + 8]
754F0C7C Main PUSH DWORD PTR SS: [EBP-4]
"754F0C7F Main CALL KERNELBA.754ED2F0;"
"754F0C84 Main XOR ECX, ECX;"
754F0C86 TEST principal EAX, EAX
754F0C88 Main SETGE CL
754F0C8B Main CMP DWORD PTR SS: [EBP-4], 0
754F0C8F MOV Principal EDI, ECX
754F0C91 Principal JE SHORT KERNELBA.754F0C9C
"754F0C93 Main PUSH DWORD PTR SS: [EBP-4];"
"754F0C96 Main CALL DWORD PTR DS: [<& ntdll.NtClose>];"
754F0C9C Principal MOV EAX, EDI
"754F0C9E POP EDI principal;"
"754F0C9F Main LEAVE;"
"754F0CA0 Main RETN 0C;"
754F252B Main PUSH EBP
"754F252C Main MOV EBP,ESP ;"
"754F252E Principal MOV EAX, DWORD PTR FS: [18];"
"754F2534 Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754F2537 Main PUSH 30
754F2539 Main PUSH 8
754F253B Main PUSH DWORD PTR DS: [EAX + 18]
754F253E Main CALL DWORD PTR DS: [<& ntdll.RtlAllocateHeap>
754F2544 Principal TEST EAX, EAX
754F2546 Principal JE SHORT KERNELBA.754F254D
"754F2548 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754F254B Principal MOV DWORD PTR DS: [EAX], ECX
"754F254D Main POP EBP;"
"754F254E Main RETN 4;"
754E74DD Principal XOR EAX, EAX
"754E74DF Main INC EAX;"
"754E74E0 Main JMP SHORT KERNELBA.754E74D9;"
754EACBB Main PUSH EBP
"754EACBC Main MOV EBP,ESP ;"
754EACBE Principal MOVZX EAX, BYTE PTR SS: [EBP + 8]
754EACC2 Main PUSH EAX
754EACC3 Principal CALL DWORD PTR DS: [<& ntdll.RtlLengthRequire
"754EACC9 Main POP EBP;"
"754EACCA Main RETN 4;"
OpenEventA MOV EDI, EDI
754EE697 Main PUSH EBP
"754EE698 Main MOV EBP,ESP ;"
754EE69A Main PUSH ECX
754EE69B Main PUSH ECX
754EE69C Main CMP DWORD PTR SS: [EBP + 10], 0
754EE6A0 Principal JE SHORT KERNELBA.754EE6DA
754EE6A2 Main PUSH DWORD PTR SS: [EBP + 10]
"754EE6A5 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EE6A8 Main PUSH EAX
"754EE6A9 Main CALL KERNELBA.754E8745;"
754EE6AE TEST EAX principal, EAX
754EE6B0 Principal JE SHORT KERNELBA.754EE6D6
754EE6B2 Main PUSH ESI
"754EE6B3 Main PUSH DWORD PTR SS: [EBP-4];"
"754EE6B6 Main PUSH DWORD PTR SS: [EBP + C];"
"754EE6B9 Main PUSH DWORD PTR SS: [EBP + 8];"
"754EE6BC Main CALL KERNELBA.OpenEventW;"
754EE6C1 Main CMP DWORD PTR SS: [EBP + 10], 0
"754EE6C5 Principal MOV ESI, EAX;"
754EE6C7 Principal JE SHORT KERNELBA.754EE6D3
"754EE6C9 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EE6CC Main PUSH EAX
754EE6CD Main CALL DWORD PTR DS: [<& ntdll.RtlFreeUnicodeSt
754EE6D3 Principal MOV EAX, ESI
"754EE6D5 Main POP ESI;"
"754EE6D6 Main LEAVE;"
"754EE6D7 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
75513BED EDI MOV principal, EDI
75513BEF Main PUSH EBP
"75513BF0 Main MOV EBP,ESP ;"
75513BF2 Main PUSH ECX
"75513BF3 Principal LEA EAX, DWORD PTR SS: [EBP-4];"
75513BF6 Main PUSH EAX
75513BF7 Main PUSH 0
"75513BF9 Main CALL KERNELBA.754EB67A;"
75513BFE Main PUSH DWORD PTR SS: [EBP + 8]
75513C01 Main PUSH 0
75513C03 Main PUSH DWORD PTR SS: [EBP-4]
75513C06 Main PUSH EAX
75513C07 Main PUSH 0
75513C09 Main PUSH KERNELBA.754F2473
75513C0E Main PUSH KERNELBA.75525800
"75513C13 Main CALL KERNELBA.754EB5CB;"
754F1BC8 Main CMP DWORD PTR SS: [EBP + C], EBX
754F1BCB Main JNZ SHORT KERNELBA.754F1BD3
754F1BCD Main CALL DWORD PTR DS: [<& ntdll.RtlReleasePebLoc
"754F1BD3 Main RETN;"
"75513C18 LEA PRINCIPAL;"
"75513C19 Main RETN 4;"
754F2458 Main PUSH EBP
"754F2459 Main MOV EBP,ESP ;"
"754F245B Main PUSH DWORD PTR SS: [EBP + C];"
"754F245E Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754F2461 Main ADD EAX, -4;"
"754F2464 Main PUSH EAX;"
754F2465 Principal CHAMADA KERNELBA.755138ED
755138ED EDI MOV principal, EDI
755138EF Main PUSH EBP
"755138F0 Main MOV EBP,ESP ;"
755138F2 Main CMP DWORD PTR SS: [EBP + C], - 1
755138F6 Main JNZ SHORT KERNELBA.75513906
75513906 Main PUSH DWORD PTR SS: [EBP + C]
75513909 Main PUSH KERNELBA.75525800
"7551390E Main CALL KERNELBA.754EB4E5;"
"75513913 Main POP EBP;"
75513914 Main RETN 8
"754F246A Main POP EBP;"
"754F246B Main RETN 8;"
"KiFastSystemCallR> RETN;"
754F5048 EDI MOV principal, EDI
754F504A Main PUSH EBP
"754F504B Main MOV EBP,ESP ;"
"754F504D MOV principal EAX, DWORD PTR SS: [EBP + C];"
"754F5050 Principal MOVZX EAX, BYTE PTR DS: [EAX];"
"754F5053 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
"754F5056 Main MOV CX,WORD PTR DS:[ECX+EAX*2] ;"
"754F505A MOV principal EAX, DWORD PTR SS: [EBP + 10];"
754F505D Main PUSH DWORD PTR SS: [EBP + 14]
754F5060 Main MOV WORD PTR DS:[EAX],CX
754F5063 Main PUSH EAX
"754F5064 Main CALL KERNELBA.754F5072;"
"754F5069 Main POP EBP;"
"754F506A Main RETN 10;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
754E180B 00000630 PUSH EBP
"754E180C 00000630 MOV EBP,ESP ;"
"754E180E 00000630 PUSH 0;"
"754E1810 00000630 PUSH DWORD PTR SS: [EBP + 8];"
"754E1813 00000630 CHAMAR KERNELBA.SleepEx;"
GetTimeZoneInform> MOI EDI, EDI
754F6E3C Main PUSH EBP
"754F6E3D Main MOV EBP,ESP ;"
754F6E3F Main PUSH 1
754F6E41 Main PUSH DWORD PTR SS: [EBP + 8]
"754F6E44 Main CALL KERNELBA.754F6E52;"
"754E71E4 Principal MOV EAX, DWORD PTR DS: [75525044];"
"754E71E9 Principal MOV EAX, DWORD PTR DS: [EAX + 91C];"
754E71EF Principal XOR ECX, ECX
754E71F1 Principal CMP EAX, -1
754E71F4 Main SETNE CL
"754E71F7 Principal MOV EAX, ECX;"
"754E71F9 Main RETN;"
754F6F80 EDI MOV principal, EDI
754F6F82 Main PUSH EBP
"754F6F83 Main MOV EBP,ESP ;"
754F6F85 Main SUB ESP,218
"754F6F8B MOV principal EAX, DWORD PTR DS: [755259A0];"
"754F6F90 Principal XOR EAX, EBP;"
754F6F92 Principal MOV DWORD PTR SS: [EBP-4], EAX
754F6F95 Main PUSH EBX
"754F6F96 Principal MOV EBX, DWORD PTR SS: [EBP + C];"
754F6F99 Main PUSH EDI
"754F6F9A MOV Principal EDI, DWORD PTR SS: [EBP + 8];"
754F6F9D Main PUSH EDI
754F6F9E Main PUSH 20
754F6FA0 Main PUSH EBX
"754F6FA1 Main CALL <JMP. & Ntdll.wcscpy_s>;"
754F6FA6 Main ADD ESP,0C
754F6FA9 Main CMP WORD PTR DS: [EDI], 40
754F6FAD Main JNZ KERNELBA.754F707F
754F6FB3 Main PUSH ESI
"754F6FB4 Principal MOV ESI, DWORD PTR DS: [<& ntdll.wcschr>];"
"754F6FBA Main PUSH 5C;"
"754F6FBC Main PUSH EDI;"
"754F6FBD Main CALL ESI;"
"754F6FBF Main POP ECX;"
"754F6FC0 Main POP ECX;"
754F6FC1 TEST EAX principal, EAX
754F6FC3 Main JNZ KERNELBA.754F707E
754F6FC9 Main PUSH 2F
754F6FCB Main PUSH EDI
"754F6FCC Main CALL ESI;"
"754F6FCE Main POP ECX;"
"754F6FCF Main POP ECX;"
754F6FD0 TEST principal EAX, EAX
754F6FD2 Main JNZ KERNELBA.754F707E
754F6FD8 Main PUSH 2C
754F6FDA Main PUSH EDI
"754F6FDB Main CALL ESI;"
"754F6FDD Principal MOV ESI, EAX;"
"754F6FDF Main POP ECX;"
"754F6FE0 Main POP ECX;"
754F6FE1 Principal TEST ESI, ESI
754F6FE3 Principal JE KERNELBA.754F707E
754F6FE9 Main CMP WORD PTR DS: [ESI + 2], 2D
754F6FEE Main JNZ KERNELBA.754F707E
"754F6FF4 Principal LEA EAX, DWORD PTR DS: [ESI + 4];"
754F6FF7 Main PUSH EAX
"754F6FF8 Principal LEA EAX, DWORD PTR SS: [EBP-218];"
754F6FFE Main PUSH EAX
754F6FFF Main CALL DWORD PTR DS: [<& ntdll.RtlInitUnicodeSt
"754F7005 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
754F700B Main PUSH EAX
754F700C Main PUSH 0A
"754F700E Principal LEA EAX, DWORD PTR SS: [EBP-218];"
754F7014 Main PUSH EAX
754F7015 Main CALL DWORD PTR DS: [<& ntdll.RtlUnicodeString
754F701B TEST EAX principal, EAX
754F701D Main JL SHORT KERNELBA.754F707E
"754F701F Main CALL KERNELBA.KernelBaseGetGlobalData;"
"754F7024 Principal SUB ESI, EDI;"
"754F7026 Main ADD EAX, 3C;"
"754F7029 Principal LEA ECX, DWORD PTR DS: [EDI + 2];"
754F702C Main PUSH ECX
"754F702D Principal SAR ESI, 1;"
"754F702F Main DEC ESI;"
754F7030 Main PUSH ESI
754F7031 Main PUSH DWORD PTR DS: [EAX + 4]
"754F7034 Principal LEA EAX, DWORD PTR SS: [EBP-20C];"
754F703A Main PUSH KERNELBA.754F7090
754F703F Main PUSH 208
754F7044 Main PUSH EAX
"754F7045 Main CALL KERNELBA.754ED42B;"
754F704A Main ADD ESP,18
754F704D TEST EAX principal, EAX
754F704F Main JL SHORT KERNELBA.754F707E
"754F7051 Main PUSH 2;"
"754F7053 Main PUSH 0;"
"754F7055 Principal LEA EAX, DWORD PTR SS: [EBP-20C];"
"754F705B Main PUSH EAX;"
"754F705C Main CALL KERNELBA.LoadLibraryExW;"
"754F7061 Principal MOV ESI, EAX;"
754F7063 TEST Principal ESI, ESI
754F7065 Principal JE SHORT KERNELBA.754F707E
754F7067 Main PUSH 0
754F7069 Main PUSH 20
754F706B Main PUSH EBX
754F706C Main PUSH DWORD PTR SS: [EBP-210]
754F7072 Main PUSH ESI
"754F7073 Main CALL KERNELBA.LoadStringBaseExW;"
"754F7078 Main PUSH ESI;"
"754F7079 Main CALL KERNELBA.FreeLibrary;"
"754F707E Main POP ESI;"
"754F707F MOV principal ECX, DWORD PTR SS: [EBP-4];"
"754F7082 Main POP EDI;"
"754F7083 Main XOR ECX, EBP;"
"754F7085 Main POP EBX;"
754F7086 Principal CALL KERNELBA.754E68A6
"754F708B Main LEAVE;"
"754F708C Main RETN 8;"
"754F6E49 Main POP EBP;"
"754F6E4A Main RETN 4;"
754FAEA0 Main PUSH EBP
"754FAEA1 Main MOV EBP,ESP ;"
754FAEA3 Main PUSH 1
754FAEA5 Main PUSH DWORD PTR SS: [EBP + 8]
"754FAEA8 Main CALL KERNELBA.754FC37C;"
754FC3F5 EDI principal MOV, EDI
754FC3F7 Main PUSH EBP
"754FC3F8 Main MOV EBP,ESP ;"
754FC3FA Main PUSH ESI
754FC3FB Main PUSH EDI
754FC3FC Principal MOV EAX, DWORD PTR SS: [EBP + 8]
"754FC3FF Principal MOV ECX, DWORD PTR DS: [EAX];"
"754FC401 Principal MOV EDX, DWORD PTR SS: [EBP + C];"
754FC404 Principal MOV DWORD PTR DS: [EDX], ECX
"754FC406 Principal MOV ECX, DWORD PTR DS: [EAX + 54];"
754FC409 Principal MOV DWORD PTR DS: [EDX + 54], ECX
"754FC40C Principal MOV ECX, DWORD PTR DS: [EAX + A8];"
754FC412 Principal MOV DWORD PTR DS: [EDX + A8], ECX
"754FC418 Main MOV CX,WORD PTR DS:[EAX+44] ;"
754FC41C Main MOV WORD PTR DS:[EDX+44],CX
"754FC420 Main MOV CX,WORD PTR DS:[EAX+46] ;"
754FC424 Main MOV WORD PTR DS:[EDX+46],CX
"754FC428 Main MOV CX,WORD PTR DS:[EAX+52] ;"
754FC42C Main MOV WORD PTR DS:[EDX+48],CX
"754FC430 Main MOV CX,WORD PTR DS:[EAX+48] ;"
754FC434 Main MOV WORD PTR DS:[EDX+4A],CX
"754FC438 Main MOV CX,WORD PTR DS:[EAX+4A] ;"
754FC43C Main MOV WORD PTR DS:[EDX+4C],CX
"754FC440 Main MOV CX,WORD PTR DS:[EAX+4C] ;"
754FC444 Main MOV WORD PTR DS:[EDX+4E],CX
754FC448 Main MOV CX,WORD PTR DS:[EAX+4E]
754FC44C Main MOV WORD PTR DS:[EDX+50],CX
"754FC450 Main MOV CX,WORD PTR DS:[EAX+50] ;"
754FC454 Main MOV WORD PTR DS:[EDX+52],CX
"754FC458 Main MOV CX,WORD PTR DS:[EAX+98] ;"
754FC45F Main MOV WORD PTR DS:[EDX+98],CX
"754FC466 Main MOV CX,WORD PTR DS:[EAX+9A] ;"
754FC46D Main MOV WORD PTR DS:[EDX+9A],CX
"754FC474 Main MOV CX,WORD PTR DS:[EAX+A6] ;"
754FC47B Main MOV WORD PTR DS:[EDX+9C],CX
"754FC482 Main MOV CX,WORD PTR DS:[EAX+9C] ;"
754FC489 Main MOV WORD PTR DS:[EDX+9E],CX
"754FC490 Main MOV CX,WORD PTR DS:[EAX+9E] ;"
754FC497 Main MOV WORD PTR DS:[EDX+A0],CX
"754FC49E Main MOV CX,WORD PTR DS:[EAX+A0] ;"
754FC4A5 Main MOV WORD PTR DS:[EDX+A2],CX
754FC4AC Main MOV CX,WORD PTR DS:[EAX+A2]
754FC4B3 Main MOV WORD PTR DS:[EDX+A4],CX
"754FC4BA Main MOV CX,WORD PTR DS:[EAX+A4] ;"
754FC4C1 Main PUSH 40
754FC4C3 Main MOV WORD PTR DS:[EDX+A6],CX
"754FC4CA Main POP ECX;"
"754FC4CB Principal LEA ESI, DWORD PTR DS: [EAX + AC];"
"754FC4D1 Principal LEA EDI, DWORD PTR DS: [EDX + AC];"
754FC4D7 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FC4D9 Principal MOV AL, BYTE PTR DS: [EAX + 1AC];"
"754FC4DF Main POP EDI;"
754FC4E0 Principal MOV BYTE PTR DS: [EDX + 1AC], AL
"754FC4E6 Main POP ESI;"
"754FC4E7 Main POP EBP;"
"754FC4E8 Main RETN 8;"
"754FAEAD Main POP EBP;"
"754FAEAE Main RETN 4;"
755045D4 Main PUSH EBP
"755045D5 Main MOV EBP,ESP ;"
755045D7 Main PUSH ESI
755045D8 Main PUSH DWORD PTR SS: [EBP + 20]
"755045DB Principal XOR ESI, ESI;"
755045DD Main PUSH DWORD PTR SS: [EBP + 1C]
"755045E0 Principal INC ESI;"
755045E1 Main PUSH DWORD PTR SS: [EBP + 18]
755045E4 Main PUSH DWORD PTR SS: [EBP + 14]
755045E7 Main PUSH DWORD PTR SS: [EBP + 10]
755045EA Main PUSH DWORD PTR SS: [EBP + C]
755045ED Main PUSH DWORD PTR SS: [EBP + 8]
755045F0 Main CALL DWORD PTR DS: [<& ntdll.RtlGetFileMUIPat
755045F6 Principal TEST EAX, EAX
755045F8 Main JL SHORT KERNELBA.75504601
"755045FA Principal MOV EAX, ESI;"
"755045FC Main POP ESI;"
"755045FD Main POP EBP;"
"755045FE Main RETN 1C;"
754FC14D Main PUSH EBP
"754FC14E Main MOV EBP,ESP ;"
754FC150 Principal XOR EAX, EAX
754FC152 TEST principal ECX, ECX
754FC154 Principal JE SHORT KERNELBA.754FC15F
754FC156 Main CMP ECX, DWORD PTR SS: [EBP + 8]
754FC159 Main JA SHORT KERNELBA.754FC15F
"754FC15B Main POP EBP;"
"754FC15C Main RETN 4;"
754FC0CE Main PUSH EBP
"754FC0CF Main MOV EBP,ESP ;"
754FC0D1 Main PUSH EBX
"754FC0D2 Principal MOV EBX, DWORD PTR SS: [EBP + C];"
754FC0D5 Main PUSH ESI
754FC0D6 Principal MOV ESI, EAX
754FC0D8 Main PUSH EDI
"754FC0D9 Principal XOR EAX, EAX;"
"754FC0DB Principal XOR EDI, EDI;"
754FC0DD TEST PRINCIPAL ESI, ESI
754FC0DF Principal JE SHORT KERNELBA.754FC117
754FC0E1 Main CMP DWORD PTR SS: [EBP + 10], EAX
754FC0E4 Principal JE SHORT KERNELBA.754FC0FE
"754FC0E6 Principal MOVZX EDX, WORD PTR DS: [EBX];"
754FC0E9 TEST principal DX, DX
754FC0EC Principal JE SHORT KERNELBA.754FC0FE
754FC0EE Main MOV WORD PTR DS: [ECX], DX
"754FC0F1 Main INC ECX;"
"754FC0F2 Main INC ECX;"
"754FC0F3 Principal INC EBX;"
"754FC0F4 Main INC EBX;"
"754FC0F5 Main DEC ESI;"
754FC0F6 Principal DEC DWORD PTR SS: [EBP + 10]
"754FC0F9 Principal INC EDI;"
754FC0FA Main TEST ESI, ESI
"754FC0FC Main JNZ SHORT KERNELBA.754FC0E1;"
754FC0FE Main TEST ESI, ESI
754FC100 Principal JE SHORT KERNELBA.754FC117
754FC102 Principal XOR EDX, EDX
754FC104 Main MOV WORD PTR DS: [ECX], DX
"754FC107 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754FC10A TEST principal ECX, ECX
754FC10C Principal JE SHORT KERNELBA.754FC110
754FC10E Principal MOV DWORD PTR DS: [ECX], EDI
"754FC110 Main POP EDI;"
"754FC111 Main POP ESI;"
"754FC112 Main POP EBX;"
"754FC113 Main POP EBP;"
"754FC114 Main RETN 0C;"
754F798C Main PUSH DWORD PTR DS: [75525034]
"754F7992 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754F7998 Main RETN;"
"KiFastSystemCallR> RETN;"
"GetThreadLocale MOV EAX, DWORD PTR FS: [18];"
"754E9218 Principal MOV EAX, DWORD PTR DS: [EAX + C4];"
"754E921E Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EFC49 Main PUSH DWORD PTR DS: [75525034]
"754EFC4F Principal CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFC55 Main RETN;"
754EFA9D Main PUSH DWORD PTR DS: [75525034]
"754EFAA3 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFAA9 Main RETN;"
754EFAAF Main PUSH DWORD PTR DS: [75525034]
"754EFAB5 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFABB Main RETN;"
754EE815 Main PUSH DWORD PTR DS: [75525034]
"754EE81B Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EE821 Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
lstrlenA PUSH 8
754E7375 Main PUSH KERNELBA.754E73B0
"754E737A Main CALL KERNELBA.754E16A0;"
"754E737F MOV principal EAX, DWORD PTR SS: [EBP + 8];"
754E7382 TEST principal EAX, EAX
754E7384 Principal JE SHORT KERNELBA.754E73A5
754E7386 Main AND DWORD PTR SS: [EBP-4], 0
"754E738A Principal LEA EDX, DWORD PTR DS: [EAX + 1];"
"754E738D Principal MOV CL, BYTE PTR DS: [EAX];"
"754E738F Main INC EAX;"
754E7390 Main TEST CL, CL
"754E7392 Main JNZ SHORT KERNELBA.754E738D;"
"754E7394 Principal SUB EAX, EDX;"
754E7396 Principal MOV DWORD PTR SS: [EBP-4], - 2
"754E739D Main CALL KERNELBA.754E17F0;"
"754E73A2 Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EC1CA Main PUSH DWORD PTR DS: [75525034]
"754EC1D0 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EC1D6 Main RETN;"
SwitchToThread CALL DWORD PTR DS: [<& ntdll.NtYieldExecution
"ZwYieldExecution MOV EAX, 190;"
"754EC2D4 00000DEC XOR ECX, ECX;"
754EC2D6 00000DEC CMP EAX, 40000024
"754EC2DB 00000DEC SETNE CL;"
"754EC2DE 00000DEC MOV EAX, ECX;"
"754EC2E0 00000DEC RETN;"
"KiFastSystemCallR> RETN;"
754EE32D Main PUSH EBP
"754EE32E Main MOV EBP,ESP ;"
754EE330 Main PUSH DWORD PTR SS: [EBP + 18]
754EE333 Main PUSH DWORD PTR SS: [EBP + 14]
754EE336 Main PUSH DWORD PTR SS: [EBP + 10]
754EE339 Main PUSH DWORD PTR SS: [EBP + C]
754EE33C Main PUSH DWORD PTR SS: [EBP + 8]
754EE33F Main CALL DWORD PTR DS: [<& ntdll.NtQuerySecurityO
754EE345 TEST EAX principal, EAX
754EE347 Main JGE SHORT KERNELBA.754EE355
"754EE349 Main PUSH EAX;"
"754EE34A Main CALL KERNELBA.754E6BA5;"
"754EE34F Principal XOR EAX, EAX;"
"754EE351 Main POP EBP;"
"754EE352 Main RETN 14;"
754EE355 Principal XOR EAX, EAX
"754EE357 Main INC EAX;"
"754EE358 Main JMP SHORT KERNELBA.754EE351;"
"KiFastSystemCallR> RETN;"
"754E1818 00000630 POP EBP;"
"754E1819 00000630 RETN 4;"
[17:50:18] Thread 000005A4 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:50:48] Thread 00000630 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754F41BA Main PUSH EBP
"754F41BB Main MOV EBP,ESP ;"
754F41BD Main PUSH DWORD PTR SS: [EBP + C]
"754F41C0 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754F41C3 ADD EAX, EAX;"
754F41C5 Main PUSH EAX
754F41C6 Principal CALL DWORD PTR DS: [<& ntdll.RtlGetCurrentDir
"754F41CC Main SHR EAX, 1;"
"754F41CE Main POP EBP;"
"754F41CF Main RETN 8;"
"FreeResource XOR EAX, EAX;"
"754E917A Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754FCAA4 EDI principal MOV, EDI
754FCAA6 Main PUSH EBP
"754FCAA7 Main MOV EBP,ESP ;"
754FCAA9 Principal MOV EAX, DWORD PTR SS: [EBP + 8]
"754FCAAC Principal MOV ECX, DWORD PTR DS: [EAX];"
"754FCAAE Principal MOV EDX, DWORD PTR SS: [EBP + C];"
754FCAB1 Principal MOV DWORD PTR DS: [EDX], ECX
"754FCAB3 Principal MOV ECX, DWORD PTR DS: [EAX + 54];"
754FCAB6 Principal MOV DWORD PTR DS: [EDX + 54], ECX
"754FCAB9 Principal MOV ECX, DWORD PTR DS: [EAX + A8];"
754FCABF Principal MOV DWORD PTR DS: [EDX + A8], ECX
754FCAC5 Main PUSH ESI
754FCAC6 Main PUSH EDI
754FCAC7 Main PUSH 10
"754FCAC9 Main POP ECX;"
754FCACA Main PUSH 10
"754FCACC Main LEA ESI, DWORD PTR DS: [EAX + 4];"
"754FCACF Main LEA EDI, DWORD PTR DS: [EDX + 4];"
754FCAD2 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FCAD4 Main POP ECX;"
"754FCAD5 Principal LEA ESI, DWORD PTR DS: [EAX + 58];"
"754FCAD8 Principal LEA EDI, DWORD PTR DS: [EDX + 58];"
754FCADB Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
754FCADD Main MOV CX,WORD PTR DS:[EAX+44]
754FCAE1 Main MOV WORD PTR DS:[EDX+44],CX
"754FCAE5 Main MOV CX,WORD PTR DS:[EAX+46] ;"
754FCAE9 Main MOV WORD PTR DS:[EDX+46],CX
"754FCAED Main MOV CX,WORD PTR DS:[EAX+48] ;"
754FCAF1 Main MOV WORD PTR DS:[EDX+52],CX
"754FCAF5 Main MOV CX,WORD PTR DS:[EAX+4A] ;"
754FCAF9 Main MOV WORD PTR DS:[EDX+48],CX
"754FCAFD Main MOV CX,WORD PTR DS:[EAX+4C] ;"
754FCB01 Main MOV WORD PTR DS:[EDX+4A],CX
"754FCB05 Main MOV CX,WORD PTR DS:[EAX+4E] ;"
754FCB09 Main MOV WORD PTR DS:[EDX+4C],CX
754FCB0D Main MOV CX,WORD PTR DS:[EAX+50]
754FCB11 Main MOV WORD PTR DS:[EDX+4E],CX
"754FCB15 Main MOV CX,WORD PTR DS:[EAX+52] ;"
754FCB19 Main MOV WORD PTR DS:[EDX+50],CX
"754FCB1D Main MOV CX,WORD PTR DS:[EAX+98] ;"
754FCB24 Main MOV WORD PTR DS:[EDX+98],CX
"754FCB2B Main MOV CX,WORD PTR DS:[EAX+9A] ;"
754FCB32 Main MOV WORD PTR DS:[EDX+9A],CX
"754FCB39 Main MOV CX,WORD PTR DS:[EAX+9C] ;"
754FCB40 Main MOV WORD PTR DS:[EDX+A6],CX
"754FCB47 Main MOV CX,WORD PTR DS:[EAX+9E] ;"
754FCB4E Main MOV WORD PTR DS:[EDX+9C],CX
"754FCB55 Main MOV CX,WORD PTR DS:[EAX+A0] ;"
754FCB5C Main MOV WORD PTR DS:[EDX+9E],CX
"754FCB63 Main MOV CX,WORD PTR DS:[EAX+A2] ;"
754FCB6A Main MOV WORD PTR DS:[EDX+A0],CX
754FCB71 Main MOV CX,WORD PTR DS:[EAX+A4]
754FCB78 Main MOV WORD PTR DS:[EDX+A2],CX
"754FCB7F Main MOV CX,WORD PTR DS:[EAX+A6] ;"
754FCB86 Main PUSH 40
754FCB88 Main MOV WORD PTR DS:[EDX+A4],CX
"754FCB8F Main POP ECX;"
"754FCB90 Main LEA ESI, DWORD PTR DS: [EAX + AC];"
"754FCB96 Principal LEA EDI, DWORD PTR DS: [EDX + AC];"
754FCB9C Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FCB9E Principal MOV AL, BYTE PTR DS: [EAX + 1AC];"
"754FCBA4 Main POP EDI;"
754FCBA5 Principal MOV BYTE PTR DS: [EDX + 1AC], AL
"754FCBAB Main POP ESI;"
"754FCBAC Main POP EBP;"
"754FCBAD Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EF25F Main PUSH EBP
"754EF260 Main MOV EBP,ESP ;"
754EF262 Main PUSH 0
754EF264 Main PUSH DWORD PTR SS: [EBP + 14]
754EF267 Main PUSH DWORD PTR SS: [EBP + 10]
754EF26A Main PUSH DWORD PTR SS: [EBP + C]
754EF26D Main PUSH DWORD PTR SS: [EBP + 8]
"754EF270 Main CALL KERNELBA.LoadStringBaseExW;"
"754EF275 Main POP EBP;"
"754EF276 Main RETN 10;"
754F818C Main PUSH EBP
"754F818D Main MOV EBP,ESP ;"
754F818F Main PUSH DWORD PTR SS: [EBP + 8]
754F8192 Main PUSH 1
754F8194 Main CALL DWORD PTR DS: [<& ntdll.RtlWow64EnableFs
754F819A TEST EAX principal, EAX
754F819C Principal JGE SHORT KERNELBA.754F81AA
"754F819E Main PUSH EAX;"
"754F819F Main CALL KERNELBA.754E6BA5;"
"754F81A4 Principal XOR EAX, EAX;"
"754F81A6 Main POP EBP;"
"754F81A7 Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 000005D8 RETN 8;"
"KiFastSystemCallR> RETN;"
FormatMessageW MOV EDI,EDI
754EECA2 Main PUSH EBP
"754EECA3 Main MOV EBP,ESP ;"
754EECA5 Main PUSH DWORD PTR SS: [EBP + 20]
754EECA8 Main PUSH DWORD PTR SS: [EBP + 1C]
754EECAB Main PUSH DWORD PTR SS: [EBP + 18]
754EECAE Main PUSH DWORD PTR SS: [EBP + 14]
754EECB1 Main PUSH DWORD PTR SS: [EBP + 10]
754EECB4 Main PUSH DWORD PTR SS: [EBP + C]
754EECB7 Main PUSH DWORD PTR SS: [EBP + 8]
754EECBA Main PUSH 0
"754EECBC Main CALL KERNELBA.754EEACC;"
"754EECC1 Main POP EBP;"
"754EECC2 Main RETN 1C;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
[17:51:37] Exceção 000006BA
754E845D 00000124 LEAVE
"774F6BC9 00000124 MOV ECX,DWORD PTR SS:[ESP+4] ;"
75504E5F Main PUSH EBP
"75504E60 Main MOV EBP,ESP ;"
75504E62 Main PUSH 1
75504E64 Main PUSH DWORD PTR SS: [EBP + 10]
75504E67 Main PUSH DWORD PTR SS: [EBP + C]
75504E6A Main PUSH DWORD PTR SS: [EBP + 8]
"75504E6D Main CALL KERNELBA.754FC63A;"
"75504E72 Main POP EBP;"
"75504E73 Main RETN 0C;"
754FFE14 EDI MOV principal, EDI
754FFE16 Main PUSH EBP
"754FFE17 Main MOV EBP,ESP ;"
754FFE19 Main PUSH ESI
"754FFE1A Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
"754FFE1D Principal MOV ECX, DWORD PTR DS: [ESI];"
754FFE1F CMP principal ECX, 9
754FFE22 Main JA SHORT KERNELBA.754FFE71
754FFE24 Main CMP DWORD PTR DS: [ESI + 4], 1
754FFE28 Main JA SHORT KERNELBA.754FFE71
754FFE2A Main CMP DWORD PTR DS: [ESI + 8], 270F
754FFE31 Main JA SHORT KERNELBA.754FFE71
754FFE33 Main CMP DWORD PTR DS: [ESI + 14], 4
754FFE37 Main JA SHORT KERNELBA.754FFE71
"754FFE39 Principal MOV EAX, DWORD PTR DS: [ESI + C];"
754FFE3C TEST EAX principal, EAX
754FFE3E Principal JE SHORT KERNELBA.754FFE71
"754FFE40 Main XOR EDX, EDX;"
754FFE42 TEST PRINCIPAL ECX, ECX
754FFE44 Main SETNE DL
754FFE47 Main PUSH EDX
754FFE48 Main PUSH 4
754FFE4A Main PUSH EAX
"754FFE4B Main CALL KERNELBA.754FFE7A;"
754FFE50 TEST EAX principal, EAX
754FFE52 Principal JE SHORT KERNELBA.754FFE71
"754FFE54 Principal MOV ESI, DWORD PTR DS: [ESI + 10];"
754FFE57 TEST PRINCIPAL ESI, ESI
754FFE59 Principal JE SHORT KERNELBA.754FFE71
754FFE5B Main PUSH 0
754FFE5D Main PUSH 4
754FFE5F Main PUSH ESI
754FFE60 Main CALL KERNELBA.754FFE7A
754FFE65 TEST EAX principal, EAX
754FFE67 Principal JE SHORT KERNELBA.754FFE71
"754FFE69 Principal XOR EAX, EAX;"
"754FFE6B Main INC EAX;"
"754FFE6C Main POP ESI;"
"754FFE6D Main POP EBP;"
"754FFE6E Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000124 RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000124 RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
[17:51:46] Thread 00000E78 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000CB0 RETN 8;"
KiFastSystemCallR> DIR
"774F658C 00000CB0 RETN 8;"
KiFastSystemCallR> DIR
"774F658C 00000CB0 RETN 8;"
"KiFastSystemCallR> RETN;"
"774F658C 00000CB0 RETN 8;"
[17:51:51] Thread 00000C48 encerrado, código de saída 0
[17:52:43] Thread 00000C3C encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:52:53] Thread 000008D8 terminou, exit code 0
"KiFastSystemCallR> RETN;"
[17:52:53] Thread 00000770 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:52:53] Thread 00000124 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:52:53] Thread 000005D8 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:52:53] Thread 00000CB0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:52:55] Thread 00000FA0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:53:51] Thread 00000A04 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:55:21] Thread 000007C0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:56:04] Thread 00000FF8 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:56:46] Thread 00000710 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:58:21] Thread 00000AD0 encerrado, código de saída 0
KiFastSystemCallR> DIR
Executar o traçado fechado

dados de um arquivo comprado mas com outro mac

"Endereço Thread Command;"
"754E845E Main RETN 10;"
754E16A0 Main PUSH KERNELBA.755006BD
754E16A5 Main PUSH DWORD PTR FS: [0]
"754E16AC Main MOV EAX,DWORD PTR SS:[ESP+10] ;"
754E16B0 Main MOV DWORD PTR SS:[ESP+10],EBP
"754E16B4 Main LEA EBP,DWORD PTR SS:[ESP+10] ;"
754E16B8 Main SUB ESP,EAX
754E16BA Main PUSH EBX
754E16BB Main PUSH ESI
754E16BC Main PUSH EDI
"754E16BD Principal MOV EAX, DWORD PTR DS: [755259A0];"
754E16C2 Principal XOR DWORD PTR SS: [EBP-4], EAX
"754E16C5 Principal XOR EAX, EBP;"
754E16C7 Main PUSH EAX
754E16C8 Main MOV DWORD PTR SS:[EBP-18],ESP
754E16CB Main PUSH DWORD PTR SS: [EBP-8]
"754E16CE Principal MOV EAX, DWORD PTR SS: [EBP-4];"
754E16D1 Principal MOV DWORD PTR SS: [EBP-4], - 2
754E16D8 Principal MOV DWORD PTR SS: [EBP-8], EAX
"754E16DB Principal LEA EAX, DWORD PTR SS: [EBP-10];"
754E16DE Principal MOV DWORD PTR FS: [0], EAX
"754E16E4 Main RETN;"
754E7B1E Main CMP BYTE PTR SS: [EBP-19], 0
754E7B22 Principal JE SHORT KERNELBA.754E7B2F
754E7B24 Main PUSH DWORD PTR SS: [EBP-24]
754E7B27 Main PUSH 1
754E7B29 Principal CALL DWORD PTR DS: [<& ntdll.LdrUnlockLoaderL
"754E7B2F Main RETN;"
"754E17F0 Principal MOV ECX, DWORD PTR SS: [EBP-10];"
754E17F3 Principal MOV DWORD PTR FS: [0], ECX
"754E17FA Main POP ECX;"
"754E17FB POP EDI principal;"
"754E17FC POP POP EDI;"
"754E17FD Main POP ESI;"
"754E17FE Main POP EBX;"
754E17FF Main MOV ESP,EBP
"754E1801 Main POP EBP;"
754E1802 Main PUSH ECX
"754E1803 Main RETN;"
"GetCurrentThreadI> MOV EAX, DWORD PTR FS: [18];"
"754E6831 Principal MOV EAX, DWORD PTR DS: [EAX + 24];"
"754E6834 Main RETN;"
754E6C51 Main PUSH KERNELBA.755006BD
754E6C56 Main PUSH DWORD PTR FS: [0]
"754E6C5D Main MOV EAX,DWORD PTR SS:[ESP+10] ;"
754E6C61 Main MOV DWORD PTR SS:[ESP+10],EBP
"754E6C65 Main LEA EBP,DWORD PTR SS:[ESP+10] ;"
754E6C69 Main SUB ESP,EAX
754E6C6B Main PUSH EBX
754E6C6C Main PUSH ESI
754E6C6D Main PUSH EDI
"754E6C6E Principal MOV EAX, DWORD PTR DS: [755259A0];"
754E6C73 Principal XOR DWORD PTR SS: [EBP-4], EAX
"754E6C76 Principal XOR EAX, EBP;"
754E6C78 Principal MOV DWORD PTR SS: [EBP-1C], EAX
754E6C7B Main PUSH EAX
754E6C7C Main MOV DWORD PTR SS:[EBP-18],ESP
754E6C7F Main PUSH DWORD PTR SS: [EBP-8]
"754E6C82 Principal MOV EAX, DWORD PTR SS: [EBP-4];"
754E6C85 Principal MOV DWORD PTR SS: [EBP-4], - 2
754E6C8C Principal MOV DWORD PTR SS: [EBP-8], EAX
"754E6C8F LEA principal EAX, DWORD PTR SS: [EBP-10];"
754E6C92 Principal MOV DWORD PTR FS: [0], EAX
"754E6C98 Main RETN;"
"KernelBaseGetGlob> MOV EAX, KERNELBA.755250F0;"
"754E68A0 Main RETN;"
"IsDebuggerPresent MOV EAX, DWORD PTR FS: [18];"
"754EFC6C Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
"754EFC6F Principal MOVZX EAX, BYTE PTR DS: [EAX + 2];"
"754EFC73 Main RETN;"
"GetProcessHeap MOV EAX, DWORD PTR FS: [18];"
"754E68EF 000009E8 MOV EAX, DWORD PTR DS: [EAX + 30];"
"754E68F2 000009E8 MOV EAX, DWORD PTR DS: [EAX + 18];"
"754E68F5 000009E8 RETN;"
754E6BA5 000009E8 MOV EDI, EDI
754E6BA7 000009E8 PUSH EBP
"754E6BA8 000009E8 MOV EBP,ESP ;"
754E6BAA 000009E8 PUSH ESI
754E6BAB 000009E8 PUSH DWORD PTR SS: [EBP + 8]
754E6BAE 000009E8 CALL DWORD PTR DS: [<& ntdll.RtlNtStatusToDos
"754E6BB4 000009E8 MOV ESI, EAX;"
754E6BB6 000009E8 PUSH ESI
754E6BB7 000009E8 CALL DWORD PTR DS: [<& ntdll.RtlSetLastWin32E
"754E6BBD 000009E8 MOV EAX, ESI;"
"754E6BBF 000009E8 POP ESI;"
"754E6BC0 000009E8 POP EBP ;"
"754E6BC1 000009E8 RETN 4 ;"
"GetLastError MOV EAX,DWORD PTR FS:[18] ;"
"754E68BE 000009E8 MOV EAX,DWORD PTR DS:[EAX+34] ;"
"754E68C1 000009E8 RETN ;"
GetSystemInfo MOV EDI,EDI
754EA855 000009E8 PUSH EBP
"754EA856 000009E8 MOV EBP,ESP ;"
754EA858 000009E8 SUB ESP,38
754EA85B 000009E8 PUSH ESI
754EA85C 000009E8 MOV ESI,DWORD PTR DS:[<&ntdll.NtQuerySystem
"754EA862 000009E8 PUSH 0 ;"
"754EA864 000009E8 PUSH 2C ;"
"754EA866 000009E8 LEA EAX,DWORD PTR SS:[EBP-38] ;"
"754EA869 000009E8 PUSH EAX ;"
"754EA86A 000009E8 PUSH 0 ;"
"754EA86C 000009E8 CALL ESI ;"
754EA86E 000009E8 TEST EAX,EAX
754EA870 000009E8 JL SHORT KERNELBA.754EA892
"754EA872 000009E8 PUSH 0 ;"
"754EA874 000009E8 PUSH 0C ;"
"754EA876 000009E8 LEA EAX,DWORD PTR SS:[EBP-C] ;"
"754EA879 000009E8 PUSH EAX ;"
"754EA87A 000009E8 PUSH 1 ;"
"754EA87C 000009E8 CALL ESI ;"
754EA87E 000009E8 TEST EAX,EAX
754EA880 000009E8 JL SHORT KERNELBA.754EA892
754EA882 000009E8 PUSH DWORD PTR SS:[EBP+8]
"754EA885 000009E8 LEA EAX,DWORD PTR SS:[EBP-C] ;"
754EA888 000009E8 PUSH EAX
"754EA889 000009E8 LEA EAX, DWORD PTR SS: [EBP-38];"
754EA88C 000009E8 PUSH EAX
"754EA88D 000009E8 CHAMADA KERNELBA.754EA89C;"
"754EA892 000009E8 POP ESI;"
"754EA893 000009E8 LEAVE;"
"754EA894 000009E8 RETN 4;"
754EBF3F Main PUSH EBP
"754EBF40 Main MOV EBP,ESP ;"
"754EBF42 Main PUSH DWORD PTR SS: [EBP + 10];"
"754EBF45 Main PUSH DWORD PTR SS: [EBP + C];"
"754EBF48 Main PUSH DWORD PTR SS: [EBP + 8];"
"754EBF4B Main PUSH -1;"
"754EBF4D Main CALL KERNELBA.VirtualQueryEx ;"
"754EBF52 Main POP EBP;"
"754EBF53 Main RETN 0C;"
"GetCurrentProcess OU EAX, FFFFFFFF;"
"754E693A Main RETN;"
GetCurrentThread PUSH -2
"754E6942 Main POP EAX;"
754E6943 Main RETN
754E74B8 Main PUSH EBP
"754E74B9 Main MOV EBP,ESP ;"
754E74BB Main PUSH DWORD PTR SS: [EBP + 14]
754E74BE Main PUSH DWORD PTR SS: [EBP + 10]
754E74C1 Main PUSH DWORD PTR SS: [EBP + C]
754E74C4 Main PUSH DWORD PTR SS: [EBP + 8]
754E74C7 Main CALL DWORD PTR DS: [<& ntdll.NtOpenThreadToke
754E74CD TEST EAX principal, EAX
754E74CF Principal JGE SHORT KERNELBA.754E74DD
"754E74D1 Main PUSH EAX;"
"754E74D2 Main CALL KERNELBA.754E6BA5;"
"754E74D7 Main XOR EAX, EAX;"
"754E74D9 Main POP EBP;"
"754E74DA Main RETN 10;"
"GetCurrentProcess> MOV EAX, DWORD PTR FS: [18];"
"754E6988 Principal MOV EAX, DWORD PTR DS: [EAX + 20];"
"754E698B Main RETN;"
754E79A9 Main PUSH EBP
"754E79AA Main MOV EBP,ESP ;"
754E79AC Main PUSH DWORD PTR SS: [EBP + 14]
754E79AF Main PUSH DWORD PTR SS: [EBP + 10]
754E79B2 Main PUSH DWORD PTR SS: [EBP + C]
754E79B5 Main PUSH DWORD PTR SS: [EBP + 8]
754E79B8 Main PUSH -1
"754E79BA Main CALL KERNELBA.VirtualAllocEx ;"
"754E79BF Main POP EBP;"
"754E79C0 Main RETN 10;"
754E7A1E Main PUSH EBP
"754E7A1F Main MOV EBP,ESP ;"
754E7A21 Main PUSH DWORD PTR SS: [EBP + 10]
754E7A24 Main PUSH DWORD PTR SS: [EBP + C]
754E7A27 Main PUSH DWORD PTR SS: [EBP + 8]
754E7A2A Main PUSH -1
"754E7A2C Main CALL KERNELBA.VirtualFreeEx ;"
"754E7A31 Main POP EBP;"
"754E7A32 Main RETN 0C;"
75513B81 EDI MOV principal, EDI
75513B83 Main PUSH EBP
"75513B84 Main MOV EBP,ESP ;"
75513B86 Main PUSH ECX
"75513B87 Principal LEA EAX, DWORD PTR SS: [EBP-4];"
75513B8A Main PUSH EAX
75513B8B Main PUSH DWORD PTR SS: [EBP + 8]
"75513B8E Main CALL KERNELBA.754EB67A;"
75513B93 Main PUSH DWORD PTR SS: [EBP + 10]
75513B96 Main PUSH DWORD PTR SS: [EBP + C]
75513B99 Main PUSH DWORD PTR SS: [EBP-4]
75513B9C Main PUSH EAX
75513B9D Main PUSH DWORD PTR SS: [EBP + 8]
75513BA0 Main PUSH KERNELBA.754F20AC
75513BA5 Main PUSH KERNELBA.75525880
"75513BAA Main CALL KERNELBA.754EB5CB;"
"75513BAF Main LEAVE;"
"75513BB0 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
7551388F EDI MOV principal, EDI
75513891 Main PUSH EBP
"75513892 Main MOV EBP,ESP ;"
75513894 Main CMP DWORD PTR SS: [EBP + C], - 1
75513898 Main JNZ SHORT KERNELBA.755138A8
755138A8 Main PUSH DWORD PTR SS: [EBP + C]
755138AB Main PUSH KERNELBA.75525880
"755138B0 Main CALL KERNELBA.754EB4E5;"
"755138B5 Main POP EBP;"
"755138B6 Main RETN 8;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
754F0660 00000A28 MOV EDI, EDI
754F0662 00000A28 PUSH EBP
"754F0663 00000A28 MOV EBP,ESP ;"
754F0665 00000A28 PUSH ESI
754F0666 00000A28 MOV ESI, DWORD PTR SS: [EBP + 14]
"754F0669 00000A28 MOV EAX, DWORD PTR DS: [ESI];"
754F066B 00000A28 PUSH EDI
754F066C 00000A28 MOV EDI, DWORD PTR SS: [EBP + 10]
"754F066F 00000A28 ADICIONAR EAX, EAX;"
754F0671 00000A28 MOV DWORD PTR SS: [EBP + 14], EAX
"754F0674 00000A28 LEA EAX, DWORD PTR SS: [EBP + 14];"
754F0677 00000A28 PUSH EAX
754F0678 00000A28 PUSH EDI
754F0679 00000A28 PUSH DWORD PTR SS: [EBP + C]
754F067C 00000A28 PUSH DWORD PTR SS: [EBP + 8]
"754F067F 00000A28 CHAMAR KERNELBA.754F06B0;"
"754F0684 00000A28 MOV ECX, DWORD PTR SS: [EBP + 14];"
"754F0687 00000A28 SHR ECX, 1;"
754F0689 00000A28 MOV DWORD PTR DS: [ESI], ECX
754F068B 00000A28 TEST EAX, EAX
754F068D 00000A28 JL SHORT KERNELBA.754F069E
754F068F 00000A28 TEST ECX, ECX
754F0691 00000A28 JBE SHORT KERNELBA.754F06A4
754F0693 00000A28 CMP WORD PTR DS: [EDI + ECX * 2-2], 0
754F0699 00000A28 JNZ SHORT KERNELBA.754F06A4
"754F069B 00000A28 DEC ECX;"
754F069C 00000A28 MOV DWORD PTR DS: [ESI], ECX
754F069E 00000A28 POP EDI
754F069F 00000A28 POP ESI
"754F06A0 00000A28 POP EBP;"
"754F06A1 00000A28 RETN 10;"
EqualSid MOV EDI, EDI
754EAC74 00000A28 PUSH EBP
"754EAC75 00000A28 MOV EBP,ESP ;"
754EAC77 00000A28 PUSH 0
754EAC79 00000A28 CALL DWORD PTR DS: [<& ntdll.RtlSetLastWin32E
754EAC7F 00000A28 PUSH DWORD PTR SS: [EBP + C]
754EAC82 00000A28 PUSH DWORD PTR SS: [EBP + 8]
"754EAC85 00000A28 CALL DWORD PTR DS: [<& ntdll.RtlEqualSid>];"
754EAC8B 00000A28 MOVZX EAX, AL
"754EAC8E 00000A28 POP EBP;"
"754EAC8F 00000A28 RETN 8;"
754E7135 EDI MOV principal, EDI
754E7137 Main PUSH EBP
"754E7138 Main MOV EBP,ESP ;"
"754E713A Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754E713D Main PUSH 0C
"754E713F Main POP EDX;"
754E7140 TEST PRINCIPAL ECX, ECX
754E7142 Principal JE SHORT KERNELBA.754E7163
754E7144 Main PUSH ESI
754E7145 Main PUSH 0A
"754E7147 Main POP ESI;"
754E7148 Principal MOVZX EAX, WORD PTR DS: [ECX]
754E714B Main TEST AX, AX
754E714E Principal JE SHORT KERNELBA.754E7162
754E7150 PRINCIPAL TEST ESI, ESI
754E7152 Principal JE SHORT KERNELBA.754E7162
"754E7154 Main AND EAX, 0DF;"
"754E7159 ADD principal EDX, EDX;"
"754E715B Main XOR EDX, EAX;"
"754E715D Main INC ECX;"
"754E715E Main INC ECX;"
"754E715F Main DEC ESI;"
"754E7160 Main JMP SHORT KERNELBA.754E7148;"
"754E7162 Main POP ESI;"
"754E7163 MOV principal EAX, DWORD PTR SS: [EBP + C];"
"754E7166 Main SHR EAX, 8;"
"754E7169 Main XOR EDX, EAX;"
"754E716B MOV principal EAX, EDX;"
"754E716D SAR EAX principal, 8;"
"754E7170 ADD EAX, EDX;"
"754E7172 Main AND EAX, 7F;"
"754E7175 Main POP EBP;"
"754E7176 Main RETN 8;"
754ED049 EDI MOV principal, EDI
754ED04B Main PUSH EBP
"754ED04C Main MOV EBP,ESP ;"
754ED04E Principal MOV ECX, DWORD PTR SS: [EBP + 8]
754ED051 Main PUSH 0C
"754ED053 Main POP EDX;"
754ED054 TEST principal ECX, ECX
754ED056 Principal JE SHORT KERNELBA.754ED077
754ED058 Main PUSH ESI
754ED059 Main PUSH 0A
"754ED05B Main POP ESI;"
"754ED05C Principal MOVZX EAX, WORD PTR DS: [ECX];"
754ED05F Main TEST AX, AX
754ED062 Principal JE SHORT KERNELBA.754ED076
754ED064 Principal TEST ESI, ESI
754ED066 Principal JE SHORT KERNELBA.754ED076
"754ED068 Main AND EAX, 0DF;"
"754ED06D Main ADD EDX, EDX;"
"754ED06F Principal XOR EDX, EAX;"
"754ED071 Main INC ECX;"
"754ED072 Main INC ECX;"
"754ED073 Main DEC ESI;"
"754ED074 Main JMP SHORT KERNELBA.754ED05C;"
"754ED076 Main POP ESI;"
"754ED077 Principal MOV EAX, EDX;"
"754ED079 Principal SAR EAX, 8;"
"754ED07C ADD EAX, EDX;"
"754ED07E Main AND EAX, 7F;"
"754ED081 Main POP EBP;"
"754ED082 Main RETN 4;"
75521434 EDI MOV principal, EDI
75521436 Main PUSH EBX
"75521437 Main MOV EBX,ESP ;"
75521439 Main PUSH ECX
7552143A Main PUSH ECX
7552143B Principal E ESP, FFFFFFE0
7552143E ADD PRINCIPAL ESP, 4
75521441 Main PUSH EBP
"75521442 Principal MOV EBP, DWORD PTR DS: [EBX + 4];"
75521445 Main MOV DWORD PTR SS:[ESP+4],EBP
"75521449 Main MOV EBP,ESP ;"
7552144B Main SUB ESP,458
"75521451 Principal MOV EAX, DWORD PTR DS: [755259A0];"
"75521456 Main XOR EAX, EBP;"
75521458 Principal MOV DWORD PTR SS: [EBP-4], EAX
7552145B Main PUSH ESI
"7552145C Principal MOV ESI, DWORD PTR DS: [EBX + 8];"
7552145F Main PUSH EDI
"75521460 MOV Principal EDI, DWORD PTR DS: [EBX + C];"
"75521463 Main CALL KERNELBA.754F393A;"
75521468 TEST EAX principal, EAX
7552146A Main JNZ SHORT KERNELBA.75521473
75521473 Main PUSH 104
"75521478 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
7552147E Main PUSH EAX
7552147F Main PUSH 8
75521481 Main PUSH 10
75521483 Main PUSH DWORD PTR DS: [ESI + 4]
"75521486 Main CALL KERNELBA.754F4ABE;"
754ECF95 EDI MOV principal, EDI
754ECF97 Main PUSH EBP
"754ECF98 Main MOV EBP,ESP ;"
"754ECF9A MOV principal EDX, DWORD PTR SS: [EBP + C];"
"754ECF9D Principal XOR EAX, EAX;"
754ECF9F Main TEST EDX, EDX
754ECFA1 Principal JE SHORT KERNELBA.754ECFC5
754ECFA3 Main CMP EDX, 7FFFFFFF
754ECFA9 Main JA SHORT KERNELBA.754ECFC5
754ECFAB Principal TEST EAX, EAX
754ECFAD Principal JL SHORT KERNELBA.754ECFC1
"754ECFAF MOV principal EAX, DWORD PTR SS: [EBP + 10];"
754ECFB2 Principal MOV ECX, DWORD PTR SS: [EBP + 8]
754ECFB5 Main PUSH 7FFFFFFE
754ECFBA Main PUSH 0
"754ECFBC Main CALL KERNELBA.754ECF3C;"
"754ECFC1 Main POP EBP;"
"754ECFC2 Main RETN 0C;"
7552148B TEST EAX principal, EAX
7552148D Main JNZ SHORT KERNELBA.7552146C
7552148F Main PUSH 2E
"75521491 Main POP EAX;"
75521492 Main PUSH 0FB
75521497 Main MOV WORD PTR SS: [EBP-200], AX
"7552149E Principal LEA EAX, DWORD PTR SS: [EBP-1FE];"
755214A4 Main PUSH EAX
755214A5 Main PUSH 8
755214A7 Main PUSH 10
755214A9 Main PUSH DWORD PTR DS: [ESI + 8]
"755214AC Main CALL KERNELBA.754F4ABE;"
755214B1 TEST EAX principal, EAX
755214B3 Principal JNZ SHORT KERNELBA.7552146C
"755214B5 Principal XOR ESI, ESI;"
755214B7 Main PUSH ESI
755214B8 Main PUSH 1
"755214BA Principal LEA EAX, DWORD PTR SS: [EBP-440];"
755214C0 Principal MOV DWORD PTR SS: [EBP-444], EAX
755214C6 Main PUSH 214
"755214CB Principal LEA EAX, DWORD PTR SS: [EBP-444];"
755214D1 Main PUSH EAX
"755214D2 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
755214D8 Main PUSH EAX
755214D9 Main PUSH DWORD PTR DS: [75525944]
"755214DF Main CALL KERNELBA.754ED2F0;"
755214E4 TEST EAX principal, EAX
755214E6 Main JNZ SHORT KERNELBA.7552146C
"7552146C Principal XOR EAX, EAX;"
7552146E Principal JMP KERNELBA.7552151D
"7552151D Principal MOV ECX, DWORD PTR SS: [EBP-4];"
"75521520 POP EDI principal;"
"75521521 Principal XOR ECX, EBP;"
"75521523 Main POP ESI;"
75521524 Principal CALL KERNELBA.754E68A6
75521529 Main MOV ESP,EBP
"7552152B Main POP EBP;"
7552152C Main MOV ESP,EBX
"7552152E Main POP EBX;"
7552152F Main RETN 0C
754E7030 Main PUSH EBP
"754E7031 Main MOV EBP,ESP ;"
754E7033 Main PUSH ESI
"754E7034 Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
754E7037 TEST PRINCIPAL ESI, ESI
754E7039 Principal JE SHORT KERNELBA.754E7050
"754E703B Main CALL KERNELBA.754E6EA8;"
"754E7040 Principal MOV ECX, DWORD PTR DS: [EAX + 8];"
754E7043 Main CMP ECX, DWORD PTR DS: [ESI + 8]
754E7046 Main JNZ SHORT KERNELBA.754E7058
"754E7048 Principal MOV EAX, DWORD PTR DS: [EAX + 4];"
754E704B Principal CMP EAX, DWORD PTR DS: [ESI + 4]
754E704E Main JNZ SHORT KERNELBA.754E7058
"754E7050 Main XOR EAX, EAX;"
"754E7052 Main INC EAX;"
"754E7053 Main POP ESI;"
"754E7054 Main POP EBP;"
"754E7055 Main RETN 4;"
754F2B4F EDI MOV principal, EDI
754F2B51 Main PUSH EBP
"754F2B52 Main MOV EBP,ESP ;"
754F2B54 Principal XOR EAX, EAX
754F2B56 Main CMP DWORD PTR DS: [EAX * 4 + 75525E80], 0
754F2B5E Main JNZ SHORT KERNELBA.754F2B78
"754F2B78 Principal INC EAX;"
754F2B79 Principal CMP EAX, 0A
754F2B7C Main JGE SHORT KERNELBA.754F2B6A
754F2B7E Main JMP SHORT KERNELBA.754F2B56
"754F2B60 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754F2B63 Principal MOV DWORD PTR DS: [EAX * 4 + 75525E80], ECX
"754F2B6A Principal XOR ECX, ECX;"
754F2B6C Principal CMP EAX, 0A
"754F2B6F Main SETNE CL;"
754F2B72 Principal MOV EAX, ECX
"754F2B74 Main POP EBP;"
"754F2B75 Main RETN 4;"
754EB89E Main PUSH EBP
"754EB89F Main MOV EBP,ESP ;"
"754EB8A1 Principal MOV EDX, DWORD PTR SS: [EBP + 8];"
"754EB8A4 Principal MOV ECX, DWORD PTR DS: [754EB8E0];"
754EB8AA Principal MOVZX EAX, DL
"754EB8AD Main SHR EDX, 8;"
754EB8B0 Principal MOVZX EDX, DL
754EB8B3 Main PUSH ESI
"754EB8B4 Principal MOV ESI, DWORD PTR DS: [ECX + 30];"
"754EB8B7 Principal MOVZX EDX, WORD PTR DS: [ESI + EDX * 2];"
754EB8BB Main PUSH EDI
"754EB8BC MOV Principal EDI, EAX;"
"754EB8BE Main SHR EDX, 1;"
"754EB8C0 Main SHR EDI, 4;"
"754EB8C3 Main ADD EDX, EDI;"
"754EB8C5 Principal MOVZX EDX, WORD PTR DS: [ESI + EDX * 2];"
"754EB8C9 Main AND EAX, 0F;"
"754EB8CC Main ADD EDX, ESI;"
"754EB8CE Principal MOVZX EAX, BYTE PTR DS: [EAX + EDX];"
"754EB8D2 Principal IMUL EAX, EAX, 6;"
"754EB8D5 ADD principal EAX, DWORD PTR DS: [ECX + 2C];"
"754EB8D8 POP EDI principal;"
"754EB8D9 Main POP ESI;"
"754EB8DA Main POP EBP;"
"754EB8DB Main RETN 4;"
FindFirstFileW MOV EDI, EDI
754EB451 Main PUSH EBP
"754EB452 Main MOV EBP,ESP ;"
"754EB454 Principal XOR EAX, EAX;"
754EB456 Main PUSH EAX
754EB457 Main PUSH EAX
754EB458 Main PUSH EAX
754EB459 Main PUSH DWORD PTR SS: [EBP + C]
754EB45C Main PUSH EAX
754EB45D Main PUSH DWORD PTR SS: [EBP + 8]
"754EB460 Main CALL KERNELBA.FindFirstFileExW;"
"754EB465 Main POP EBP;"
"754EB466 Main RETN 8;"
"754EE014 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754EE017 Main ADD EAX, 1C;"
754EE01A Main PUSH EAX
754EE01B Principal CALL DWORD PTR DS: [<& ntdll.RtlLeaveCritical
"754EE021 Main RETN;"
"KiFastSystemCallR> RETN;"
754F1B31 Main PUSH EBP
"754F1B32 Main MOV EBP,ESP ;"
"754F1B34 Main PUSH DWORD PTR SS: [EBP + 14];"
"754F1B37 Main PUSH DWORD PTR SS: [EBP + 10];"
"754F1B3A Main PUSH DWORD PTR SS: [EBP + C];"
"754F1B3D Main PUSH DWORD PTR SS: [EBP + 8];"
"754F1B40 Main PUSH -1;"
"754F1B42 Main CALL KERNELBA.VirtualProtectEx ;"
"754F1B47 Main POP EBP;"
"754F1B48 Main RETN 10;"
"7551389A Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551389D ADD principal EAX, -0C;"
"755138A0 Main PUSH EAX;"
755138A1 Principal CALL KERNELBA.754E8E9D
754E8E9D EDI MOV principal, EDI
754E8E9F Main PUSH EBP
"754E8EA0 Main MOV EBP,ESP ;"
754E8EA2 Main PUSH DWORD PTR SS: [EBP + 8]
"754E8EA5 Principal MOV EAX, DWORD PTR FS: [18];"
"754E8EAB Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754E8EAE Main PUSH 0
754E8EB0 Main PUSH DWORD PTR DS: [EAX + 18]
"754E8EB3 Principal CALL DWORD PTR DS: [<& ntdll.RtlFreeHeap>];"
"754E8EB9 Main POP EBP;"
754E8EBA Main RETN 4
"755138A6 Main JMP SHORT KERNELBA.755138B5;"
754EBDC1 Main PUSH EBP
"754EBDC2 Main MOV EBP,ESP ;"
754EBDC4 Main PUSH ECX
754EBDC5 Main PUSH ECX
754EBDC6 Main PUSH DWORD PTR SS: [EBP + 8]
"754EBDC9 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EBDCC Main PUSH EAX
"754EBDCD Main CALL KERNELBA.754E8745;"
754EBDD2 TEST EAX principal, EAX
754EBDD4 Principal JE SHORT KERNELBA.754EBDF4
754EBDD6 Main PUSH ESI
"754EBDD7 Main PUSH DWORD PTR SS: [EBP + 10];"
"754EBDDA Main PUSH DWORD PTR SS: [EBP + C];"
"754EBDDD Main PUSH DWORD PTR SS: [EBP-4];"
"754EBDE0 Main CALL KERNELBA.LoadLibraryExW;"
"754EBDE5 Principal MOV ESI, EAX;"
"754EBDE7 Main LEA EAX, DWORD PTR SS: [EBP-8];"
754EBDEA Main PUSH EAX
754EBDEB Main CALL DWORD PTR DS: [<& ntdll.RtlFreeUnicodeSt
"754EBDF1 Principal MOV EAX, ESI;"
"754EBDF3 Main POP ESI;"
"754EBDF4 Main LEAVE;"
"754EBDF5 Main RETN 0C;"
754EE623 Main PUSH EBP
"754EE624 Main MOV EBP,ESP ;"
754EE626 Main PUSH ESI
754EE627 Main PUSH DWORD PTR SS: [EBP + 10]
754EE62A Principal XOR ESI, ESI
754EE62C Main PUSH DWORD PTR SS: [EBP + C]
754EE62F Main PUSH DWORD PTR SS: [EBP + 8]
"754EE632 Main CALL KERNELBA.754EE597;"
"754EE637 Main DEC EAX;"
754EE638 Principal JE SHORT KERNELBA.754EE653
"754EE63A Principal DEC EAX;"
754EE63B Principal JE SHORT KERNELBA.754EE650
754EE63D Main PUSH DWORD PTR SS: [EBP + 10]
754EE640 Main PUSH DWORD PTR SS: [EBP + C]
754EE643 Main PUSH DWORD PTR SS: [EBP + 8]
754EE646 Main PUSH ESI
"754EE647 Main CALL KERNELBA.754E8512;"
"754EBE7F Main PUSH DWORD PTR SS: [EBP-24];"
"754EBE82 Main PUSH DWORD PTR SS: [EBP-28];"
754EBE85 Main CALL KERNELBA.BaseReleaseProcessDllPath
BaseReleaseProces> MOV EDI, EDI
754EB544 Main PUSH EBP
"754EB545 Main MOV EBP,ESP ;"
"754EB547 Main PUSH DWORD PTR SS: [EBP + C];"
"754EB54A Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754EB54D Main ADD EAX, -4;"
"754EB550 Main PUSH EAX;"
"754EB551 Main CALL KERNELBA.7551388F;"
"754EB556 Main POP EBP;"
754EB557 Main RETN 8
"754EBE8A Main RETN;"
754EE64C TEST EAX principal, EAX
754EE64E Principal JE SHORT KERNELBA.754EE653
754EE653 Principal MOV EAX, ESI
754EE655 Main POP ESI
"754EE656 Main POP EBP;"
"754EE657 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"754E8A72 Principal MOV EAX, ECX;"
"754E8A74 Principal XOR ECX, ECX;"
754E8A76 Main PUSH ESI
754E8A77 Principal MOV ESI, EAX
754E8A79 Main CMP WORD PTR DS:[EAX],CX
754E8A7C Principal JE SHORT KERNELBA.754E8AF1
754E8A7E Main PUSH 2
"754E8A80 Main POP EDX;"
"754E8A81 ADD EAX, EDX;"
754E8A83 Main CMP WORD PTR DS:[EAX],CX
754E8A86 Principal JE SHORT KERNELBA.754E8AF1
"754E8A88 ADD EAX, EDX;"
754E8A8A Main CMP WORD PTR DS:[EAX],CX
754E8A8D Principal JE SHORT KERNELBA.754E8AF1
"754E8A8F ADD EAX, EDX;"
754E8A91 Main CMP WORD PTR DS:[EAX],CX
754E8A94 Principal JE SHORT KERNELBA.754E8AF1
"754E8A96 ADD principal EAX, EDX;"
754E8A98 Main CMP WORD PTR DS:[EAX],CX
754E8A9B Principal JE SHORT KERNELBA.754E8AF1
"754E8A9D Main ADD EAX, EDX;"
754E8A9F Main CMP WORD PTR DS:[EAX],CX
754E8AA2 Principal JE SHORT KERNELBA.754E8AF1
"754E8AA4 ADD EAX, EDX;"
754E8AA6 Main CMP WORD PTR DS:[EAX],CX
754E8AA9 Principal JE SHORT KERNELBA.754E8AF1
"754E8AAB ADD EAX, EDX;"
754E8AAD Main CMP WORD PTR DS:[EAX],CX
754E8AB0 Principal JE SHORT KERNELBA.754E8AF1
"754E8AB2 ADD EAX, EDX;"
754E8AB4 Main CMP WORD PTR DS:[EAX],CX
754E8AB7 Principal JE SHORT KERNELBA.754E8AF1
"754E8AB9 Main ADD EAX, EDX;"
754E8ABB Main CMP WORD PTR DS:[EAX],CX
754E8ABE Principal JE SHORT KERNELBA.754E8AF1
"754E8AC0 ADD EAX, EDX;"
754E8AC2 Main CMP WORD PTR DS:[EAX],CX
754E8AC5 Principal JE SHORT KERNELBA.754E8AF1
"754E8AC7 ADD EAX, EDX;"
754E8AC9 Main CMP WORD PTR DS:[EAX],CX
754E8ACC Principal JE SHORT KERNELBA.754E8AF1
"754E8ACE Main ADD EAX, EDX;"
754E8AD0 Main CMP WORD PTR DS:[EAX],CX
754E8AD3 Principal JE SHORT KERNELBA.754E8AF1
"754E8AD5 ADD EAX, EDX;"
754E8AD7 Main CMP WORD PTR DS:[EAX],CX
754E8ADA Principal JE SHORT KERNELBA.754E8AF1
"754E8ADC ADD EAX, EDX;"
754E8ADE Main CMP WORD PTR DS:[EAX],CX
754E8AE1 Principal JE SHORT KERNELBA.754E8AF1
"754E8AE3 ADD EAX, EDX;"
754E8AE5 Main CMP WORD PTR DS:[EAX],CX
754E8AE8 Principal JE SHORT KERNELBA.754E8AF1
"754E8AEA ADD EAX, EDX;"
754E8AEC Main CMP WORD PTR DS:[EAX],CX
754E8AEF Main JNZ SHORT KERNELBA.754E8A81
"754E8AF1 Principal SUB EAX, ESI;"
"754E8AF3 SAR principal EAX, 1;"
754E8AF5 Principal POP ESI
"754E8AF6 Main RETN;"
754EE650 Principal XOR ESI, ESI
"754EE652 Main INC ESI;"
75513C21 EDI MOV principal, EDI
75513C23 Main PUSH EBP
"75513C24 Main MOV EBP,ESP ;"
75513C26 Main PUSH EBX
"75513C27 Principal MOV EBX, DWORD PTR SS: [EBP + 10];"
75513C2A Main PUSH ESI
75513C2B Main PUSH EDI
"75513C2C MOV principal EDI, 1000;"
75513C31 Main CMP DWORD PTR SS: [EBP + C], EDI
75513C34 Main JNZ SHORT KERNELBA.75513C7B
75513C7B Main PUSH DWORD PTR SS: [EBP + C]
75513C7E Main PUSH DWORD PTR SS: [EBP + 8]
75513C81 Principal CALL KERNELBA.75513A7B
75513A7B Main PUSH 30
75513A7D Main PUSH KERNELBA.75513B60
"75513A82 Main CALL KERNELBA.754E16A0;"
"75513A87 Principal MOV ECX, DWORD PTR SS: [EBP + C];"
75513A8A TEST ECX principal, 1000
75513A90 Principal JE SHORT KERNELBA.75513A98
"75513A98 Principal XOR EBX, EBX;"
"75513A9A Principal XOR EAX, EAX;"
"75513A9C Principal XOR EDX, EDX;"
"75513A9E Main INC EDX;"
75513A9F TEST ECX principal, 100
75513AA5 Principal JE SHORT KERNELBA.75513AB0
75513AB0 TEST ECX principal, 200
75513AB6 Principal JE SHORT KERNELBA.75513AC1
75513AC1 TEST ECX principal, 400
75513AC7 Principal JE SHORT KERNELBA.75513ADC
75513ADC Principal MOV DWORD PTR SS: [EBP + C], EBX
75513ADF TEST ECX principal, 800
75513AE5 Principal JE SHORT KERNELBA.75513AF0
75513AE7 Main MOV DWORD PTR SS: [EBP + EAX * 4-40], 9
"75513AEF Main INC EAX;"
75513AF0 Principal MOV DWORD PTR SS: [EBP + EAX * 4-40], EBX
"75513AF4 Principal XOR EDI, EDI;"
"75513AF6 Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
75513AF9 Principal CMP ESI, EBX
75513AFB Principal JE SHORT KERNELBA.75513B0F
75513B0F Main CMP DWORD PTR SS: [EBP + C], EBX
75513B12 Principal JE SHORT KERNELBA.75513B1F
75513B1F Main MOV DWORD PTR SS: [EBP-4], EBX
75513B22 Main PUSH EDI
75513B23 Main PUSH ESI
75513B24 Main PUSH EBX
"75513B25 Principal LEA EAX, DWORD PTR SS: [EBP-40];"
75513B28 Main PUSH EAX
"75513B29 Main CALL KERNELBA.754F1C7F;"
"75513B2E Principal MOV ESI, EAX;"
75513B30 Main PUSH -2
"75513B32 Main LEA EAX, DWORD PTR SS: [EBP-10];"
75513B35 Main PUSH EAX
75513B36 Main PUSH KERNELBA.755259A0
75513B3B Main CALL KERNELBA.755088B4
755088B4 Main PUSH EBX
755088B5 Main PUSH ESI
755088B6 Main PUSH EDI
"755088B7 Main MOV EDX,DWORD PTR SS:[ESP+10] ;"
755088BB Main MOV EAX,DWORD PTR SS:[ESP+14]
"755088BF Main MOV ECX,DWORD PTR SS:[ESP+18] ;"
755088C3 Main PUSH EBP
755088C4 Main PUSH EDX
755088C5 Main PUSH EAX
755088C6 Main PUSH ECX
755088C7 Main PUSH ECX
755088C8 Main PUSH KERNELBA.75508944
755088CD Main PUSH DWORD PTR FS: [0]
"755088D4 Principal MOV EAX, DWORD PTR DS: [755259A0];"
"755088D9 Main XOR EAX,ESP ;"
755088DB Main MOV DWORD PTR SS:[ESP+8],EAX
755088DF Main MOV DWORD PTR FS:[0],ESP
"755088E6 Main MOV EAX,DWORD PTR SS:[ESP+30] ;"
"755088EA Principal MOV EBX, DWORD PTR DS: [EAX + 8];"
"755088ED Main MOV ECX,DWORD PTR SS:[ESP+2C] ;"
"755088F1 Principal XOR EBX, DWORD PTR DS: [ECX];"
"755088F3 Principal MOV ESI, DWORD PTR DS: [EAX + C];"
755088F6 Principal CMP ESI, -2
755088F9 Principal JE SHORT KERNELBA.75508936
"755088FB Main MOV EDX,DWORD PTR SS:[ESP+34] ;"
755088FF Principal CMP EDX, -2
75508902 Mão I SHORT KERNELBA.75508908
75508908 Principal LEA ESI, DWORD PTR DS: [ESI + ESI * 2]
"7550890B Principal LEA EBX, DWORD PTR DS: [EBX + ESI * 4 + 10];"
"7550890F Principal MOV ECX, DWORD PTR DS: [EBX];"
75508911 Principal MOV DWORD PTR DS: [EAX + C], ECX
75508914 Main CMP DWORD PTR DS: [EBX + 4], 0
75508918 Principal JNZ SHORT KERNELBA.755088E6
7550891A Main PUSH 101
"7550891F MOV Principal EAX, DWORD PTR DS: [EBX + 8];"
75508922 Principal CALL KERNELBA.755007D4
755007D4 Main PUSH EBX
755007D5 Main PUSH ECX
"755007D6 Principal MOV EBX, KERNELBA.75525790;"
"755007DB Main MOV ECX,DWORD PTR SS:[ESP+C] ;"
755007DF Principal MOV DWORD PTR DS: [EBX + 8], ECX
755007E2 Principal MOV DWORD PTR DS: [EBX + 4], EAX
755007E5 Principal MOV DWORD PTR DS: [EBX + C], EBP
755007E8 Main PUSH EBP
755007E9 Main PUSH ECX
755007EA Main PUSH EAX
755007EB Main EAX POP
755007EC Main POP ECX
755007ED Principal POP EBP
"755007EE Main POP ECX;"
"755007EF Main POP EBX;"
755007F0 Main RETN 4
"75508927 Principal MOV ECX, 1;"
7550892C Principal MOV EAX, DWORD PTR DS: [EBX + 8]
7550892F Principal CALL KERNELBA.755089A1
755089A1 Principal CALL EAX
75513B4D Main CMP DWORD PTR SS: [EBP + C], 0
755089A3 Main RETN
"75508934 Main JMP SHORT KERNELBA.755088E6;"
75508936 Main POP DWORD PTR FS: [0]
7550893D Principal ADD ESP, 18
75508940 POP EDI principal
"75508941 Main POP ESI;"
"75508942 Main POP EBX;"
75508943 Main RETN
75513B40 Main ADD ESP,0C
"75513B43 Principal MOV EAX, ESI;"
"75513B45 Main CALL KERNELBA.754E17F0;"
75513B4A Main RETN 8
75513C86 Main OR DWORD PTR DS: [EBX], FFFFFFFF
"75513C89 ADD EAX principal, 0C;"
"75513C8C POP POP principal;"
75513C8D Main POP ESI
"75513C8E Main POP EBX;"
"75513C8F Main POP EBP;"
"75513C90 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
7551391C EDI principal MOV, EDI
7551391E Main PUSH EBP
"7551391F Main MOV EBP,ESP ;"
75513921 Main CMP DWORD PTR SS: [EBP + C], - 1
75513925 Main JNZ SHORT KERNELBA.75513935
"75513927 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551392A ADD EAX, -0C;"
"7551392D Main PUSH EAX;"
"7551392E Main CALL KERNELBA.754E8E9D;"
75513933 Principal JMP SHORT KERNELBA.75513942
"75513942 Main POP EBP;"
"75513943 Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
NlsIsUserDefaultL> MOV EDI, EDI
754F8277 Main PUSH EBP
"754F8278 Main MOV EBP,ESP ;"
"754F827A Main CALL KERNELBA.754E6FB9;"
"754F827F MOV principal EDX, DWORD PTR SS: [EBP + 8];"
"754F8282 Main XOR ECX, ECX;"
754F8284 Main CMP EDX, DWORD PTR DS: [EAX + 8]
754F8287 Main SETE CL
"754F828A MOV principal EAX, ECX;"
"754F828C Main POP EBP;"
"754F828D Main RETN 4;"
754EF62C Main PUSH EBP
"754EF62D Main MOV EBP,ESP ;"
"754EF62F Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
"754EF632 Main XOR EDX, EDX;"
"754EF634 Main CALL KERNELBA.GetNamedLocaleHashNode;"
"754EF639 Main POP EBP;"
"754EF63A Main RETN 4;"
7551971B Main PUSH EBP
"7551971C Main MOV EBP,ESP ;"
"7551971E Principal LEA EAX, DWORD PTR SS: [EBP + C];"
75519721 Main PUSH EAX
75519722 Main PUSH DWORD PTR SS: [EBP + C]
"75519725 Main CALL KERNELBA.755018D8;"
7551972A TEST EAX principal, EAX
7551972C Principal JGE SHORT KERNELBA.75519739
"75519739 Main CALL KERNELBA.754E6FB9;"
7551973E Main PUSH DWORD PTR DS: [EAX + 8]
"75519741 Main CALL KERNELBA.754E6EE0;"
"75519746 Main PUSH EAX;"
"75519747 Main PUSH DWORD PTR SS: [EBP + C];"
"7551974A Main PUSH DWORD PTR SS: [EBP + 8];"
"7551974D Main CALL KERNELBA.754ECF95;"
75519752 TEST EAX principal, EAX
75519754 Main JGE SHORT KERNELBA.7551975D
"7551975D Principal LEA EAX, DWORD PTR SS: [EBP + 8];"
75519760 Main PUSH EAX
75519761 Main PUSH 55
75519763 Main PUSH DWORD PTR SS: [EBP + 8]
"75519766 Main CALL KERNELBA.754FA018;"
"7551976B Main LEA EAX, DWORD PTR SS: [EBP + 8];"
7551976E Main PUSH EAX
7551976F Main PUSH DWORD PTR SS: [EBP + 8]
"75519772 Main CALL KERNELBA.754E700B;"
"75519777 Main MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551977A Principal INC EAX;"
"7551977B Main POP EBP;"
"7551977C Main RETN 8;"
754ECFD1 EDI principal MOV, EDI
754ECFD3 Main PUSH EBP
"754ECFD4 Main MOV EBP,ESP ;"
"754ECFD6 MOV principal EDX, DWORD PTR SS: [EBP + C];"
754ECFD9 Main PUSH EBX
"754ECFDA Principal XOR EAX, EAX;"
754ECFDC Main PUSH EDI
"754ECFDD Principal MOV EBX, 7FFFFFFF;"
754ECFE2 TEST principal EDX, EDX
754ECFE4 Principal JE SHORT KERNELBA.754ED030
754ECFE6 Main CMP EDX, EBX
754ECFE8 Main JA SHORT KERNELBA.754ED030
"754ECFEA MOV PRINCIPAL EDI, DWORD PTR SS: [EBP + 8];"
754ECFED Principal TEST EAX, EAX
754ECFEF Principal JL SHORT KERNELBA.754ED040
754ECFF1 Main AND DWORD PTR SS: [EBP + C], 0
754ECFF5 Principal XOR ECX, ECX
754ECFF7 Main PUSH ESI
"754ECFF8 Principal MOV ESI, EDX;"
"754ECFFA Principal MOV EAX, EDI;"
754ECFFC Main CMP EDX, ECX
754ECFFE Principal JE SHORT KERNELBA.754ED037
754ED000 Main CMP WORD PTR DS:[EAX],CX
754ED003 Principal JE SHORT KERNELBA.754ED00A
"754ED005 Main INC EAX;"
"754ED006 Principal INC EAX;"
"754ED007 Main DEC ESI;"
"754ED008 Main JNZ SHORT KERNELBA.754ED000;"
754ED00A Principal CMP ESI, ECX
754ED00C Principal JE SHORT KERNELBA.754ED037
"754ED00E Principal MOV ECX, EDX;"
"754ED010 Principal SUB ECX, ESI;"
"754ED012 Principal MOV EAX, DWORD PTR SS: [EBP + C];"
"754ED015 Main POP ESI;"
754ED016 TEST principal EAX, EAX
754ED018 Main JL SHORT KERNELBA.754ED02A
"754ED01A Principal MOV EAX, DWORD PTR SS: [EBP + 10];"
754ED01D Main PUSH EBX
"754ED01E Principal SUB EDX, ECX;"
754ED020 Main PUSH 0
"754ED022 Principal LEA ECX, DWORD PTR DS: [EDI + ECX * 2];"
"754ED025 Main CALL KERNELBA.754ECF3C;"
"754ED02A POP EDI principal;"
"754ED02B Main POP EBX;"
"754ED02C Main POP EBP;"
"754ED02D Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754E7342 Main PUSH EBP
"754E7343 Main MOV EBP,ESP ;"
754E7345 Main PUSH DWORD PTR SS: [EBP + C]
754E7348 Main PUSH DWORD PTR SS: [EBP + 8]
754E734B Main CALL DWORD PTR DS: [<& ntdll.RtlInitializeCri
754E7351 Principal XOR EAX, EAX
"754E7353 Main INC EAX;"
"754E7354 Main POP EBP;"
"754E7355 Main RETN 8;"
"GetCommandLineA MOV EAX, DWORD PTR DS: [7552578C];"
"754F194C Main RETN;"
754F1954 Main PUSH EBP
"754F1955 Main MOV EBP,ESP ;"
754F1957 Main PUSH DWORD PTR SS: [EBP + 8]
"754F195A MOV principal EAX, DWORD PTR FS: [18];"
"754F1960 Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754F1963 Main PUSH 0
754F1965 Main PUSH DWORD PTR DS: [EAX + 18]
"754F1968 Main CALL DWORD PTR DS: [<& ntdll.RtlFreeHeap>];"
754F196E Principal MOVZX EAX, AL
"754F1971 Main POP EBP;"
"754F1972 Main RETN 4;"
"GetACP MOV EAX, DWORD PTR DS: [75525054];"
"754E92F8 Main RETN;"
"KiFastSystemCallR> RETN;"
754F9241 EDI MOV principal, EDI
754F9243 Main PUSH EBP
"754F9244 Main MOV EBP,ESP ;"
"754F9246 Principal MOV AX, WORD PTR SS: [EBP + 8];"
754F924A Main CMP AX, WORD PTR SS: [EBP + 10]
754F924E Main JA SHORT KERNELBA.754F925D
754F9250 Main CMP AX, WORD PTR SS: [EBP + C]
754F9254 Principal MOVZX EAX, AX
754F9257 Main JB SHORT KERNELBA.754F925D
"754F9259 Main POP EBP;"
"754F925A Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"GetVersion MOV EAX, DWORD PTR FS: [18];"
"754EC20D Principal MOV ECX, DWORD PTR DS: [EAX + 30];"
"754EC210 Principal MOV EAX, DWORD PTR DS: [ECX + B0];"
"754EC216 Principal MOVZX EDX, WORD PTR DS: [ECX + AC];"
"754EC21D Principal XOR EAX, FFFFFFFE;"
"754EC220 Main SHL EAX, 0E;"
"754EC223 Main OR EAX, EDX;"
"754EC225 Main SHL EAX, 8;"
"754EC228 Main OR EAX, DWORD PTR DS: [ECX + A8];"
"754EC22E Main SHL EAX, 8;"
"754EC231 Main OR EAX, DWORD PTR DS: [ECX + A4];"
"754EC237 Main RETN;"
"754E7058 Principal XOR EAX, EAX;"
"754E705A Main JMP SHORT KERNELBA.754E7053;"
754ED5D5 Main PUSH DWORD PTR SS: [EBP-30]
754ED5D8 Principal CALL KERNELBA.BaseDllFreeResourceId
754ED5DD Main PUSH DWORD PTR SS: [EBP-2C]
754ED5E0 Principal CALL KERNELBA.BaseDllFreeResourceId
"754ED5E5 Main RETN;"
SetHandleCount MOV EDI, EDI
754E92E4 Main PUSH EBP
"754E92E5 Main MOV EBP,ESP ;"
754E92E7 MOV principal EAX, DWORD PTR SS: [EBP + 8]
"754E92EA Main POP EBP;"
"754E92EB Main RETN 4;"
"KiFastSystemCallR> RETN;"
754E9ADF 00000574 PUSH EBP
"754E9AE0 00000574 MOV EBP,ESP ;"
754E9AE2 00000574 PUSH DWORD PTR SS: [EBP + 10]
754E9AE5 00000574 PUSH 2
754E9AE7 00000574 PUSH DWORD PTR SS: [EBP + C]
754E9AEA 00000574 PUSH 0
754E9AEC 00000574 PUSH 0C
754E9AEE 00000574 PUSH DWORD PTR SS: [EBP + 8]
"754E9AF1 00000574 CALL KERNELBA.DuplicateTokenEx ;"
"754E9AF6 00000574 POP EBP;"
"754E9AF7 00000574 RETN 0C;"
"GetOEMCP MOV EAX, DWORD PTR DS: [75525048];"
"754ED9B4 Main RETN;"
"NlsGetCacheUpdate> MOV EAX, DWORD PTR DS: [7552504C];"
"754E9308 Principal MOV EAX, DWORD PTR DS: [EAX + 5C8];"
"754E930E Main RETN;"
754F4628 Main PUSH EBP
"754F4629 Main MOV EBP,ESP ;"
754F462B Main PUSH 0
"754F462D Principal LEA EAX, DWORD PTR SS: [EBP + 8];"
754F4630 Main PUSH EAX
"754F4631 Main CALL KERNELBA.NlsValidateLocale;"
754F4636 TEST principal EAX, EAX
754F4638 Principal JE SHORT KERNELBA.754F4640
"754F463A Principal MOV EAX, DWORD PTR DS: [EAX];"
"754F463C Main POP EBP;"
"754F463D Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"GetCommandLineW MOV EAX, DWORD PTR DS: [7552506C];"
"754ED9A9 Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754F0C45 EDI MOV principal, EDI
754F0C47 Main PUSH EBP
"754F0C48 Main MOV EBP,ESP ;"
754F0C4A Main PUSH ECX
754F0C4B Main AND DWORD PTR SS: [EBP-4], 0
754F0C4F Main PUSH EDI
"754F0C50 Principal XOR EDI, EDI;"
754F0C52 Main PUSH EDI
754F0C53 Main PUSH 20019
754F0C58 Main PUSH DWORD PTR SS: [EBP + C]
"754F0C5B Principal LEA EAX, DWORD PTR SS: [EBP-4];"
754F0C5E Main PUSH KERNELBA.754ED3C0
754F0C63 Main PUSH EAX
"754F0C64 Main CALL KERNELBA.OpenRegKey;"
754F0C69 TEST EAX principal, EAX
754F0C6B Main JL SHORT KERNELBA.754F0C9C
754F0C6D Main PUSH EDI
754F0C6E Main PUSH 1
754F0C70 Main PUSH 214
"754F0C75 Principal LEA EAX, DWORD PTR SS: [EBP + 10];"
754F0C78 Main PUSH EAX
754F0C79 Main PUSH DWORD PTR SS: [EBP + 8]
754F0C7C Main PUSH DWORD PTR SS: [EBP-4]
"754F0C7F Main CALL KERNELBA.754ED2F0;"
"754F0C84 Main XOR ECX, ECX;"
754F0C86 TEST principal EAX, EAX
754F0C88 Main SETGE CL
754F0C8B Main CMP DWORD PTR SS: [EBP-4], 0
754F0C8F MOV Principal EDI, ECX
754F0C91 Principal JE SHORT KERNELBA.754F0C9C
"754F0C93 Main PUSH DWORD PTR SS: [EBP-4];"
"754F0C96 Main CALL DWORD PTR DS: [<& ntdll.NtClose>];"
754F0C9C Principal MOV EAX, EDI
"754F0C9E POP EDI principal;"
"754F0C9F Main LEAVE;"
"754F0CA0 Main RETN 0C;"
754F252B Main PUSH EBP
"754F252C Main MOV EBP,ESP ;"
"754F252E Principal MOV EAX, DWORD PTR FS: [18];"
"754F2534 Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754F2537 Main PUSH 30
754F2539 Main PUSH 8
754F253B Main PUSH DWORD PTR DS: [EAX + 18]
754F253E Main CALL DWORD PTR DS: [<& ntdll.RtlAllocateHeap>
754F2544 Principal TEST EAX, EAX
754F2546 Principal JE SHORT KERNELBA.754F254D
"754F2548 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754F254B Principal MOV DWORD PTR DS: [EAX], ECX
"754F254D Main POP EBP;"
"754F254E Main RETN 4;"
754E74DD Principal XOR EAX, EAX
"754E74DF Main INC EAX;"
"754E74E0 Main JMP SHORT KERNELBA.754E74D9;"
754EACBB Main PUSH EBP
"754EACBC Main MOV EBP,ESP ;"
754EACBE Principal MOVZX EAX, BYTE PTR SS: [EBP + 8]
754EACC2 Main PUSH EAX
754EACC3 Principal CALL DWORD PTR DS: [<& ntdll.RtlLengthRequire
"754EACC9 Main POP EBP;"
"754EACCA Main RETN 4;"
OpenEventA MOV EDI, EDI
754EE697 Main PUSH EBP
"754EE698 Main MOV EBP,ESP ;"
754EE69A Main PUSH ECX
754EE69B Main PUSH ECX
754EE69C Main CMP DWORD PTR SS: [EBP + 10], 0
754EE6A0 Principal JE SHORT KERNELBA.754EE6DA
754EE6A2 Main PUSH DWORD PTR SS: [EBP + 10]
"754EE6A5 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EE6A8 Main PUSH EAX
"754EE6A9 Main CALL KERNELBA.754E8745;"
754EE6AE TEST EAX principal, EAX
754EE6B0 Principal JE SHORT KERNELBA.754EE6D6
754EE6B2 Main PUSH ESI
"754EE6B3 Main PUSH DWORD PTR SS: [EBP-4];"
"754EE6B6 Main PUSH DWORD PTR SS: [EBP + C];"
"754EE6B9 Main PUSH DWORD PTR SS: [EBP + 8];"
"754EE6BC Main CALL KERNELBA.OpenEventW;"
754EE6C1 Main CMP DWORD PTR SS: [EBP + 10], 0
"754EE6C5 Principal MOV ESI, EAX;"
754EE6C7 Principal JE SHORT KERNELBA.754EE6D3
"754EE6C9 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EE6CC Main PUSH EAX
754EE6CD Main CALL DWORD PTR DS: [<& ntdll.RtlFreeUnicodeSt
754EE6D3 Principal MOV EAX, ESI
"754EE6D5 Main POP ESI;"
"754EE6D6 Main LEAVE;"
"754EE6D7 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
75513BED EDI MOV principal, EDI
75513BEF Main PUSH EBP
"75513BF0 Main MOV EBP,ESP ;"
75513BF2 Main PUSH ECX
"75513BF3 Principal LEA EAX, DWORD PTR SS: [EBP-4];"
75513BF6 Main PUSH EAX
75513BF7 Main PUSH 0
"75513BF9 Main CALL KERNELBA.754EB67A;"
75513BFE Main PUSH DWORD PTR SS: [EBP + 8]
75513C01 Main PUSH 0
75513C03 Main PUSH DWORD PTR SS: [EBP-4]
75513C06 Main PUSH EAX
75513C07 Main PUSH 0
75513C09 Main PUSH KERNELBA.754F2473
75513C0E Main PUSH KERNELBA.75525800
"75513C13 Main CALL KERNELBA.754EB5CB;"
754F1BC8 Main CMP DWORD PTR SS: [EBP + C], EBX
754F1BCB Main JNZ SHORT KERNELBA.754F1BD3
754F1BCD Main CALL DWORD PTR DS: [<& ntdll.RtlReleasePebLoc
"754F1BD3 Main RETN;"
"75513C18 LEA PRINCIPAL;"
"75513C19 Main RETN 4;"
754F2458 Main PUSH EBP
"754F2459 Main MOV EBP,ESP ;"
"754F245B Main PUSH DWORD PTR SS: [EBP + C];"
"754F245E Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754F2461 Main ADD EAX, -4;"
"754F2464 Main PUSH EAX;"
754F2465 Principal CHAMADA KERNELBA.755138ED
755138ED EDI MOV principal, EDI
755138EF Main PUSH EBP
"755138F0 Main MOV EBP,ESP ;"
755138F2 Main CMP DWORD PTR SS: [EBP + C], - 1
755138F6 Main JNZ SHORT KERNELBA.75513906
75513906 Main PUSH DWORD PTR SS: [EBP + C]
75513909 Main PUSH KERNELBA.75525800
"7551390E Main CALL KERNELBA.754EB4E5;"
"75513913 Main POP EBP;"
75513914 Main RETN 8
"754F246A Main POP EBP;"
"754F246B Main RETN 8;"
"KiFastSystemCallR> RETN;"
754F5048 EDI MOV principal, EDI
754F504A Main PUSH EBP
"754F504B Main MOV EBP,ESP ;"
"754F504D MOV principal EAX, DWORD PTR SS: [EBP + C];"
"754F5050 Principal MOVZX EAX, BYTE PTR DS: [EAX];"
"754F5053 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
"754F5056 Main MOV CX,WORD PTR DS:[ECX+EAX*2] ;"
"754F505A MOV principal EAX, DWORD PTR SS: [EBP + 10];"
754F505D Main PUSH DWORD PTR SS: [EBP + 14]
754F5060 Main MOV WORD PTR DS:[EAX],CX
754F5063 Main PUSH EAX
"754F5064 Main CALL KERNELBA.754F5072;"
"754F5069 Main POP EBP;"
"754F506A Main RETN 10;"
"KiFastSystemCallR> RETN;"
754E180B 00000EB0 PUSH EBP
"754E180C 00000EB0 MOV EBP,ESP ;"
"754E180E 00000EB0 PUSH 0;"
"754E1810 00000EB0 PUSH DWORD PTR SS: [EBP + 8];"
"754E1813 00000EB0 CHAMAR KERNELBA.SleepEx;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
GetTimeZoneInform> MOI EDI, EDI
754F6E3C Main PUSH EBP
"754F6E3D Main MOV EBP,ESP ;"
754F6E3F Main PUSH 1
754F6E41 Main PUSH DWORD PTR SS: [EBP + 8]
"754F6E44 Main CALL KERNELBA.754F6E52;"
"754E71E4 Principal MOV EAX, DWORD PTR DS: [75525044];"
"754E71E9 Principal MOV EAX, DWORD PTR DS: [EAX + 91C];"
754E71EF Principal XOR ECX, ECX
754E71F1 Principal CMP EAX, -1
754E71F4 Main SETNE CL
"754E71F7 Principal MOV EAX, ECX;"
"754E71F9 Main RETN;"
754F6F80 EDI MOV principal, EDI
754F6F82 Main PUSH EBP
"754F6F83 Main MOV EBP,ESP ;"
754F6F85 Main SUB ESP,218
"754F6F8B MOV principal EAX, DWORD PTR DS: [755259A0];"
"754F6F90 Principal XOR EAX, EBP;"
754F6F92 Principal MOV DWORD PTR SS: [EBP-4], EAX
754F6F95 Main PUSH EBX
"754F6F96 Principal MOV EBX, DWORD PTR SS: [EBP + C];"
754F6F99 Main PUSH EDI
"754F6F9A MOV Principal EDI, DWORD PTR SS: [EBP + 8];"
754F6F9D Main PUSH EDI
754F6F9E Main PUSH 20
754F6FA0 Main PUSH EBX
"754F6FA1 Main CALL <JMP. & Ntdll.wcscpy_s>;"
754F6FA6 Main ADD ESP,0C
754F6FA9 Main CMP WORD PTR DS: [EDI], 40
754F6FAD Main JNZ KERNELBA.754F707F
754F6FB3 Main PUSH ESI
"754F6FB4 Principal MOV ESI, DWORD PTR DS: [<& ntdll.wcschr>];"
"754F6FBA Main PUSH 5C;"
"754F6FBC Main PUSH EDI;"
"754F6FBD Main CALL ESI;"
"754F6FBF Main POP ECX;"
"754F6FC0 Main POP ECX;"
754F6FC1 TEST EAX principal, EAX
754F6FC3 Main JNZ KERNELBA.754F707E
754F6FC9 Main PUSH 2F
754F6FCB Main PUSH EDI
"754F6FCC Main CALL ESI;"
"754F6FCE Main POP ECX;"
"754F6FCF Main POP ECX;"
754F6FD0 TEST principal EAX, EAX
754F6FD2 Main JNZ KERNELBA.754F707E
754F6FD8 Main PUSH 2C
754F6FDA Main PUSH EDI
"754F6FDB Main CALL ESI;"
"754F6FDD Principal MOV ESI, EAX;"
"754F6FDF Main POP ECX;"
"754F6FE0 Main POP ECX;"
754F6FE1 Principal TEST ESI, ESI
754F6FE3 Principal JE KERNELBA.754F707E
754F6FE9 Main CMP WORD PTR DS: [ESI + 2], 2D
754F6FEE Main JNZ KERNELBA.754F707E
"754F6FF4 Principal LEA EAX, DWORD PTR DS: [ESI + 4];"
754F6FF7 Main PUSH EAX
"754F6FF8 Principal LEA EAX, DWORD PTR SS: [EBP-218];"
754F6FFE Main PUSH EAX
754F6FFF Main CALL DWORD PTR DS: [<& ntdll.RtlInitUnicodeSt
"754F7005 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
754F700B Main PUSH EAX
754F700C Main PUSH 0A
"754F700E Principal LEA EAX, DWORD PTR SS: [EBP-218];"
754F7014 Main PUSH EAX
754F7015 Main CALL DWORD PTR DS: [<& ntdll.RtlUnicodeString
754F701B TEST EAX principal, EAX
754F701D Main JL SHORT KERNELBA.754F707E
"754F701F Main CALL KERNELBA.KernelBaseGetGlobalData;"
"754F7024 Principal SUB ESI, EDI;"
"754F7026 Main ADD EAX, 3C;"
"754F7029 Principal LEA ECX, DWORD PTR DS: [EDI + 2];"
754F702C Main PUSH ECX
"754F702D Principal SAR ESI, 1;"
"754F702F Main DEC ESI;"
754F7030 Main PUSH ESI
754F7031 Main PUSH DWORD PTR DS: [EAX + 4]
"754F7034 Principal LEA EAX, DWORD PTR SS: [EBP-20C];"
754F703A Main PUSH KERNELBA.754F7090
754F703F Main PUSH 208
754F7044 Main PUSH EAX
"754F7045 Main CALL KERNELBA.754ED42B;"
754F704A Main ADD ESP,18
754F704D TEST EAX principal, EAX
754F704F Main JL SHORT KERNELBA.754F707E
"754F7051 Main PUSH 2;"
"754F7053 Main PUSH 0;"
"754F7055 Principal LEA EAX, DWORD PTR SS: [EBP-20C];"
"754F705B Main PUSH EAX;"
"754F705C Main CALL KERNELBA.LoadLibraryExW;"
"754F7061 Principal MOV ESI, EAX;"
754F7063 TEST Principal ESI, ESI
754F7065 Principal JE SHORT KERNELBA.754F707E
754F7067 Main PUSH 0
754F7069 Main PUSH 20
754F706B Main PUSH EBX
754F706C Main PUSH DWORD PTR SS: [EBP-210]
754F7072 Main PUSH ESI
"754F7073 Main CALL KERNELBA.LoadStringBaseExW;"
"754F7078 Main PUSH ESI;"
"754F7079 Main CALL KERNELBA.FreeLibrary;"
"754F707E Main POP ESI;"
"754F707F MOV principal ECX, DWORD PTR SS: [EBP-4];"
"754F7082 Main POP EDI;"
"754F7083 Main XOR ECX, EBP;"
"754F7085 Main POP EBX;"
754F7086 Principal CALL KERNELBA.754E68A6
"754F708B Main LEAVE;"
"754F708C Main RETN 8;"
"754F6E49 Main POP EBP;"
"754F6E4A Main RETN 4;"
754FAEA0 Main PUSH EBP
"754FAEA1 Main MOV EBP,ESP ;"
754FAEA3 Main PUSH 1
754FAEA5 Main PUSH DWORD PTR SS: [EBP + 8]
"754FAEA8 Main CALL KERNELBA.754FC37C;"
754FC3F5 EDI principal MOV, EDI
754FC3F7 Main PUSH EBP
"754FC3F8 Main MOV EBP,ESP ;"
754FC3FA Main PUSH ESI
754FC3FB Main PUSH EDI
754FC3FC Principal MOV EAX, DWORD PTR SS: [EBP + 8]
"754FC3FF Principal MOV ECX, DWORD PTR DS: [EAX];"
"754FC401 Principal MOV EDX, DWORD PTR SS: [EBP + C];"
754FC404 Principal MOV DWORD PTR DS: [EDX], ECX
"754FC406 Principal MOV ECX, DWORD PTR DS: [EAX + 54];"
754FC409 Principal MOV DWORD PTR DS: [EDX + 54], ECX
"754FC40C Principal MOV ECX, DWORD PTR DS: [EAX + A8];"
754FC412 Principal MOV DWORD PTR DS: [EDX + A8], ECX
"754FC418 Main MOV CX,WORD PTR DS:[EAX+44] ;"
754FC41C Main MOV WORD PTR DS:[EDX+44],CX
"754FC420 Main MOV CX,WORD PTR DS:[EAX+46] ;"
754FC424 Main MOV WORD PTR DS:[EDX+46],CX
"754FC428 Main MOV CX,WORD PTR DS:[EAX+52] ;"
754FC42C Main MOV WORD PTR DS:[EDX+48],CX
"754FC430 Main MOV CX,WORD PTR DS:[EAX+48] ;"
754FC434 Main MOV WORD PTR DS:[EDX+4A],CX
"754FC438 Main MOV CX,WORD PTR DS:[EAX+4A] ;"
754FC43C Main MOV WORD PTR DS:[EDX+4C],CX
"754FC440 Main MOV CX,WORD PTR DS:[EAX+4C] ;"
754FC444 Main MOV WORD PTR DS:[EDX+4E],CX
754FC448 Main MOV CX,WORD PTR DS:[EAX+4E]
754FC44C Main MOV WORD PTR DS:[EDX+50],CX
"754FC450 Main MOV CX,WORD PTR DS:[EAX+50] ;"
754FC454 Main MOV WORD PTR DS:[EDX+52],CX
"754FC458 Main MOV CX,WORD PTR DS:[EAX+98] ;"
754FC45F Main MOV WORD PTR DS:[EDX+98],CX
"754FC466 Main MOV CX,WORD PTR DS:[EAX+9A] ;"
754FC46D Main MOV WORD PTR DS:[EDX+9A],CX
"754FC474 Main MOV CX,WORD PTR DS:[EAX+A6] ;"
754FC47B Main MOV WORD PTR DS:[EDX+9C],CX
"754FC482 Main MOV CX,WORD PTR DS:[EAX+9C] ;"
754FC489 Main MOV WORD PTR DS:[EDX+9E],CX
"754FC490 Main MOV CX,WORD PTR DS:[EAX+9E] ;"
754FC497 Main MOV WORD PTR DS:[EDX+A0],CX
"754FC49E Main MOV CX,WORD PTR DS:[EAX+A0] ;"
754FC4A5 Main MOV WORD PTR DS:[EDX+A2],CX
754FC4AC Main MOV CX,WORD PTR DS:[EAX+A2]
754FC4B3 Main MOV WORD PTR DS:[EDX+A4],CX
"754FC4BA Main MOV CX,WORD PTR DS:[EAX+A4] ;"
754FC4C1 Main PUSH 40
754FC4C3 Main MOV WORD PTR DS:[EDX+A6],CX
"754FC4CA Main POP ECX;"
"754FC4CB Principal LEA ESI, DWORD PTR DS: [EAX + AC];"
"754FC4D1 Principal LEA EDI, DWORD PTR DS: [EDX + AC];"
754FC4D7 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FC4D9 Principal MOV AL, BYTE PTR DS: [EAX + 1AC];"
"754FC4DF Main POP EDI;"
754FC4E0 Principal MOV BYTE PTR DS: [EDX + 1AC], AL
"754FC4E6 Main POP ESI;"
"754FC4E7 Main POP EBP;"
"754FC4E8 Main RETN 8;"
"754FAEAD Main POP EBP;"
"754FAEAE Main RETN 4;"
755045D4 Main PUSH EBP
"755045D5 Main MOV EBP,ESP ;"
755045D7 Main PUSH ESI
755045D8 Main PUSH DWORD PTR SS: [EBP + 20]
"755045DB Principal XOR ESI, ESI;"
755045DD Main PUSH DWORD PTR SS: [EBP + 1C]
"755045E0 Principal INC ESI;"
755045E1 Main PUSH DWORD PTR SS: [EBP + 18]
755045E4 Main PUSH DWORD PTR SS: [EBP + 14]
755045E7 Main PUSH DWORD PTR SS: [EBP + 10]
755045EA Main PUSH DWORD PTR SS: [EBP + C]
755045ED Main PUSH DWORD PTR SS: [EBP + 8]
755045F0 Main CALL DWORD PTR DS: [<& ntdll.RtlGetFileMUIPat
755045F6 Principal TEST EAX, EAX
755045F8 Main JL SHORT KERNELBA.75504601
"755045FA Principal MOV EAX, ESI;"
"755045FC Main POP ESI;"
"755045FD Main POP EBP;"
"755045FE Main RETN 1C;"
754FC14D Main PUSH EBP
"754FC14E Main MOV EBP,ESP ;"
754FC150 Principal XOR EAX, EAX
754FC152 TEST principal ECX, ECX
754FC154 Principal JE SHORT KERNELBA.754FC15F
754FC156 Main CMP ECX, DWORD PTR SS: [EBP + 8]
754FC159 Main JA SHORT KERNELBA.754FC15F
"754FC15B Main POP EBP;"
"754FC15C Main RETN 4;"
754FC0CE Main PUSH EBP
"754FC0CF Main MOV EBP,ESP ;"
754FC0D1 Main PUSH EBX
"754FC0D2 Principal MOV EBX, DWORD PTR SS: [EBP + C];"
754FC0D5 Main PUSH ESI
754FC0D6 Principal MOV ESI, EAX
754FC0D8 Main PUSH EDI
"754FC0D9 Principal XOR EAX, EAX;"
"754FC0DB Principal XOR EDI, EDI;"
754FC0DD TEST PRINCIPAL ESI, ESI
754FC0DF Principal JE SHORT KERNELBA.754FC117
754FC0E1 Main CMP DWORD PTR SS: [EBP + 10], EAX
754FC0E4 Principal JE SHORT KERNELBA.754FC0FE
"754FC0E6 Principal MOVZX EDX, WORD PTR DS: [EBX];"
754FC0E9 TEST principal DX, DX
754FC0EC Principal JE SHORT KERNELBA.754FC0FE
754FC0EE Main MOV WORD PTR DS: [ECX], DX
"754FC0F1 Main INC ECX;"
"754FC0F2 Main INC ECX;"
"754FC0F3 Principal INC EBX;"
"754FC0F4 Main INC EBX;"
"754FC0F5 Main DEC ESI;"
754FC0F6 Principal DEC DWORD PTR SS: [EBP + 10]
"754FC0F9 Principal INC EDI;"
754FC0FA Main TEST ESI, ESI
"754FC0FC Main JNZ SHORT KERNELBA.754FC0E1;"
754FC0FE Main TEST ESI, ESI
754FC100 Principal JE SHORT KERNELBA.754FC117
754FC102 Principal XOR EDX, EDX
754FC104 Main MOV WORD PTR DS: [ECX], DX
"754FC107 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754FC10A TEST principal ECX, ECX
754FC10C Principal JE SHORT KERNELBA.754FC110
754FC10E Principal MOV DWORD PTR DS: [ECX], EDI
"754FC110 Main POP EDI;"
"754FC111 Main POP ESI;"
"754FC112 Main POP EBX;"
"754FC113 Main POP EBP;"
"754FC114 Main RETN 0C;"
754F798C Main PUSH DWORD PTR DS: [75525034]
"754F7992 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754F7998 Main RETN;"
"KiFastSystemCallR> RETN;"
"GetThreadLocale MOV EAX, DWORD PTR FS: [18];"
"754E9218 Principal MOV EAX, DWORD PTR DS: [EAX + C4];"
"754E921E Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EFC49 Main PUSH DWORD PTR DS: [75525034]
"754EFC4F Principal CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFC55 Main RETN;"
754EFA9D Main PUSH DWORD PTR DS: [75525034]
"754EFAA3 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFAA9 Main RETN;"
754EFAAF Main PUSH DWORD PTR DS: [75525034]
"754EFAB5 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFABB Main RETN;"
754EE815 Main PUSH DWORD PTR DS: [75525034]
"754EE81B Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EE821 Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
lstrlenA PUSH 8
754E7375 Main PUSH KERNELBA.754E73B0
"754E737A Main CALL KERNELBA.754E16A0;"
"754E737F MOV principal EAX, DWORD PTR SS: [EBP + 8];"
754E7382 TEST principal EAX, EAX
754E7384 Principal JE SHORT KERNELBA.754E73A5
754E7386 Main AND DWORD PTR SS: [EBP-4], 0
"754E738A Principal LEA EDX, DWORD PTR DS: [EAX + 1];"
"754E738D Principal MOV CL, BYTE PTR DS: [EAX];"
"754E738F Main INC EAX;"
754E7390 Main TEST CL, CL
"754E7392 Main JNZ SHORT KERNELBA.754E738D;"
"754E7394 Principal SUB EAX, EDX;"
754E7396 Principal MOV DWORD PTR SS: [EBP-4], - 2
"754E739D Main CALL KERNELBA.754E17F0;"
"754E73A2 Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EC1CA Main PUSH DWORD PTR DS: [75525034]
"754EC1D0 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EC1D6 Main RETN;"
SwitchToThread CALL DWORD PTR DS: [<& ntdll.NtYieldExecution
"ZwYieldExecution MOV EAX, 190;"
"754EC2D4 00000A28 XOR ECX, ECX;"
754EC2D6 00000A28 CMP EAX, 40000024
"754EC2DB 00000A28 SETNE CL;"
"754EC2DE 00000A28 MOV EAX, ECX;"
"754EC2E0 00000A28 RETN;"
"KiFastSystemCallR> RETN;"
754EE32D Main PUSH EBP
"754EE32E Main MOV EBP,ESP ;"
754EE330 Main PUSH DWORD PTR SS: [EBP + 18]
754EE333 Main PUSH DWORD PTR SS: [EBP + 14]
754EE336 Main PUSH DWORD PTR SS: [EBP + 10]
754EE339 Main PUSH DWORD PTR SS: [EBP + C]
754EE33C Main PUSH DWORD PTR SS: [EBP + 8]
754EE33F Main CALL DWORD PTR DS: [<& ntdll.NtQuerySecurityO
754EE345 TEST EAX principal, EAX
754EE347 Main JGE SHORT KERNELBA.754EE355
"754EE349 Main PUSH EAX;"
"754EE34A Main CALL KERNELBA.754E6BA5;"
"754EE34F Principal XOR EAX, EAX;"
"754EE351 Main POP EBP;"
"754EE352 Main RETN 14;"
754EE355 Principal XOR EAX, EAX
"754EE357 Main INC EAX;"
"754EE358 Main JMP SHORT KERNELBA.754EE351;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754F41BA Main PUSH EBP
"754F41BB Main MOV EBP,ESP ;"
754F41BD Main PUSH DWORD PTR SS: [EBP + C]
"754F41C0 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754F41C3 ADD EAX, EAX;"
754F41C5 Main PUSH EAX
754F41C6 Principal CALL DWORD PTR DS: [<& ntdll.RtlGetCurrentDir
"754F41CC Main SHR EAX, 1;"
"754F41CE Main POP EBP;"
"754F41CF Main RETN 8;"
"FreeResource XOR EAX, EAX;"
"754E917A Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754FCAA4 EDI principal MOV, EDI
754FCAA6 Main PUSH EBP
"754FCAA7 Main MOV EBP,ESP ;"
754FCAA9 Principal MOV EAX, DWORD PTR SS: [EBP + 8]
"754FCAAC Principal MOV ECX, DWORD PTR DS: [EAX];"
"754FCAAE Principal MOV EDX, DWORD PTR SS: [EBP + C];"
754FCAB1 Principal MOV DWORD PTR DS: [EDX], ECX
"754FCAB3 Principal MOV ECX, DWORD PTR DS: [EAX + 54];"
754FCAB6 Principal MOV DWORD PTR DS: [EDX + 54], ECX
"754FCAB9 Principal MOV ECX, DWORD PTR DS: [EAX + A8];"
754FCABF Principal MOV DWORD PTR DS: [EDX + A8], ECX
754FCAC5 Main PUSH ESI
754FCAC6 Main PUSH EDI
754FCAC7 Main PUSH 10
"754FCAC9 Main POP ECX;"
754FCACA Main PUSH 10
"754FCACC Main LEA ESI, DWORD PTR DS: [EAX + 4];"
"754FCACF Main LEA EDI, DWORD PTR DS: [EDX + 4];"
754FCAD2 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FCAD4 Main POP ECX;"
"754FCAD5 Principal LEA ESI, DWORD PTR DS: [EAX + 58];"
"754FCAD8 Principal LEA EDI, DWORD PTR DS: [EDX + 58];"
754FCADB Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
754FCADD Main MOV CX,WORD PTR DS:[EAX+44]
754FCAE1 Main MOV WORD PTR DS:[EDX+44],CX
"754FCAE5 Main MOV CX,WORD PTR DS:[EAX+46] ;"
754FCAE9 Main MOV WORD PTR DS:[EDX+46],CX
"754FCAED Main MOV CX,WORD PTR DS:[EAX+48] ;"
754FCAF1 Main MOV WORD PTR DS:[EDX+52],CX
"754FCAF5 Main MOV CX,WORD PTR DS:[EAX+4A] ;"
754FCAF9 Main MOV WORD PTR DS:[EDX+48],CX
"754FCAFD Main MOV CX,WORD PTR DS:[EAX+4C] ;"
754FCB01 Main MOV WORD PTR DS:[EDX+4A],CX
"754FCB05 Main MOV CX,WORD PTR DS:[EAX+4E] ;"
754FCB09 Main MOV WORD PTR DS:[EDX+4C],CX
754FCB0D Main MOV CX,WORD PTR DS:[EAX+50]
754FCB11 Main MOV WORD PTR DS:[EDX+4E],CX
"754FCB15 Main MOV CX,WORD PTR DS:[EAX+52] ;"
754FCB19 Main MOV WORD PTR DS:[EDX+50],CX
"754FCB1D Main MOV CX,WORD PTR DS:[EAX+98] ;"
754FCB24 Main MOV WORD PTR DS:[EDX+98],CX
"754FCB2B Main MOV CX,WORD PTR DS:[EAX+9A] ;"
754FCB32 Main MOV WORD PTR DS:[EDX+9A],CX
"754FCB39 Main MOV CX,WORD PTR DS:[EAX+9C] ;"
754FCB40 Main MOV WORD PTR DS:[EDX+A6],CX
"754FCB47 Main MOV CX,WORD PTR DS:[EAX+9E] ;"
754FCB4E Main MOV WORD PTR DS:[EDX+9C],CX
"754FCB55 Main MOV CX,WORD PTR DS:[EAX+A0] ;"
754FCB5C Main MOV WORD PTR DS:[EDX+9E],CX
"754FCB63 Main MOV CX,WORD PTR DS:[EAX+A2] ;"
754FCB6A Main MOV WORD PTR DS:[EDX+A0],CX
754FCB71 Main MOV CX,WORD PTR DS:[EAX+A4]
754FCB78 Main MOV WORD PTR DS:[EDX+A2],CX
"754FCB7F Main MOV CX,WORD PTR DS:[EAX+A6] ;"
754FCB86 Main PUSH 40
754FCB88 Main MOV WORD PTR DS:[EDX+A4],CX
"754FCB8F Main POP ECX;"
"754FCB90 Main LEA ESI, DWORD PTR DS: [EAX + AC];"
"754FCB96 Principal LEA EDI, DWORD PTR DS: [EDX + AC];"
754FCB9C Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FCB9E Principal MOV AL, BYTE PTR DS: [EAX + 1AC];"
"754FCBA4 Main POP EDI;"
754FCBA5 Principal MOV BYTE PTR DS: [EDX + 1AC], AL
"754FCBAB Main POP ESI;"
"754FCBAC Main POP EBP;"
"754FCBAD Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EF25F Main PUSH EBP
"754EF260 Main MOV EBP,ESP ;"
754EF262 Main PUSH 0
754EF264 Main PUSH DWORD PTR SS: [EBP + 14]
754EF267 Main PUSH DWORD PTR SS: [EBP + 10]
754EF26A Main PUSH DWORD PTR SS: [EBP + C]
754EF26D Main PUSH DWORD PTR SS: [EBP + 8]
"754EF270 Main CALL KERNELBA.LoadStringBaseExW;"
"754EF275 Main POP EBP;"
"754EF276 Main RETN 10;"
754F818C Main PUSH EBP
"754F818D Main MOV EBP,ESP ;"
754F818F Main PUSH DWORD PTR SS: [EBP + 8]
754F8192 Main PUSH 1
754F8194 Main CALL DWORD PTR DS: [<& ntdll.RtlWow64EnableFs
754F819A TEST EAX principal, EAX
754F819C Principal JGE SHORT KERNELBA.754F81AA
"754F819E Main PUSH EAX;"
"754F819F Main CALL KERNELBA.754E6BA5;"
"754F81A4 Principal XOR EAX, EAX;"
"754F81A6 Main POP EBP;"
"754F81A7 Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
FormatMessageW MOV EDI,EDI
754EECA2 Main PUSH EBP
"754EECA3 Main MOV EBP,ESP ;"
754EECA5 Main PUSH DWORD PTR SS: [EBP + 20]
754EECA8 Main PUSH DWORD PTR SS: [EBP + 1C]
754EECAB Main PUSH DWORD PTR SS: [EBP + 18]
754EECAE Main PUSH DWORD PTR SS: [EBP + 14]
754EECB1 Main PUSH DWORD PTR SS: [EBP + 10]
754EECB4 Main PUSH DWORD PTR SS: [EBP + C]
754EECB7 Main PUSH DWORD PTR SS: [EBP + 8]
754EECBA Main PUSH 0
"754EECBC Main CALL KERNELBA.754EEACC;"
"754EECC1 Main POP EBP;"
"754EECC2 Main RETN 1C;"
"754E1818 Main POP EBP;"
"754E1819 Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
75504E5F Main PUSH EBP
"75504E60 Main MOV EBP,ESP ;"
75504E62 Main PUSH 1
75504E64 Main PUSH DWORD PTR SS: [EBP + 10]
75504E67 Main PUSH DWORD PTR SS: [EBP + C]
75504E6A Main PUSH DWORD PTR SS: [EBP + 8]
"75504E6D Main CALL KERNELBA.754FC63A;"
"75504E72 Main POP EBP;"
"75504E73 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"774F658C 00000E80 RETN 8;"
754FFE14 EDI MOV principal, EDI
754FFE16 Main PUSH EBP
"754FFE17 Main MOV EBP,ESP ;"
754FFE19 Main PUSH ESI
"754FFE1A Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
"754FFE1D Principal MOV ECX, DWORD PTR DS: [ESI];"
754FFE1F CMP principal ECX, 9
754FFE22 Main JA SHORT KERNELBA.754FFE71
754FFE24 Main CMP DWORD PTR DS: [ESI + 4], 1
754FFE28 Main JA SHORT KERNELBA.754FFE71
754FFE2A Main CMP DWORD PTR DS: [ESI + 8], 270F
754FFE31 Main JA SHORT KERNELBA.754FFE71
754FFE33 Main CMP DWORD PTR DS: [ESI + 14], 4
754FFE37 Main JA SHORT KERNELBA.754FFE71
"754FFE39 Principal MOV EAX, DWORD PTR DS: [ESI + C];"
754FFE3C TEST EAX principal, EAX
754FFE3E Principal JE SHORT KERNELBA.754FFE71
"754FFE40 Main XOR EDX, EDX;"
754FFE42 TEST PRINCIPAL ECX, ECX
754FFE44 Main SETNE DL
754FFE47 Main PUSH EDX
754FFE48 Main PUSH 4
754FFE4A Main PUSH EAX
"754FFE4B Main CALL KERNELBA.754FFE7A;"
754FFE50 TEST EAX principal, EAX
754FFE52 Principal JE SHORT KERNELBA.754FFE71
"754FFE54 Principal MOV ESI, DWORD PTR DS: [ESI + 10];"
754FFE57 TEST PRINCIPAL ESI, ESI
754FFE59 Principal JE SHORT KERNELBA.754FFE71
754FFE5B Main PUSH 0
754FFE5D Main PUSH 4
754FFE5F Main PUSH ESI
754FFE60 Main CALL KERNELBA.754FFE7A
754FFE65 TEST EAX principal, EAX
754FFE67 Principal JE SHORT KERNELBA.754FFE71
"754FFE69 Principal XOR EAX, EAX;"
"754FFE6B Main INC EAX;"
"754FFE6C Main POP ESI;"
"754FFE6D Main POP EBP;"
"754FFE6E Main RETN 4;"
"KiFastSystemCallR> RETN;"
[17:11:34] Thread 00000864 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
[17:11:35] Exceção 000006BA
754E845D 00000E14 LEAVE
"774F6BC9 00000E14 MOV ECX,DWORD PTR SS:[ESP+4] ;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000E14 RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000E14 RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
[17:12:01] Thread 00000968 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000AD0 RETN 8;"
KiFastSystemCallR> DIR
"774F658C 00000AD0 RETN 8;"
KiFastSystemCallR> DIR
"774F658C 00000AD0 RETN 8;"
"KiFastSystemCallR> RETN;"
"774F658C 00000AD0 RETN 8;"
[17:12:47] Thread 00000DC0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:12:49] Thread 00000C04 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:13:03] Thread 0000007C encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:13:08] Thread 00000410 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:13:09] Thread 00000E80 encerrado, código de saída 0
[17:13:09] Thread 00000E14 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:13:09] Thread 00000344 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:13:09] Thread 00000AD0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:14:19] Thread 00000498 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:15:49] Thread 00000BB8 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:16:20] Thread 00000EB0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:17:19] Thread 00000D00 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:18:42] Thread 00000188 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:20:19] Thread 00000964 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:21:49] Thread 00000BB0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:23:19] Thread 00000E74 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:24:49] Thread 000004E8 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:26:19] Thread 00000C5C encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:27:49] Thread 00000F44 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:29:19] Thread 00000930 encerrado, código de saída 0
[17:30:49] Thread 00000708 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:32:19] Thread 00000C00 terminou, código de saída 0
KiFastSystemCallR> DIR
Executar o traçado fechas

se usar qualquer programa de comparação vão ver que a linha 754E16A0 Main PUSH KERNELBA.755006BD e a linha que determina se o arquivo e verdadeiro ou não onde diz ( JMP) pular para não iguais

Ainda analisando em assembly foi possível ver um padrão no arquivo ntb onde por definição e ser um arquivo de calculo não existe um numero de Mac escondido dentro do arquivo NTB , pq o arquivo todo é o numero de Mac. ( como isso é possível? ) o numero de mac é usado como uma senha de ativação onde os 12 dígitos são gerados inúmeras vezes aleatoriamente e quando é realocado pelo programa tools é feita varias somas para a confirmação de validação do arquivo .

Utilizando Linguagem de alto nível em editor de cod fonte dnSpy ( lembando que toda a extensão dos três arquivos em base de 32bits ) então vc deve usar um sistema operacional de 86x.

Eu pude constatar que arquivo NTB tem a crytp M5 Exatamente a mesma que o ios usa podem baixar qualquer firmware do ios que verão ser a mesma cryt (M5)

apos a analise total dos arquivos ficou claro que o BOOT é o arquivo funcional - o TOOLS é o programa de ativação e relocação - o NTB é a chave de autentificação .

e chave é gerada por um software de crypt M5 ( ios )

( Lembrando que NTB é uma extensão criada pela HP a qual é utilizada para a atualização de firmwares remotamente )

( isso pode dizer que desenvolvedor pode ter um servidor que gera este arquivo e se esta for a forma utilizada mesmo que se gere um arquivo exato pode não ativar devido a não ter se gerado ao servido )

e ainda tem a possibilidade de o desenvolvedor simplesmente desligar a maquina .

Douglas Lima said:

Boa tarde ... nos últimos meses eu vi uma enorme procura sobre um arquivo ( firmware ntb ). Bom pedi para que me enviasse o tal arquivo para analise . Eu testei em varias plataformas e linguagem desde assembly a c++ ou seja desde linguagem de baixo nível a linguagem de alto nível. usando linguagem de baixo nível foi possível sanicar e fazer as devidas comparações em assembly :

dados de um arquivo comprado e ativo

"Endereço Thread Command;"
"754E845E Main RETN 10;"
754E16A0 Main PUSH KERNELBA.755006BD
754E16A5 Main PUSH DWORD PTR FS: [0]
"754E16AC Main MOV EAX,DWORD PTR SS:[ESP+10] ;"
754E16B0 Main MOV DWORD PTR SS:[ESP+10],EBP
"754E16B4 Main LEA EBP,DWORD PTR SS:[ESP+10] ;"
754E16B8 Main SUB ESP,EAX
754E16BA Main PUSH EBX
754E16BB Main PUSH ESI
754E16BC Main PUSH EDI
"754E16BD Principal MOV EAX, DWORD PTR DS: [755259A0];"
754E16C2 Principal XOR DWORD PTR SS: [EBP-4], EAX
"754E16C5 Principal XOR EAX, EBP;"
754E16C7 Main PUSH EAX
754E16C8 Main MOV DWORD PTR SS:[EBP-18],ESP
754E16CB Main PUSH DWORD PTR SS: [EBP-8]
"754E16CE Principal MOV EAX, DWORD PTR SS: [EBP-4];"
754E16D1 Principal MOV DWORD PTR SS: [EBP-4], - 2
754E16D8 Principal MOV DWORD PTR SS: [EBP-8], EAX
"754E16DB Principal LEA EAX, DWORD PTR SS: [EBP-10];"
754E16DE Principal MOV DWORD PTR FS: [0], EAX
"754E16E4 Main RETN;"
754E7B1E Main CMP BYTE PTR SS: [EBP-19], 0
754E7B22 Principal JE SHORT KERNELBA.754E7B2F
754E7B24 Main PUSH DWORD PTR SS: [EBP-24]
754E7B27 Main PUSH 1
754E7B29 Principal CALL DWORD PTR DS: [<& ntdll.LdrUnlockLoaderL
"754E7B2F Main RETN;"
"754E17F0 Principal MOV ECX, DWORD PTR SS: [EBP-10];"
754E17F3 Principal MOV DWORD PTR FS: [0], ECX
"754E17FA Main POP ECX;"
"754E17FB POP EDI principal;"
"754E17FC POP POP EDI;"
"754E17FD Main POP ESI;"
"754E17FE Main POP EBX;"
754E17FF Main MOV ESP,EBP
"754E1801 Main POP EBP;"
754E1802 Main PUSH ECX
"754E1803 Main RETN;"
"GetCurrentThreadI> MOV EAX, DWORD PTR FS: [18];"
"754E6831 Principal MOV EAX, DWORD PTR DS: [EAX + 24];"
"754E6834 Main RETN;"
754E6C51 Main PUSH KERNELBA.755006BD
754E6C56 Main PUSH DWORD PTR FS: [0]
"754E6C5D Main MOV EAX,DWORD PTR SS:[ESP+10] ;"
754E6C61 Main MOV DWORD PTR SS:[ESP+10],EBP
"754E6C65 Main LEA EBP,DWORD PTR SS:[ESP+10] ;"
754E6C69 Main SUB ESP,EAX
754E6C6B Main PUSH EBX
754E6C6C Main PUSH ESI
754E6C6D Main PUSH EDI
"754E6C6E Principal MOV EAX, DWORD PTR DS: [755259A0];"
754E6C73 Principal XOR DWORD PTR SS: [EBP-4], EAX
"754E6C76 Principal XOR EAX, EBP;"
754E6C78 Principal MOV DWORD PTR SS: [EBP-1C], EAX
754E6C7B Main PUSH EAX
754E6C7C Main MOV DWORD PTR SS:[EBP-18],ESP
754E6C7F Main PUSH DWORD PTR SS: [EBP-8]
"754E6C82 Principal MOV EAX, DWORD PTR SS: [EBP-4];"
754E6C85 Principal MOV DWORD PTR SS: [EBP-4], - 2
754E6C8C Principal MOV DWORD PTR SS: [EBP-8], EAX
"754E6C8F LEA principal EAX, DWORD PTR SS: [EBP-10];"
754E6C92 Principal MOV DWORD PTR FS: [0], EAX
"754E6C98 Main RETN;"
"KernelBaseGetGlob> MOV EAX, KERNELBA.755250F0;"
"754E68A0 Main RETN;"
"GetProcessHeap MOV EAX, DWORD PTR FS: [18];"
"754E68EF 00000DA8 MOV EAX, DWORD PTR DS: [EAX + 30];"
"754E68F2 00000DA8 MOV EAX, DWORD PTR DS: [EAX + 18];"
"754E68F5 00000DA8 RETN;"
"IsDebuggerPresent MOV EAX, DWORD PTR FS: [18];"
"754EFC6C Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
"754EFC6F Principal MOVZX EAX, BYTE PTR DS: [EAX + 2];"
"754EFC73 Main RETN;"
754E6BA5 00000DA8 MOV EDI, EDI
754E6BA7 00000DA8 PUSH EBP
"754E6BA8 00000DA8 MOV EBP,ESP ;"
754E6BAA 00000DA8 PUSH ESI
754E6BAB 00000DA8 PUSH DWORD PTR SS: [EBP + 8]
754E6BAE 00000DA8 CALL DWORD PTR DS: [<& ntdll.RtlNtStatusToDos
"754E6BB4 00000DA8 MOV ESI, EAX;"
754E6BB6 00000DA8 PUSH ESI
754E6BB7 00000DA8 CALL DWORD PTR DS: [<& ntdll.RtlSetLastWin32E
"754E6BBD 00000DA8 MOV EAX, ESI;"
"754E6BBF 00000DA8 POP ESI;"
"754E6BC0 00000DA8 POP EBP;"
"754E6BC1 00000DA8 RETN 4;"
"GetLastError MOV EAX, DWORD PTR FS: [18];"
"754E68BE 00000DA8 MOV EAX, DWORD PTR DS: [EAX + 34];"
"754E68C1 00000DA8 RETN;"
GetSystemInfo MOI EDI, EDI
754EA855 00000DA8 PUSH EBP
"754EA856 00000DA8 MOV EBP,ESP ;"
754EA858 00000DA8 SUB ESP, 38
754EA85B 00000DA8 PUSH ESI
754EA85C 00000DA8 MOV ESI, DWORD PTR DS: [<& ntdll.NtQuerySystem
"754EA862 00000DA8 PUSH 0;"
"754EA864 00000DA8 PUSH 2C;"
"754EA866 00000DA8 LEA EAX, DWORD PTR SS: [EBP-38];"
"754EA869 00000DA8 PUSH EAX;"
"754EA86A 00000DA8 PUSH 0;"
"754EA86C 00000DA8 CALL ESI;"
754EA86E 00000DA8 TEST EAX, EAX
754EA870 00000DA8 JL SHORT KERNELBA.754EA892
"754EA872 00000DA8 PUSH 0;"
"754EA874 00000DA8 PUSH 0C;"
"754EA876 00000DA8 LEA EAX, DWORD PTR SS: [EBP-C];"
"754EA879 00000DA8 PUSH EAX;"
"754EA87A 00000DA8 PUSH 1;"
"754EA87C 00000DA8 CALL ESI;"
754EA87E 00000DA8 TEST EAX, EAX
754EA880 00000DA8 JL SHORT KERNELBA.754EA892
754EA882 00000DA8 PUSH DWORD PTR SS: [EBP + 8]
"754EA885 00000DA8 LEA EAX, DWORD PTR SS: [EBP-C];"
754EA888 00000DA8 PUSH EAX
"754EA889 00000DA8 LEA EAX, DWORD PTR SS: [EBP-38];"
754EA88C 00000DA8 PUSH EAX
"754EA88D 00000DA8 CALL KERNELBA.754EA89C;"
"754EA892 00000DA8 POP ESI;"
"754EA893 00000DA8 LEAVE;"
"754EA894 00000DA8 RETN 4;"
754EBF3F Main PUSH EBP
"754EBF40 Main MOV EBP,ESP ;"
"754EBF42 Main PUSH DWORD PTR SS: [EBP + 10];"
"754EBF45 Main PUSH DWORD PTR SS: [EBP + C];"
"754EBF48 Main PUSH DWORD PTR SS: [EBP + 8];"
"754EBF4B Main PUSH -1;"
"754EBF4D Main CALL KERNELBA.VirtualQueryEx ;"
"754EBF52 Main POP EBP;"
"754EBF53 Main RETN 0C;"
"GetCurrentProcess OU EAX, FFFFFFFF;"
"754E693A Main RETN;"
GetCurrentThread PUSH -2
"754E6942 Main POP EAX;"
754E6943 Main RETN
754E74B8 Main PUSH EBP
"754E74B9 Main MOV EBP,ESP ;"
754E74BB Main PUSH DWORD PTR SS: [EBP + 14]
754E74BE Main PUSH DWORD PTR SS: [EBP + 10]
754E74C1 Main PUSH DWORD PTR SS: [EBP + C]
754E74C4 Main PUSH DWORD PTR SS: [EBP + 8]
754E74C7 Main CALL DWORD PTR DS: [<& ntdll.NtOpenThreadToke
754E74CD TEST EAX principal, EAX
754E74CF Principal JGE SHORT KERNELBA.754E74DD
"754E74D1 Main PUSH EAX;"
"754E74D2 Main CALL KERNELBA.754E6BA5;"
"754E74D7 Main XOR EAX, EAX;"
"754E74D9 Main POP EBP;"
"754E74DA Main RETN 10;"
"GetCurrentProcess> MOV EAX, DWORD PTR FS: [18];"
"754E6988 Principal MOV EAX, DWORD PTR DS: [EAX + 20];"
"754E698B Main RETN;"
754E79A9 Main PUSH EBP
"754E79AA Main MOV EBP,ESP ;"
754E79AC Main PUSH DWORD PTR SS: [EBP + 14]
754E79AF Main PUSH DWORD PTR SS: [EBP + 10]
754E79B2 Main PUSH DWORD PTR SS: [EBP + C]
754E79B5 Main PUSH DWORD PTR SS: [EBP + 8]
754E79B8 Main PUSH -1
"754E79BA Main CALL KERNELBA.VirtualAllocEx ;"
"754E79BF Main POP EBP;"
"754E79C0 Main RETN 10;"
754E7A1E Main PUSH EBP
"754E7A1F Main MOV EBP,ESP ;"
754E7A21 Main PUSH DWORD PTR SS: [EBP + 10]
754E7A24 Main PUSH DWORD PTR SS: [EBP + C]
754E7A27 Main PUSH DWORD PTR SS: [EBP + 8]
754E7A2A Main PUSH -1
"754E7A2C Main CALL KERNELBA.VirtualFreeEx ;"
"754E7A31 Main POP EBP;"
"754E7A32 Main RETN 0C;"
75513B81 EDI MOV principal, EDI
75513B83 Main PUSH EBP
"75513B84 Main MOV EBP,ESP ;"
75513B86 Main PUSH ECX
"75513B87 Principal LEA EAX, DWORD PTR SS: [EBP-4];"
75513B8A Main PUSH EAX
75513B8B Main PUSH DWORD PTR SS: [EBP + 8]
"75513B8E Main CALL KERNELBA.754EB67A;"
75513B93 Main PUSH DWORD PTR SS: [EBP + 10]
75513B96 Main PUSH DWORD PTR SS: [EBP + C]
75513B99 Main PUSH DWORD PTR SS: [EBP-4]
75513B9C Main PUSH EAX
75513B9D Main PUSH DWORD PTR SS: [EBP + 8]
75513BA0 Main PUSH KERNELBA.754F20AC
75513BA5 Main PUSH KERNELBA.75525880
"75513BAA Main CALL KERNELBA.754EB5CB;"
"75513BAF Main LEAVE;"
"75513BB0 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
7551388F EDI MOV principal, EDI
75513891 Main PUSH EBP
"75513892 Main MOV EBP,ESP ;"
75513894 Main CMP DWORD PTR SS: [EBP + C], - 1
75513898 Main JNZ SHORT KERNELBA.755138A8
755138A8 Main PUSH DWORD PTR SS: [EBP + C]
755138AB Main PUSH KERNELBA.75525880
"755138B0 Main CALL KERNELBA.754EB4E5;"
"755138B5 Main POP EBP;"
"755138B6 Main RETN 8;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
754E7135 EDI MOV principal, EDI
"754E7137 Main PUSH EBP;"
754F0660 00000DEC MOV EDI, EDI
754F0662 00000DEC PUSH EBP
"754F0663 00000DEC MOV EBP,ESP ;"
754F0665 00000DEC PUSH ESI
754F0666 00000DEC MOV ESI, DWORD PTR SS: [EBP + 14]
"754F0669 00000DEC MOV EAX, DWORD PTR DS: [ESI];"
754F066B 00000DEC PUSH EDI
754F066C 00000DEC MOV EDI, DWORD PTR SS: [EBP + 10]
"754F066F 00000DEC ADICIONAR EAX, EAX;"
754F0671 00000DEC MOV DWORD PTR SS: [EBP + 14], EAX
"754F0674 00000DEC LEA EAX, DWORD PTR SS: [EBP + 14];"
754F0677 00000DEC PUSH EAX
754F0678 00000DEC PUSH EDI
754F0679 00000DEC PUSH DWORD PTR SS: [EBP + C]
754F067C 00000DEC PUSH DWORD PTR SS: [EBP + 8]
"754F067F 00000DEC CALL KERNELBA.754F06B0;"
"754E7138 Main MOV EBP,ESP ;"
"754E713A Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754E713D Main PUSH 0C
"754E713F Main POP EDX;"
754E7140 TEST PRINCIPAL ECX, ECX
754E7142 Principal JE SHORT KERNELBA.754E7163
754E7144 Main PUSH ESI
754E7145 Main PUSH 0A
"754E7147 Main POP ESI;"
754E7148 Principal MOVZX EAX, WORD PTR DS: [ECX]
754E714B Main TEST AX, AX
754E714E Principal JE SHORT KERNELBA.754E7162
754E7150 PRINCIPAL TEST ESI, ESI
754E7152 Principal JE SHORT KERNELBA.754E7162
"754E7154 Main AND EAX, 0DF;"
"754E7159 ADD principal EDX, EDX;"
"754E715B Main XOR EDX, EAX;"
"754E715D Main INC ECX;"
"754E715E Main INC ECX;"
"754E715F Main DEC ESI;"
"754E7160 Main JMP SHORT KERNELBA.754E7148;"
"754E7162 Main POP ESI;"
"754E7163 MOV principal EAX, DWORD PTR SS: [EBP + C];"
"754E7166 Main SHR EAX, 8;"
"754E7169 Main XOR EDX, EAX;"
"754E716B MOV principal EAX, EDX;"
"754E716D SAR EAX principal, 8;"
"754E7170 ADD EAX, EDX;"
"754E7172 Main AND EAX, 7F;"
"754E7175 Main POP EBP;"
"754E7176 Main RETN 8;"
754ED049 EDI MOV principal, EDI
754ED04B Main PUSH EBP
"754ED04C Main MOV EBP,ESP ;"
754ED04E Principal MOV ECX, DWORD PTR SS: [EBP + 8]
754ED051 Main PUSH 0C
"754ED053 Main POP EDX;"
754ED054 TEST principal ECX, ECX
754ED056 Principal JE SHORT KERNELBA.754ED077
754ED058 Main PUSH ESI
754ED059 Main PUSH 0A
"754ED05B Main POP ESI;"
"754ED05C Principal MOVZX EAX, WORD PTR DS: [ECX];"
754ED05F Main TEST AX, AX
754ED062 Principal JE SHORT KERNELBA.754ED076
754ED064 Principal TEST ESI, ESI
754ED066 Principal JE SHORT KERNELBA.754ED076
"754ED068 Main AND EAX, 0DF;"
"754ED06D Main ADD EDX, EDX;"
"754ED06F Principal XOR EDX, EAX;"
"754ED071 Main INC ECX;"
"754ED072 Main INC ECX;"
"754ED073 Main DEC ESI;"
"754ED074 Main JMP SHORT KERNELBA.754ED05C;"
"754ED076 Main POP ESI;"
"754ED077 Principal MOV EAX, EDX;"
"754ED079 Principal SAR EAX, 8;"
"754ED07C ADD EAX, EDX;"
"754ED07E Main AND EAX, 7F;"
"754ED081 Main POP EBP;"
"754ED082 Main RETN 4;"
75521434 EDI MOV principal, EDI
75521436 Main PUSH EBX
"75521437 Main MOV EBX,ESP ;"
75521439 Main PUSH ECX
7552143A Main PUSH ECX
7552143B Principal E ESP, FFFFFFE0
7552143E ADD PRINCIPAL ESP, 4
75521441 Main PUSH EBP
"75521442 Principal MOV EBP, DWORD PTR DS: [EBX + 4];"
75521445 Main MOV DWORD PTR SS:[ESP+4],EBP
"75521449 Main MOV EBP,ESP ;"
7552144B Main SUB ESP,458
"75521451 Principal MOV EAX, DWORD PTR DS: [755259A0];"
"75521456 Main XOR EAX, EBP;"
75521458 Principal MOV DWORD PTR SS: [EBP-4], EAX
7552145B Main PUSH ESI
"7552145C Principal MOV ESI, DWORD PTR DS: [EBX + 8];"
7552145F Main PUSH EDI
"75521460 MOV Principal EDI, DWORD PTR DS: [EBX + C];"
"75521463 Main CALL KERNELBA.754F393A;"
75521468 TEST EAX principal, EAX
7552146A Main JNZ SHORT KERNELBA.75521473
75521473 Main PUSH 104
"75521478 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
7552147E Main PUSH EAX
7552147F Main PUSH 8
75521481 Main PUSH 10
75521483 Main PUSH DWORD PTR DS: [ESI + 4]
"75521486 Main CALL KERNELBA.754F4ABE;"
754ECF95 EDI MOV principal, EDI
754ECF97 Main PUSH EBP
"754ECF98 Main MOV EBP,ESP ;"
"754ECF9A MOV principal EDX, DWORD PTR SS: [EBP + C];"
"754ECF9D Principal XOR EAX, EAX;"
754ECF9F Main TEST EDX, EDX
754ECFA1 Principal JE SHORT KERNELBA.754ECFC5
754ECFA3 Main CMP EDX, 7FFFFFFF
754ECFA9 Main JA SHORT KERNELBA.754ECFC5
754ECFAB Principal TEST EAX, EAX
754ECFAD Principal JL SHORT KERNELBA.754ECFC1
"754ECFAF MOV principal EAX, DWORD PTR SS: [EBP + 10];"
754ECFB2 Principal MOV ECX, DWORD PTR SS: [EBP + 8]
754ECFB5 Main PUSH 7FFFFFFE
754ECFBA Main PUSH 0
"754ECFBC Main CALL KERNELBA.754ECF3C;"
"754ECFC1 Main POP EBP;"
"754ECFC2 Main RETN 0C;"
7552148B TEST EAX principal, EAX
7552148D Main JNZ SHORT KERNELBA.7552146C
7552148F Main PUSH 2E
"75521491 Main POP EAX;"
75521492 Main PUSH 0FB
75521497 Main MOV WORD PTR SS: [EBP-200], AX
"7552149E Principal LEA EAX, DWORD PTR SS: [EBP-1FE];"
755214A4 Main PUSH EAX
755214A5 Main PUSH 8
755214A7 Main PUSH 10
755214A9 Main PUSH DWORD PTR DS: [ESI + 8]
"755214AC Main CALL KERNELBA.754F4ABE;"
755214B1 TEST EAX principal, EAX
755214B3 Principal JNZ SHORT KERNELBA.7552146C
"755214B5 Principal XOR ESI, ESI;"
755214B7 Main PUSH ESI
755214B8 Main PUSH 1
"755214BA Principal LEA EAX, DWORD PTR SS: [EBP-440];"
755214C0 Principal MOV DWORD PTR SS: [EBP-444], EAX
755214C6 Main PUSH 214
"755214CB Principal LEA EAX, DWORD PTR SS: [EBP-444];"
755214D1 Main PUSH EAX
"755214D2 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
755214D8 Main PUSH EAX
755214D9 Main PUSH DWORD PTR DS: [75525944]
"755214DF Main CALL KERNELBA.754ED2F0;"
755214E4 TEST EAX principal, EAX
755214E6 Main JNZ SHORT KERNELBA.7552146C
"7552146C Principal XOR EAX, EAX;"
7552146E Principal JMP KERNELBA.7552151D
"7552151D Principal MOV ECX, DWORD PTR SS: [EBP-4];"
"75521520 POP EDI principal;"
"75521521 Principal XOR ECX, EBP;"
"75521523 Main POP ESI;"
75521524 Principal CALL KERNELBA.754E68A6
75521529 Main MOV ESP,EBP
"7552152B Main POP EBP;"
7552152C Main MOV ESP,EBX
"7552152E Main POP EBX;"
7552152F Main RETN 0C
754E7030 Main PUSH EBP
"754E7031 Main MOV EBP,ESP ;"
754E7033 Main PUSH ESI
"754E7034 Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
754E7037 TEST PRINCIPAL ESI, ESI
754E7039 Principal JE SHORT KERNELBA.754E7050
"754E703B Main CALL KERNELBA.754E6EA8;"
"754E7040 Principal MOV ECX, DWORD PTR DS: [EAX + 8];"
754E7043 Main CMP ECX, DWORD PTR DS: [ESI + 8]
754E7046 Main JNZ SHORT KERNELBA.754E7058
"754E7048 Principal MOV EAX, DWORD PTR DS: [EAX + 4];"
754E704B Principal CMP EAX, DWORD PTR DS: [ESI + 4]
754E704E Main JNZ SHORT KERNELBA.754E7058
"754E7050 Main XOR EAX, EAX;"
"754E7052 Main INC EAX;"
"754E7053 Main POP ESI;"
"754E7054 Main POP EBP;"
"754E7055 Main RETN 4;"
754F2B4F EDI MOV principal, EDI
754F2B51 Main PUSH EBP
"754F2B52 Main MOV EBP,ESP ;"
754F2B54 Principal XOR EAX, EAX
754F2B56 Main CMP DWORD PTR DS: [EAX * 4 + 75525E80], 0
754F2B5E Main JNZ SHORT KERNELBA.754F2B78
"754F2B78 Principal INC EAX;"
754F2B79 Principal CMP EAX, 0A
"754F2B7C Main JGE SHORT KERNELBA.754F2B6A;"
"754F0684 00000DEC MOV ECX, DWORD PTR SS: [EBP + 14];"
"754F0687 00000DEC SHR ECX, 1;"
754F0689 00000DEC MOV DWORD PTR DS: [ESI], ECX
754F068B 00000DEC TEST EAX, EAX
754F068D 00000DEC JL SHORT KERNELBA.754F069E
754F068F 00000DEC TEST ECX, ECX
754F0691 00000DEC JBE SHORT KERNELBA.754F06A4
754F0693 00000DEC CMP WORD PTR DS: [EDI + ECX * 2-2], 0
754F0699 00000DEC JNZ SHORT KERNELBA.754F06A4
"754F069B 00000DEC DEC ECX;"
754F069C 00000DEC MOV DWORD PTR DS: [ESI], ECX
754F069E 00000DEC POP EDI
754F069F 00000DEC POP ESI
"754F06A0 00000DEC POP EBP;"
"754F06A1 00000DEC RETN 10;"
754F2B7E Main JMP SHORT KERNELBA.754F2B56
"754F2B60 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754F2B63 Principal MOV DWORD PTR DS: [EAX * 4 + 75525E80], ECX
"754F2B6A Principal XOR ECX, ECX;"
754F2B6C Principal CMP EAX, 0A
"754F2B6F Main SETNE CL;"
754F2B72 Principal MOV EAX, ECX
"754F2B74 Main POP EBP;"
"754F2B75 Main RETN 4;"
754EB89E Main PUSH EBP
"754EB89F Main MOV EBP,ESP ;"
"754EB8A1 Principal MOV EDX, DWORD PTR SS: [EBP + 8];"
"754EB8A4 Principal MOV ECX, DWORD PTR DS: [754EB8E0];"
754EB8AA Principal MOVZX EAX, DL
"754EB8AD Main SHR EDX, 8;"
754EB8B0 Principal MOVZX EDX, DL
754EB8B3 Main PUSH ESI
"754EB8B4 Principal MOV ESI, DWORD PTR DS: [ECX + 30];"
"754EB8B7 Principal MOVZX EDX, WORD PTR DS: [ESI + EDX * 2];"
754EB8BB Main PUSH EDI
"754EB8BC MOV Principal EDI, EAX;"
"754EB8BE Main SHR EDX, 1;"
"754EB8C0 Main SHR EDI, 4;"
"754EB8C3 Main ADD EDX, EDI;"
"754EB8C5 Principal MOVZX EDX, WORD PTR DS: [ESI + EDX * 2];"
"754EB8C9 Main AND EAX, 0F;"
"754EB8CC Main ADD EDX, ESI;"
"754EB8CE Principal MOVZX EAX, BYTE PTR DS: [EAX + EDX];"
"754EB8D2 Principal IMUL EAX, EAX, 6;"
"754EB8D5 ADD principal EAX, DWORD PTR DS: [ECX + 2C];"
"754EB8D8 POP EDI principal;"
"754EB8D9 Main POP ESI;"
"754EB8DA Main POP EBP;"
"754EB8DB Main RETN 4;"
EqualSid MOV EDI, EDI
754EAC74 00000DEC PUSH EBP
"754EAC75 00000DEC MOV EBP,ESP ;"
754EAC77 00000DEC PUSH 0
754EAC79 00000DEC CALL DWORD PTR DS: [<& ntdll.RtlSetLastWin32E
754EAC7F 00000DEC PUSH DWORD PTR SS: [EBP + C]
754EAC82 00000DEC PUSH DWORD PTR SS: [EBP + 8]
"754EAC85 00000DEC CALL DWORD PTR DS: [<& ntdll.RtlEqualSid>];"
754EAC8B 00000DEC MOVZX EAX, AL
"754EAC8E 00000DEC POP EBP;"
"754EAC8F 00000DEC RETN 8;"
FindFirstFileW MOV EDI, EDI
754EB451 Main PUSH EBP
"754EB452 Main MOV EBP,ESP ;"
"754EB454 Principal XOR EAX, EAX;"
754EB456 Main PUSH EAX
754EB457 Main PUSH EAX
754EB458 Main PUSH EAX
754EB459 Main PUSH DWORD PTR SS: [EBP + C]
754EB45C Main PUSH EAX
754EB45D Main PUSH DWORD PTR SS: [EBP + 8]
"754EB460 Main CALL KERNELBA.FindFirstFileExW;"
"754EB465 Main POP EBP;"
"754EB466 Main RETN 8;"
"754EE014 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754EE017 Main ADD EAX, 1C;"
754EE01A Main PUSH EAX
754EE01B Principal CALL DWORD PTR DS: [<& ntdll.RtlLeaveCritical
"754EE021 Main RETN;"
"KiFastSystemCallR> RETN;"
754F1B31 Main PUSH EBP
"754F1B32 Main MOV EBP,ESP ;"
"754F1B34 Main PUSH DWORD PTR SS: [EBP + 14];"
"754F1B37 Main PUSH DWORD PTR SS: [EBP + 10];"
"754F1B3A Main PUSH DWORD PTR SS: [EBP + C];"
"754F1B3D Main PUSH DWORD PTR SS: [EBP + 8];"
"754F1B40 Main PUSH -1;"
"754F1B42 Main CALL KERNELBA.VirtualProtectEx ;"
"754F1B47 Main POP EBP;"
"754F1B48 Main RETN 10;"
"7551389A Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551389D ADD principal EAX, -0C;"
"755138A0 Main PUSH EAX;"
755138A1 Principal CALL KERNELBA.754E8E9D
754E8E9D EDI MOV principal, EDI
754E8E9F Main PUSH EBP
"754E8EA0 Main MOV EBP,ESP ;"
754E8EA2 Main PUSH DWORD PTR SS: [EBP + 8]
"754E8EA5 Principal MOV EAX, DWORD PTR FS: [18];"
"754E8EAB Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754E8EAE Main PUSH 0
754E8EB0 Main PUSH DWORD PTR DS: [EAX + 18]
"754E8EB3 Principal CALL DWORD PTR DS: [<& ntdll.RtlFreeHeap>];"
"754E8EB9 Main POP EBP;"
754E8EBA Main RETN 4
"755138A6 Main JMP SHORT KERNELBA.755138B5;"
754EBDC1 Main PUSH EBP
"754EBDC2 Main MOV EBP,ESP ;"
754EBDC4 Main PUSH ECX
754EBDC5 Main PUSH ECX
754EBDC6 Main PUSH DWORD PTR SS: [EBP + 8]
"754EBDC9 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EBDCC Main PUSH EAX
"754EBDCD Main CALL KERNELBA.754E8745;"
754EBDD2 TEST EAX principal, EAX
754EBDD4 Principal JE SHORT KERNELBA.754EBDF4
754EBDD6 Main PUSH ESI
"754EBDD7 Main PUSH DWORD PTR SS: [EBP + 10];"
"754EBDDA Main PUSH DWORD PTR SS: [EBP + C];"
"754EBDDD Main PUSH DWORD PTR SS: [EBP-4];"
"754EBDE0 Main CALL KERNELBA.LoadLibraryExW;"
"754EBDE5 Principal MOV ESI, EAX;"
"754EBDE7 Main LEA EAX, DWORD PTR SS: [EBP-8];"
754EBDEA Main PUSH EAX
754EBDEB Main CALL DWORD PTR DS: [<& ntdll.RtlFreeUnicodeSt
"754EBDF1 Principal MOV EAX, ESI;"
"754EBDF3 Main POP ESI;"
"754EBDF4 Main LEAVE;"
"754EBDF5 Main RETN 0C;"
754EE623 Main PUSH EBP
"754EE624 Main MOV EBP,ESP ;"
754EE626 Main PUSH ESI
754EE627 Main PUSH DWORD PTR SS: [EBP + 10]
754EE62A Principal XOR ESI, ESI
754EE62C Main PUSH DWORD PTR SS: [EBP + C]
754EE62F Main PUSH DWORD PTR SS: [EBP + 8]
"754EE632 Main CALL KERNELBA.754EE597;"
"754EE637 Main DEC EAX;"
754EE638 Principal JE SHORT KERNELBA.754EE653
"754EE63A Principal DEC EAX;"
754EE63B Principal JE SHORT KERNELBA.754EE650
754EE63D Main PUSH DWORD PTR SS: [EBP + 10]
754EE640 Main PUSH DWORD PTR SS: [EBP + C]
754EE643 Main PUSH DWORD PTR SS: [EBP + 8]
754EE646 Main PUSH ESI
"754EE647 Main CALL KERNELBA.754E8512;"
"754EBE7F Main PUSH DWORD PTR SS: [EBP-24];"
"754EBE82 Main PUSH DWORD PTR SS: [EBP-28];"
754EBE85 Main CALL KERNELBA.BaseReleaseProcessDllPath
BaseReleaseProces> MOV EDI, EDI
754EB544 Main PUSH EBP
"754EB545 Main MOV EBP,ESP ;"
"754EB547 Main PUSH DWORD PTR SS: [EBP + C];"
"754EB54A Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754EB54D Main ADD EAX, -4;"
"754EB550 Main PUSH EAX;"
"754EB551 Main CALL KERNELBA.7551388F;"
"754EB556 Main POP EBP;"
754EB557 Main RETN 8
"754EBE8A Main RETN;"
754EE64C TEST EAX principal, EAX
754EE64E Principal JE SHORT KERNELBA.754EE653
754EE653 Principal MOV EAX, ESI
754EE655 Main POP ESI
"754EE656 Main POP EBP;"
"754EE657 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"754E8A72 Principal MOV EAX, ECX;"
"754E8A74 Principal XOR ECX, ECX;"
754E8A76 Main PUSH ESI
754E8A77 Principal MOV ESI, EAX
754E8A79 Main CMP WORD PTR DS:[EAX],CX
754E8A7C Principal JE SHORT KERNELBA.754E8AF1
754E8A7E Main PUSH 2
"754E8A80 Main POP EDX;"
"754E8A81 ADD EAX, EDX;"
754E8A83 Main CMP WORD PTR DS:[EAX],CX
754E8A86 Principal JE SHORT KERNELBA.754E8AF1
"754E8A88 ADD EAX, EDX;"
754E8A8A Main CMP WORD PTR DS:[EAX],CX
754E8A8D Principal JE SHORT KERNELBA.754E8AF1
"754E8A8F ADD EAX, EDX;"
754E8A91 Main CMP WORD PTR DS:[EAX],CX
754E8A94 Principal JE SHORT KERNELBA.754E8AF1
"754E8A96 ADD principal EAX, EDX;"
754E8A98 Main CMP WORD PTR DS:[EAX],CX
754E8A9B Principal JE SHORT KERNELBA.754E8AF1
"754E8A9D Main ADD EAX, EDX;"
754E8A9F Main CMP WORD PTR DS:[EAX],CX
754E8AA2 Principal JE SHORT KERNELBA.754E8AF1
"754E8AA4 ADD EAX, EDX;"
754E8AA6 Main CMP WORD PTR DS:[EAX],CX
754E8AA9 Principal JE SHORT KERNELBA.754E8AF1
"754E8AAB ADD EAX, EDX;"
754E8AAD Main CMP WORD PTR DS:[EAX],CX
754E8AB0 Principal JE SHORT KERNELBA.754E8AF1
"754E8AB2 ADD EAX, EDX;"
754E8AB4 Main CMP WORD PTR DS:[EAX],CX
754E8AB7 Principal JE SHORT KERNELBA.754E8AF1
"754E8AB9 Main ADD EAX, EDX;"
754E8ABB Main CMP WORD PTR DS:[EAX],CX
754E8ABE Principal JE SHORT KERNELBA.754E8AF1
"754E8AC0 ADD EAX, EDX;"
754E8AC2 Main CMP WORD PTR DS:[EAX],CX
754E8AC5 Principal JE SHORT KERNELBA.754E8AF1
"754E8AC7 ADD EAX, EDX;"
754E8AC9 Main CMP WORD PTR DS:[EAX],CX
754E8ACC Principal JE SHORT KERNELBA.754E8AF1
"754E8ACE Main ADD EAX, EDX;"
754E8AD0 Main CMP WORD PTR DS:[EAX],CX
754E8AD3 Principal JE SHORT KERNELBA.754E8AF1
"754E8AD5 ADD EAX, EDX;"
754E8AD7 Main CMP WORD PTR DS:[EAX],CX
754E8ADA Principal JE SHORT KERNELBA.754E8AF1
"754E8ADC ADD EAX, EDX;"
754E8ADE Main CMP WORD PTR DS:[EAX],CX
754E8AE1 Principal JE SHORT KERNELBA.754E8AF1
"754E8AE3 ADD EAX, EDX;"
754E8AE5 Main CMP WORD PTR DS:[EAX],CX
754E8AE8 Principal JE SHORT KERNELBA.754E8AF1
"754E8AEA ADD EAX, EDX;"
754E8AEC Main CMP WORD PTR DS:[EAX],CX
754E8AEF Main JNZ SHORT KERNELBA.754E8A81
"754E8AF1 Principal SUB EAX, ESI;"
"754E8AF3 SAR principal EAX, 1;"
754E8AF5 Principal POP ESI
"754E8AF6 Main RETN;"
754EE650 Principal XOR ESI, ESI
"754EE652 Main INC ESI;"
75513C21 EDI MOV principal, EDI
75513C23 Main PUSH EBP
"75513C24 Main MOV EBP,ESP ;"
75513C26 Main PUSH EBX
"75513C27 Principal MOV EBX, DWORD PTR SS: [EBP + 10];"
75513C2A Main PUSH ESI
75513C2B Main PUSH EDI
"75513C2C MOV principal EDI, 1000;"
75513C31 Main CMP DWORD PTR SS: [EBP + C], EDI
75513C34 Main JNZ SHORT KERNELBA.75513C7B
75513C7B Main PUSH DWORD PTR SS: [EBP + C]
75513C7E Main PUSH DWORD PTR SS: [EBP + 8]
75513C81 Principal CALL KERNELBA.75513A7B
75513A7B Main PUSH 30
75513A7D Main PUSH KERNELBA.75513B60
"75513A82 Main CALL KERNELBA.754E16A0;"
"75513A87 Principal MOV ECX, DWORD PTR SS: [EBP + C];"
75513A8A TEST ECX principal, 1000
75513A90 Principal JE SHORT KERNELBA.75513A98
"75513A98 Principal XOR EBX, EBX;"
"75513A9A Principal XOR EAX, EAX;"
"75513A9C Principal XOR EDX, EDX;"
"75513A9E Main INC EDX;"
75513A9F TEST ECX principal, 100
75513AA5 Principal JE SHORT KERNELBA.75513AB0
75513AB0 TEST ECX principal, 200
75513AB6 Principal JE SHORT KERNELBA.75513AC1
75513AC1 TEST ECX principal, 400
75513AC7 Principal JE SHORT KERNELBA.75513ADC
75513ADC Principal MOV DWORD PTR SS: [EBP + C], EBX
75513ADF TEST ECX principal, 800
75513AE5 Principal JE SHORT KERNELBA.75513AF0
75513AE7 Main MOV DWORD PTR SS: [EBP + EAX * 4-40], 9
"75513AEF Main INC EAX;"
75513AF0 Principal MOV DWORD PTR SS: [EBP + EAX * 4-40], EBX
"75513AF4 Principal XOR EDI, EDI;"
"75513AF6 Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
75513AF9 Principal CMP ESI, EBX
75513AFB Principal JE SHORT KERNELBA.75513B0F
75513B0F Main CMP DWORD PTR SS: [EBP + C], EBX
75513B12 Principal JE SHORT KERNELBA.75513B1F
75513B1F Main MOV DWORD PTR SS: [EBP-4], EBX
75513B22 Main PUSH EDI
75513B23 Main PUSH ESI
75513B24 Main PUSH EBX
"75513B25 Principal LEA EAX, DWORD PTR SS: [EBP-40];"
75513B28 Main PUSH EAX
"75513B29 Main CALL KERNELBA.754F1C7F;"
"75513B2E Principal MOV ESI, EAX;"
75513B30 Main PUSH -2
"75513B32 Main LEA EAX, DWORD PTR SS: [EBP-10];"
75513B35 Main PUSH EAX
75513B36 Main PUSH KERNELBA.755259A0
75513B3B Main CALL KERNELBA.755088B4
755088B4 Main PUSH EBX
755088B5 Main PUSH ESI
755088B6 Main PUSH EDI
"755088B7 Main MOV EDX,DWORD PTR SS:[ESP+10] ;"
755088BB Main MOV EAX,DWORD PTR SS:[ESP+14]
"755088BF Main MOV ECX,DWORD PTR SS:[ESP+18] ;"
755088C3 Main PUSH EBP
755088C4 Main PUSH EDX
755088C5 Main PUSH EAX
755088C6 Main PUSH ECX
755088C7 Main PUSH ECX
755088C8 Main PUSH KERNELBA.75508944
755088CD Main PUSH DWORD PTR FS: [0]
"755088D4 Principal MOV EAX, DWORD PTR DS: [755259A0];"
"755088D9 Main XOR EAX,ESP ;"
755088DB Main MOV DWORD PTR SS:[ESP+8],EAX
755088DF Main MOV DWORD PTR FS:[0],ESP
"755088E6 Main MOV EAX,DWORD PTR SS:[ESP+30] ;"
"755088EA Principal MOV EBX, DWORD PTR DS: [EAX + 8];"
"755088ED Main MOV ECX,DWORD PTR SS:[ESP+2C] ;"
"755088F1 Principal XOR EBX, DWORD PTR DS: [ECX];"
"755088F3 Principal MOV ESI, DWORD PTR DS: [EAX + C];"
755088F6 Principal CMP ESI, -2
755088F9 Principal JE SHORT KERNELBA.75508936
"755088FB Main MOV EDX,DWORD PTR SS:[ESP+34] ;"
755088FF Principal CMP EDX, -2
75508902 Mão I SHORT KERNELBA.75508908
75508908 Principal LEA ESI, DWORD PTR DS: [ESI + ESI * 2]
"7550890B Principal LEA EBX, DWORD PTR DS: [EBX + ESI * 4 + 10];"
"7550890F Principal MOV ECX, DWORD PTR DS: [EBX];"
75508911 Principal MOV DWORD PTR DS: [EAX + C], ECX
75508914 Main CMP DWORD PTR DS: [EBX + 4], 0
75508918 Principal JNZ SHORT KERNELBA.755088E6
7550891A Main PUSH 101
"7550891F MOV Principal EAX, DWORD PTR DS: [EBX + 8];"
75508922 Principal CALL KERNELBA.755007D4
755007D4 Main PUSH EBX
755007D5 Main PUSH ECX
"755007D6 Principal MOV EBX, KERNELBA.75525790;"
"755007DB Main MOV ECX,DWORD PTR SS:[ESP+C] ;"
755007DF Principal MOV DWORD PTR DS: [EBX + 8], ECX
755007E2 Principal MOV DWORD PTR DS: [EBX + 4], EAX
755007E5 Principal MOV DWORD PTR DS: [EBX + C], EBP
755007E8 Main PUSH EBP
755007E9 Main PUSH ECX
755007EA Main PUSH EAX
755007EB Main EAX POP
755007EC Main POP ECX
755007ED Principal POP EBP
"755007EE Main POP ECX;"
"755007EF Main POP EBX;"
755007F0 Main RETN 4
"75508927 Principal MOV ECX, 1;"
7550892C Principal MOV EAX, DWORD PTR DS: [EBX + 8]
7550892F Principal CALL KERNELBA.755089A1
755089A1 Principal CALL EAX
75513B4D Main CMP DWORD PTR SS: [EBP + C], 0
755089A3 Main RETN
"75508934 Main JMP SHORT KERNELBA.755088E6;"
75508936 Main POP DWORD PTR FS: [0]
7550893D Principal ADD ESP, 18
75508940 POP EDI principal
"75508941 Main POP ESI;"
"75508942 Main POP EBX;"
75508943 Main RETN
75513B40 Main ADD ESP,0C
"75513B43 Principal MOV EAX, ESI;"
"75513B45 Main CALL KERNELBA.754E17F0;"
75513B4A Main RETN 8
75513C86 Main OR DWORD PTR DS: [EBX], FFFFFFFF
"75513C89 ADD EAX principal, 0C;"
"75513C8C POP POP principal;"
75513C8D Main POP ESI
"75513C8E Main POP EBX;"
"75513C8F Main POP EBP;"
"75513C90 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
7551391C EDI principal MOV, EDI
7551391E Main PUSH EBP
"7551391F Main MOV EBP,ESP ;"
75513921 Main CMP DWORD PTR SS: [EBP + C], - 1
75513925 Main JNZ SHORT KERNELBA.75513935
"75513927 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551392A ADD EAX, -0C;"
"7551392D Main PUSH EAX;"
"7551392E Main CALL KERNELBA.754E8E9D;"
75513933 Principal JMP SHORT KERNELBA.75513942
"75513942 Main POP EBP;"
"75513943 Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
NlsIsUserDefaultL> MOV EDI, EDI
754F8277 Main PUSH EBP
"754F8278 Main MOV EBP,ESP ;"
"754F827A Main CALL KERNELBA.754E6FB9;"
"754F827F MOV principal EDX, DWORD PTR SS: [EBP + 8];"
"754F8282 Main XOR ECX, ECX;"
754F8284 Main CMP EDX, DWORD PTR DS: [EAX + 8]
754F8287 Main SETE CL
"754F828A MOV principal EAX, ECX;"
"754F828C Main POP EBP;"
"754F828D Main RETN 4;"
754EF62C Main PUSH EBP
"754EF62D Main MOV EBP,ESP ;"
"754EF62F Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
"754EF632 Main XOR EDX, EDX;"
"754EF634 Main CALL KERNELBA.GetNamedLocaleHashNode;"
"754EF639 Main POP EBP;"
"754EF63A Main RETN 4;"
7551971B Main PUSH EBP
"7551971C Main MOV EBP,ESP ;"
"7551971E Principal LEA EAX, DWORD PTR SS: [EBP + C];"
75519721 Main PUSH EAX
75519722 Main PUSH DWORD PTR SS: [EBP + C]
"75519725 Main CALL KERNELBA.755018D8;"
7551972A TEST EAX principal, EAX
7551972C Principal JGE SHORT KERNELBA.75519739
"75519739 Main CALL KERNELBA.754E6FB9;"
7551973E Main PUSH DWORD PTR DS: [EAX + 8]
"75519741 Main CALL KERNELBA.754E6EE0;"
"75519746 Main PUSH EAX;"
"75519747 Main PUSH DWORD PTR SS: [EBP + C];"
"7551974A Main PUSH DWORD PTR SS: [EBP + 8];"
"7551974D Main CALL KERNELBA.754ECF95;"
75519752 TEST EAX principal, EAX
75519754 Main JGE SHORT KERNELBA.7551975D
"7551975D Principal LEA EAX, DWORD PTR SS: [EBP + 8];"
75519760 Main PUSH EAX
75519761 Main PUSH 55
75519763 Main PUSH DWORD PTR SS: [EBP + 8]
"75519766 Main CALL KERNELBA.754FA018;"
"7551976B Main LEA EAX, DWORD PTR SS: [EBP + 8];"
7551976E Main PUSH EAX
7551976F Main PUSH DWORD PTR SS: [EBP + 8]
"75519772 Main CALL KERNELBA.754E700B;"
"75519777 Main MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551977A Principal INC EAX;"
"7551977B Main POP EBP;"
"7551977C Main RETN 8;"
754ECFD1 EDI principal MOV, EDI
754ECFD3 Main PUSH EBP
"754ECFD4 Main MOV EBP,ESP ;"
"754ECFD6 MOV principal EDX, DWORD PTR SS: [EBP + C];"
754ECFD9 Main PUSH EBX
"754ECFDA Principal XOR EAX, EAX;"
754ECFDC Main PUSH EDI
"754ECFDD Principal MOV EBX, 7FFFFFFF;"
754ECFE2 TEST principal EDX, EDX
754ECFE4 Principal JE SHORT KERNELBA.754ED030
754ECFE6 Main CMP EDX, EBX
754ECFE8 Main JA SHORT KERNELBA.754ED030
"754ECFEA MOV PRINCIPAL EDI, DWORD PTR SS: [EBP + 8];"
754ECFED Principal TEST EAX, EAX
754ECFEF Principal JL SHORT KERNELBA.754ED040
754ECFF1 Main AND DWORD PTR SS: [EBP + C], 0
754ECFF5 Principal XOR ECX, ECX
754ECFF7 Main PUSH ESI
"754ECFF8 Principal MOV ESI, EDX;"
"754ECFFA Principal MOV EAX, EDI;"
754ECFFC Main CMP EDX, ECX
754ECFFE Principal JE SHORT KERNELBA.754ED037
754ED000 Main CMP WORD PTR DS:[EAX],CX
754ED003 Principal JE SHORT KERNELBA.754ED00A
"754ED005 Main INC EAX;"
"754ED006 Principal INC EAX;"
"754ED007 Main DEC ESI;"
"754ED008 Main JNZ SHORT KERNELBA.754ED000;"
754ED00A Principal CMP ESI, ECX
754ED00C Principal JE SHORT KERNELBA.754ED037
"754ED00E Principal MOV ECX, EDX;"
"754ED010 Principal SUB ECX, ESI;"
"754ED012 Principal MOV EAX, DWORD PTR SS: [EBP + C];"
"754ED015 Main POP ESI;"
754ED016 TEST principal EAX, EAX
754ED018 Main JL SHORT KERNELBA.754ED02A
"754ED01A Principal MOV EAX, DWORD PTR SS: [EBP + 10];"
754ED01D Main PUSH EBX
"754ED01E Principal SUB EDX, ECX;"
754ED020 Main PUSH 0
"754ED022 Principal LEA ECX, DWORD PTR DS: [EDI + ECX * 2];"
"754ED025 Main CALL KERNELBA.754ECF3C;"
"754ED02A POP EDI principal;"
"754ED02B Main POP EBX;"
"754ED02C Main POP EBP;"
"754ED02D Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754E7342 Main PUSH EBP
"754E7343 Main MOV EBP,ESP ;"
754E7345 Main PUSH DWORD PTR SS: [EBP + C]
754E7348 Main PUSH DWORD PTR SS: [EBP + 8]
754E734B Main CALL DWORD PTR DS: [<& ntdll.RtlInitializeCri
754E7351 Principal XOR EAX, EAX
"754E7353 Main INC EAX;"
"754E7354 Main POP EBP;"
"754E7355 Main RETN 8;"
"GetCommandLineA MOV EAX, DWORD PTR DS: [7552578C];"
"754F194C Main RETN;"
754F1954 Main PUSH EBP
"754F1955 Main MOV EBP,ESP ;"
754F1957 Main PUSH DWORD PTR SS: [EBP + 8]
"754F195A MOV principal EAX, DWORD PTR FS: [18];"
"754F1960 Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754F1963 Main PUSH 0
754F1965 Main PUSH DWORD PTR DS: [EAX + 18]
"754F1968 Main CALL DWORD PTR DS: [<& ntdll.RtlFreeHeap>];"
754F196E Principal MOVZX EAX, AL
"754F1971 Main POP EBP;"
"754F1972 Main RETN 4;"
"GetACP MOV EAX, DWORD PTR DS: [75525054];"
"754E92F8 Main RETN;"
"KiFastSystemCallR> RETN;"
754F9241 EDI MOV principal, EDI
754F9243 Main PUSH EBP
"754F9244 Main MOV EBP,ESP ;"
"754F9246 Principal MOV AX, WORD PTR SS: [EBP + 8];"
754F924A Main CMP AX, WORD PTR SS: [EBP + 10]
754F924E Main JA SHORT KERNELBA.754F925D
754F9250 Main CMP AX, WORD PTR SS: [EBP + C]
754F9254 Principal MOVZX EAX, AX
754F9257 Main JB SHORT KERNELBA.754F925D
"754F9259 Main POP EBP;"
"754F925A Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"GetVersion MOV EAX, DWORD PTR FS: [18];"
"754EC20D Principal MOV ECX, DWORD PTR DS: [EAX + 30];"
"754EC210 Principal MOV EAX, DWORD PTR DS: [ECX + B0];"
"754EC216 Principal MOVZX EDX, WORD PTR DS: [ECX + AC];"
"754EC21D Principal XOR EAX, FFFFFFFE;"
"754EC220 Main SHL EAX, 0E;"
"754EC223 Main OR EAX, EDX;"
"754EC225 Main SHL EAX, 8;"
"754EC228 Main OR EAX, DWORD PTR DS: [ECX + A8];"
"754EC22E Main SHL EAX, 8;"
"754EC231 Main OR EAX, DWORD PTR DS: [ECX + A4];"
"754EC237 Main RETN;"
"754E7058 Principal XOR EAX, EAX;"
"754E705A Main JMP SHORT KERNELBA.754E7053;"
754ED5D5 Main PUSH DWORD PTR SS: [EBP-30]
754ED5D8 Principal CALL KERNELBA.BaseDllFreeResourceId
754ED5DD Main PUSH DWORD PTR SS: [EBP-2C]
754ED5E0 Principal CALL KERNELBA.BaseDllFreeResourceId
"754ED5E5 Main RETN;"
SetHandleCount MOV EDI, EDI
754E92E4 Main PUSH EBP
"754E92E5 Main MOV EBP,ESP ;"
754E92E7 MOV principal EAX, DWORD PTR SS: [EBP + 8]
"754E92EA Main POP EBP;"
"754E92EB Main RETN 4;"
"KiFastSystemCallR> RETN;"
754E9ADF 00000360 PUSH EBP
"754E9AE0 00000360 MOV EBP,ESP ;"
754E9AE2 00000360 PUSH DWORD PTR SS: [EBP + 10]
754E9AE5 00000360 PUSH 2
754E9AE7 00000360 PUSH DWORD PTR SS: [EBP + C]
754E9AEA 00000360 PUSH 0
754E9AEC 00000360 PUSH 0C
754E9AEE 00000360 PUSH DWORD PTR SS: [EBP + 8]
"754E9AF1 00000360 CALL KERNELBA.DuplicateTokenEx ;"
"754E9AF6 00000360 POP EBP;"
"754E9AF7 00000360 RETN 0C;"
"GetOEMCP MOV EAX, DWORD PTR DS: [75525048];"
"754ED9B4 Main RETN;"
"NlsGetCacheUpdate> MOV EAX, DWORD PTR DS: [7552504C];"
"754E9308 Principal MOV EAX, DWORD PTR DS: [EAX + 5C8];"
"754E930E Main RETN;"
754F4628 Main PUSH EBP
"754F4629 Main MOV EBP,ESP ;"
754F462B Main PUSH 0
"754F462D Principal LEA EAX, DWORD PTR SS: [EBP + 8];"
754F4630 Main PUSH EAX
"754F4631 Main CALL KERNELBA.NlsValidateLocale;"
754F4636 TEST principal EAX, EAX
754F4638 Principal JE SHORT KERNELBA.754F4640
"754F463A Principal MOV EAX, DWORD PTR DS: [EAX];"
"754F463C Main POP EBP;"
"754F463D Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"GetCommandLineW MOV EAX, DWORD PTR DS: [7552506C];"
"754ED9A9 Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754F0C45 EDI MOV principal, EDI
754F0C47 Main PUSH EBP
"754F0C48 Main MOV EBP,ESP ;"
754F0C4A Main PUSH ECX
754F0C4B Main AND DWORD PTR SS: [EBP-4], 0
754F0C4F Main PUSH EDI
"754F0C50 Principal XOR EDI, EDI;"
754F0C52 Main PUSH EDI
754F0C53 Main PUSH 20019
754F0C58 Main PUSH DWORD PTR SS: [EBP + C]
"754F0C5B Principal LEA EAX, DWORD PTR SS: [EBP-4];"
754F0C5E Main PUSH KERNELBA.754ED3C0
754F0C63 Main PUSH EAX
"754F0C64 Main CALL KERNELBA.OpenRegKey;"
754F0C69 TEST EAX principal, EAX
754F0C6B Main JL SHORT KERNELBA.754F0C9C
754F0C6D Main PUSH EDI
754F0C6E Main PUSH 1
754F0C70 Main PUSH 214
"754F0C75 Principal LEA EAX, DWORD PTR SS: [EBP + 10];"
754F0C78 Main PUSH EAX
754F0C79 Main PUSH DWORD PTR SS: [EBP + 8]
754F0C7C Main PUSH DWORD PTR SS: [EBP-4]
"754F0C7F Main CALL KERNELBA.754ED2F0;"
"754F0C84 Main XOR ECX, ECX;"
754F0C86 TEST principal EAX, EAX
754F0C88 Main SETGE CL
754F0C8B Main CMP DWORD PTR SS: [EBP-4], 0
754F0C8F MOV Principal EDI, ECX
754F0C91 Principal JE SHORT KERNELBA.754F0C9C
"754F0C93 Main PUSH DWORD PTR SS: [EBP-4];"
"754F0C96 Main CALL DWORD PTR DS: [<& ntdll.NtClose>];"
754F0C9C Principal MOV EAX, EDI
"754F0C9E POP EDI principal;"
"754F0C9F Main LEAVE;"
"754F0CA0 Main RETN 0C;"
754F252B Main PUSH EBP
"754F252C Main MOV EBP,ESP ;"
"754F252E Principal MOV EAX, DWORD PTR FS: [18];"
"754F2534 Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754F2537 Main PUSH 30
754F2539 Main PUSH 8
754F253B Main PUSH DWORD PTR DS: [EAX + 18]
754F253E Main CALL DWORD PTR DS: [<& ntdll.RtlAllocateHeap>
754F2544 Principal TEST EAX, EAX
754F2546 Principal JE SHORT KERNELBA.754F254D
"754F2548 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754F254B Principal MOV DWORD PTR DS: [EAX], ECX
"754F254D Main POP EBP;"
"754F254E Main RETN 4;"
754E74DD Principal XOR EAX, EAX
"754E74DF Main INC EAX;"
"754E74E0 Main JMP SHORT KERNELBA.754E74D9;"
754EACBB Main PUSH EBP
"754EACBC Main MOV EBP,ESP ;"
754EACBE Principal MOVZX EAX, BYTE PTR SS: [EBP + 8]
754EACC2 Main PUSH EAX
754EACC3 Principal CALL DWORD PTR DS: [<& ntdll.RtlLengthRequire
"754EACC9 Main POP EBP;"
"754EACCA Main RETN 4;"
OpenEventA MOV EDI, EDI
754EE697 Main PUSH EBP
"754EE698 Main MOV EBP,ESP ;"
754EE69A Main PUSH ECX
754EE69B Main PUSH ECX
754EE69C Main CMP DWORD PTR SS: [EBP + 10], 0
754EE6A0 Principal JE SHORT KERNELBA.754EE6DA
754EE6A2 Main PUSH DWORD PTR SS: [EBP + 10]
"754EE6A5 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EE6A8 Main PUSH EAX
"754EE6A9 Main CALL KERNELBA.754E8745;"
754EE6AE TEST EAX principal, EAX
754EE6B0 Principal JE SHORT KERNELBA.754EE6D6
754EE6B2 Main PUSH ESI
"754EE6B3 Main PUSH DWORD PTR SS: [EBP-4];"
"754EE6B6 Main PUSH DWORD PTR SS: [EBP + C];"
"754EE6B9 Main PUSH DWORD PTR SS: [EBP + 8];"
"754EE6BC Main CALL KERNELBA.OpenEventW;"
754EE6C1 Main CMP DWORD PTR SS: [EBP + 10], 0
"754EE6C5 Principal MOV ESI, EAX;"
754EE6C7 Principal JE SHORT KERNELBA.754EE6D3
"754EE6C9 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EE6CC Main PUSH EAX
754EE6CD Main CALL DWORD PTR DS: [<& ntdll.RtlFreeUnicodeSt
754EE6D3 Principal MOV EAX, ESI
"754EE6D5 Main POP ESI;"
"754EE6D6 Main LEAVE;"
"754EE6D7 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
75513BED EDI MOV principal, EDI
75513BEF Main PUSH EBP
"75513BF0 Main MOV EBP,ESP ;"
75513BF2 Main PUSH ECX
"75513BF3 Principal LEA EAX, DWORD PTR SS: [EBP-4];"
75513BF6 Main PUSH EAX
75513BF7 Main PUSH 0
"75513BF9 Main CALL KERNELBA.754EB67A;"
75513BFE Main PUSH DWORD PTR SS: [EBP + 8]
75513C01 Main PUSH 0
75513C03 Main PUSH DWORD PTR SS: [EBP-4]
75513C06 Main PUSH EAX
75513C07 Main PUSH 0
75513C09 Main PUSH KERNELBA.754F2473
75513C0E Main PUSH KERNELBA.75525800
"75513C13 Main CALL KERNELBA.754EB5CB;"
754F1BC8 Main CMP DWORD PTR SS: [EBP + C], EBX
754F1BCB Main JNZ SHORT KERNELBA.754F1BD3
754F1BCD Main CALL DWORD PTR DS: [<& ntdll.RtlReleasePebLoc
"754F1BD3 Main RETN;"
"75513C18 LEA PRINCIPAL;"
"75513C19 Main RETN 4;"
754F2458 Main PUSH EBP
"754F2459 Main MOV EBP,ESP ;"
"754F245B Main PUSH DWORD PTR SS: [EBP + C];"
"754F245E Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754F2461 Main ADD EAX, -4;"
"754F2464 Main PUSH EAX;"
754F2465 Principal CHAMADA KERNELBA.755138ED
755138ED EDI MOV principal, EDI
755138EF Main PUSH EBP
"755138F0 Main MOV EBP,ESP ;"
755138F2 Main CMP DWORD PTR SS: [EBP + C], - 1
755138F6 Main JNZ SHORT KERNELBA.75513906
75513906 Main PUSH DWORD PTR SS: [EBP + C]
75513909 Main PUSH KERNELBA.75525800
"7551390E Main CALL KERNELBA.754EB4E5;"
"75513913 Main POP EBP;"
75513914 Main RETN 8
"754F246A Main POP EBP;"
"754F246B Main RETN 8;"
"KiFastSystemCallR> RETN;"
754F5048 EDI MOV principal, EDI
754F504A Main PUSH EBP
"754F504B Main MOV EBP,ESP ;"
"754F504D MOV principal EAX, DWORD PTR SS: [EBP + C];"
"754F5050 Principal MOVZX EAX, BYTE PTR DS: [EAX];"
"754F5053 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
"754F5056 Main MOV CX,WORD PTR DS:[ECX+EAX*2] ;"
"754F505A MOV principal EAX, DWORD PTR SS: [EBP + 10];"
754F505D Main PUSH DWORD PTR SS: [EBP + 14]
754F5060 Main MOV WORD PTR DS:[EAX],CX
754F5063 Main PUSH EAX
"754F5064 Main CALL KERNELBA.754F5072;"
"754F5069 Main POP EBP;"
"754F506A Main RETN 10;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
754E180B 00000630 PUSH EBP
"754E180C 00000630 MOV EBP,ESP ;"
"754E180E 00000630 PUSH 0;"
"754E1810 00000630 PUSH DWORD PTR SS: [EBP + 8];"
"754E1813 00000630 CHAMAR KERNELBA.SleepEx;"
GetTimeZoneInform> MOI EDI, EDI
754F6E3C Main PUSH EBP
"754F6E3D Main MOV EBP,ESP ;"
754F6E3F Main PUSH 1
754F6E41 Main PUSH DWORD PTR SS: [EBP + 8]
"754F6E44 Main CALL KERNELBA.754F6E52;"
"754E71E4 Principal MOV EAX, DWORD PTR DS: [75525044];"
"754E71E9 Principal MOV EAX, DWORD PTR DS: [EAX + 91C];"
754E71EF Principal XOR ECX, ECX
754E71F1 Principal CMP EAX, -1
754E71F4 Main SETNE CL
"754E71F7 Principal MOV EAX, ECX;"
"754E71F9 Main RETN;"
754F6F80 EDI MOV principal, EDI
754F6F82 Main PUSH EBP
"754F6F83 Main MOV EBP,ESP ;"
754F6F85 Main SUB ESP,218
"754F6F8B MOV principal EAX, DWORD PTR DS: [755259A0];"
"754F6F90 Principal XOR EAX, EBP;"
754F6F92 Principal MOV DWORD PTR SS: [EBP-4], EAX
754F6F95 Main PUSH EBX
"754F6F96 Principal MOV EBX, DWORD PTR SS: [EBP + C];"
754F6F99 Main PUSH EDI
"754F6F9A MOV Principal EDI, DWORD PTR SS: [EBP + 8];"
754F6F9D Main PUSH EDI
754F6F9E Main PUSH 20
754F6FA0 Main PUSH EBX
"754F6FA1 Main CALL <JMP. & Ntdll.wcscpy_s>;"
754F6FA6 Main ADD ESP,0C
754F6FA9 Main CMP WORD PTR DS: [EDI], 40
754F6FAD Main JNZ KERNELBA.754F707F
754F6FB3 Main PUSH ESI
"754F6FB4 Principal MOV ESI, DWORD PTR DS: [<& ntdll.wcschr>];"
"754F6FBA Main PUSH 5C;"
"754F6FBC Main PUSH EDI;"
"754F6FBD Main CALL ESI;"
"754F6FBF Main POP ECX;"
"754F6FC0 Main POP ECX;"
754F6FC1 TEST EAX principal, EAX
754F6FC3 Main JNZ KERNELBA.754F707E
754F6FC9 Main PUSH 2F
754F6FCB Main PUSH EDI
"754F6FCC Main CALL ESI;"
"754F6FCE Main POP ECX;"
"754F6FCF Main POP ECX;"
754F6FD0 TEST principal EAX, EAX
754F6FD2 Main JNZ KERNELBA.754F707E
754F6FD8 Main PUSH 2C
754F6FDA Main PUSH EDI
"754F6FDB Main CALL ESI;"
"754F6FDD Principal MOV ESI, EAX;"
"754F6FDF Main POP ECX;"
"754F6FE0 Main POP ECX;"
754F6FE1 Principal TEST ESI, ESI
754F6FE3 Principal JE KERNELBA.754F707E
754F6FE9 Main CMP WORD PTR DS: [ESI + 2], 2D
754F6FEE Main JNZ KERNELBA.754F707E
"754F6FF4 Principal LEA EAX, DWORD PTR DS: [ESI + 4];"
754F6FF7 Main PUSH EAX
"754F6FF8 Principal LEA EAX, DWORD PTR SS: [EBP-218];"
754F6FFE Main PUSH EAX
754F6FFF Main CALL DWORD PTR DS: [<& ntdll.RtlInitUnicodeSt
"754F7005 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
754F700B Main PUSH EAX
754F700C Main PUSH 0A
"754F700E Principal LEA EAX, DWORD PTR SS: [EBP-218];"
754F7014 Main PUSH EAX
754F7015 Main CALL DWORD PTR DS: [<& ntdll.RtlUnicodeString
754F701B TEST EAX principal, EAX
754F701D Main JL SHORT KERNELBA.754F707E
"754F701F Main CALL KERNELBA.KernelBaseGetGlobalData;"
"754F7024 Principal SUB ESI, EDI;"
"754F7026 Main ADD EAX, 3C;"
"754F7029 Principal LEA ECX, DWORD PTR DS: [EDI + 2];"
754F702C Main PUSH ECX
"754F702D Principal SAR ESI, 1;"
"754F702F Main DEC ESI;"
754F7030 Main PUSH ESI
754F7031 Main PUSH DWORD PTR DS: [EAX + 4]
"754F7034 Principal LEA EAX, DWORD PTR SS: [EBP-20C];"
754F703A Main PUSH KERNELBA.754F7090
754F703F Main PUSH 208
754F7044 Main PUSH EAX
"754F7045 Main CALL KERNELBA.754ED42B;"
754F704A Main ADD ESP,18
754F704D TEST EAX principal, EAX
754F704F Main JL SHORT KERNELBA.754F707E
"754F7051 Main PUSH 2;"
"754F7053 Main PUSH 0;"
"754F7055 Principal LEA EAX, DWORD PTR SS: [EBP-20C];"
"754F705B Main PUSH EAX;"
"754F705C Main CALL KERNELBA.LoadLibraryExW;"
"754F7061 Principal MOV ESI, EAX;"
754F7063 TEST Principal ESI, ESI
754F7065 Principal JE SHORT KERNELBA.754F707E
754F7067 Main PUSH 0
754F7069 Main PUSH 20
754F706B Main PUSH EBX
754F706C Main PUSH DWORD PTR SS: [EBP-210]
754F7072 Main PUSH ESI
"754F7073 Main CALL KERNELBA.LoadStringBaseExW;"
"754F7078 Main PUSH ESI;"
"754F7079 Main CALL KERNELBA.FreeLibrary;"
"754F707E Main POP ESI;"
"754F707F MOV principal ECX, DWORD PTR SS: [EBP-4];"
"754F7082 Main POP EDI;"
"754F7083 Main XOR ECX, EBP;"
"754F7085 Main POP EBX;"
754F7086 Principal CALL KERNELBA.754E68A6
"754F708B Main LEAVE;"
"754F708C Main RETN 8;"
"754F6E49 Main POP EBP;"
"754F6E4A Main RETN 4;"
754FAEA0 Main PUSH EBP
"754FAEA1 Main MOV EBP,ESP ;"
754FAEA3 Main PUSH 1
754FAEA5 Main PUSH DWORD PTR SS: [EBP + 8]
"754FAEA8 Main CALL KERNELBA.754FC37C;"
754FC3F5 EDI principal MOV, EDI
754FC3F7 Main PUSH EBP
"754FC3F8 Main MOV EBP,ESP ;"
754FC3FA Main PUSH ESI
754FC3FB Main PUSH EDI
754FC3FC Principal MOV EAX, DWORD PTR SS: [EBP + 8]
"754FC3FF Principal MOV ECX, DWORD PTR DS: [EAX];"
"754FC401 Principal MOV EDX, DWORD PTR SS: [EBP + C];"
754FC404 Principal MOV DWORD PTR DS: [EDX], ECX
"754FC406 Principal MOV ECX, DWORD PTR DS: [EAX + 54];"
754FC409 Principal MOV DWORD PTR DS: [EDX + 54], ECX
"754FC40C Principal MOV ECX, DWORD PTR DS: [EAX + A8];"
754FC412 Principal MOV DWORD PTR DS: [EDX + A8], ECX
"754FC418 Main MOV CX,WORD PTR DS:[EAX+44] ;"
754FC41C Main MOV WORD PTR DS:[EDX+44],CX
"754FC420 Main MOV CX,WORD PTR DS:[EAX+46] ;"
754FC424 Main MOV WORD PTR DS:[EDX+46],CX
"754FC428 Main MOV CX,WORD PTR DS:[EAX+52] ;"
754FC42C Main MOV WORD PTR DS:[EDX+48],CX
"754FC430 Main MOV CX,WORD PTR DS:[EAX+48] ;"
754FC434 Main MOV WORD PTR DS:[EDX+4A],CX
"754FC438 Main MOV CX,WORD PTR DS:[EAX+4A] ;"
754FC43C Main MOV WORD PTR DS:[EDX+4C],CX
"754FC440 Main MOV CX,WORD PTR DS:[EAX+4C] ;"
754FC444 Main MOV WORD PTR DS:[EDX+4E],CX
754FC448 Main MOV CX,WORD PTR DS:[EAX+4E]
754FC44C Main MOV WORD PTR DS:[EDX+50],CX
"754FC450 Main MOV CX,WORD PTR DS:[EAX+50] ;"
754FC454 Main MOV WORD PTR DS:[EDX+52],CX
"754FC458 Main MOV CX,WORD PTR DS:[EAX+98] ;"
754FC45F Main MOV WORD PTR DS:[EDX+98],CX
"754FC466 Main MOV CX,WORD PTR DS:[EAX+9A] ;"
754FC46D Main MOV WORD PTR DS:[EDX+9A],CX
"754FC474 Main MOV CX,WORD PTR DS:[EAX+A6] ;"
754FC47B Main MOV WORD PTR DS:[EDX+9C],CX
"754FC482 Main MOV CX,WORD PTR DS:[EAX+9C] ;"
754FC489 Main MOV WORD PTR DS:[EDX+9E],CX
"754FC490 Main MOV CX,WORD PTR DS:[EAX+9E] ;"
754FC497 Main MOV WORD PTR DS:[EDX+A0],CX
"754FC49E Main MOV CX,WORD PTR DS:[EAX+A0] ;"
754FC4A5 Main MOV WORD PTR DS:[EDX+A2],CX
754FC4AC Main MOV CX,WORD PTR DS:[EAX+A2]
754FC4B3 Main MOV WORD PTR DS:[EDX+A4],CX
"754FC4BA Main MOV CX,WORD PTR DS:[EAX+A4] ;"
754FC4C1 Main PUSH 40
754FC4C3 Main MOV WORD PTR DS:[EDX+A6],CX
"754FC4CA Main POP ECX;"
"754FC4CB Principal LEA ESI, DWORD PTR DS: [EAX + AC];"
"754FC4D1 Principal LEA EDI, DWORD PTR DS: [EDX + AC];"
754FC4D7 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FC4D9 Principal MOV AL, BYTE PTR DS: [EAX + 1AC];"
"754FC4DF Main POP EDI;"
754FC4E0 Principal MOV BYTE PTR DS: [EDX + 1AC], AL
"754FC4E6 Main POP ESI;"
"754FC4E7 Main POP EBP;"
"754FC4E8 Main RETN 8;"
"754FAEAD Main POP EBP;"
"754FAEAE Main RETN 4;"
755045D4 Main PUSH EBP
"755045D5 Main MOV EBP,ESP ;"
755045D7 Main PUSH ESI
755045D8 Main PUSH DWORD PTR SS: [EBP + 20]
"755045DB Principal XOR ESI, ESI;"
755045DD Main PUSH DWORD PTR SS: [EBP + 1C]
"755045E0 Principal INC ESI;"
755045E1 Main PUSH DWORD PTR SS: [EBP + 18]
755045E4 Main PUSH DWORD PTR SS: [EBP + 14]
755045E7 Main PUSH DWORD PTR SS: [EBP + 10]
755045EA Main PUSH DWORD PTR SS: [EBP + C]
755045ED Main PUSH DWORD PTR SS: [EBP + 8]
755045F0 Main CALL DWORD PTR DS: [<& ntdll.RtlGetFileMUIPat
755045F6 Principal TEST EAX, EAX
755045F8 Main JL SHORT KERNELBA.75504601
"755045FA Principal MOV EAX, ESI;"
"755045FC Main POP ESI;"
"755045FD Main POP EBP;"
"755045FE Main RETN 1C;"
754FC14D Main PUSH EBP
"754FC14E Main MOV EBP,ESP ;"
754FC150 Principal XOR EAX, EAX
754FC152 TEST principal ECX, ECX
754FC154 Principal JE SHORT KERNELBA.754FC15F
754FC156 Main CMP ECX, DWORD PTR SS: [EBP + 8]
754FC159 Main JA SHORT KERNELBA.754FC15F
"754FC15B Main POP EBP;"
"754FC15C Main RETN 4;"
754FC0CE Main PUSH EBP
"754FC0CF Main MOV EBP,ESP ;"
754FC0D1 Main PUSH EBX
"754FC0D2 Principal MOV EBX, DWORD PTR SS: [EBP + C];"
754FC0D5 Main PUSH ESI
754FC0D6 Principal MOV ESI, EAX
754FC0D8 Main PUSH EDI
"754FC0D9 Principal XOR EAX, EAX;"
"754FC0DB Principal XOR EDI, EDI;"
754FC0DD TEST PRINCIPAL ESI, ESI
754FC0DF Principal JE SHORT KERNELBA.754FC117
754FC0E1 Main CMP DWORD PTR SS: [EBP + 10], EAX
754FC0E4 Principal JE SHORT KERNELBA.754FC0FE
"754FC0E6 Principal MOVZX EDX, WORD PTR DS: [EBX];"
754FC0E9 TEST principal DX, DX
754FC0EC Principal JE SHORT KERNELBA.754FC0FE
754FC0EE Main MOV WORD PTR DS: [ECX], DX
"754FC0F1 Main INC ECX;"
"754FC0F2 Main INC ECX;"
"754FC0F3 Principal INC EBX;"
"754FC0F4 Main INC EBX;"
"754FC0F5 Main DEC ESI;"
754FC0F6 Principal DEC DWORD PTR SS: [EBP + 10]
"754FC0F9 Principal INC EDI;"
754FC0FA Main TEST ESI, ESI
"754FC0FC Main JNZ SHORT KERNELBA.754FC0E1;"
754FC0FE Main TEST ESI, ESI
754FC100 Principal JE SHORT KERNELBA.754FC117
754FC102 Principal XOR EDX, EDX
754FC104 Main MOV WORD PTR DS: [ECX], DX
"754FC107 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754FC10A TEST principal ECX, ECX
754FC10C Principal JE SHORT KERNELBA.754FC110
754FC10E Principal MOV DWORD PTR DS: [ECX], EDI
"754FC110 Main POP EDI;"
"754FC111 Main POP ESI;"
"754FC112 Main POP EBX;"
"754FC113 Main POP EBP;"
"754FC114 Main RETN 0C;"
754F798C Main PUSH DWORD PTR DS: [75525034]
"754F7992 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754F7998 Main RETN;"
"KiFastSystemCallR> RETN;"
"GetThreadLocale MOV EAX, DWORD PTR FS: [18];"
"754E9218 Principal MOV EAX, DWORD PTR DS: [EAX + C4];"
"754E921E Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EFC49 Main PUSH DWORD PTR DS: [75525034]
"754EFC4F Principal CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFC55 Main RETN;"
754EFA9D Main PUSH DWORD PTR DS: [75525034]
"754EFAA3 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFAA9 Main RETN;"
754EFAAF Main PUSH DWORD PTR DS: [75525034]
"754EFAB5 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFABB Main RETN;"
754EE815 Main PUSH DWORD PTR DS: [75525034]
"754EE81B Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EE821 Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
lstrlenA PUSH 8
754E7375 Main PUSH KERNELBA.754E73B0
"754E737A Main CALL KERNELBA.754E16A0;"
"754E737F MOV principal EAX, DWORD PTR SS: [EBP + 8];"
754E7382 TEST principal EAX, EAX
754E7384 Principal JE SHORT KERNELBA.754E73A5
754E7386 Main AND DWORD PTR SS: [EBP-4], 0
"754E738A Principal LEA EDX, DWORD PTR DS: [EAX + 1];"
"754E738D Principal MOV CL, BYTE PTR DS: [EAX];"
"754E738F Main INC EAX;"
754E7390 Main TEST CL, CL
"754E7392 Main JNZ SHORT KERNELBA.754E738D;"
"754E7394 Principal SUB EAX, EDX;"
754E7396 Principal MOV DWORD PTR SS: [EBP-4], - 2
"754E739D Main CALL KERNELBA.754E17F0;"
"754E73A2 Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EC1CA Main PUSH DWORD PTR DS: [75525034]
"754EC1D0 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EC1D6 Main RETN;"
SwitchToThread CALL DWORD PTR DS: [<& ntdll.NtYieldExecution
"ZwYieldExecution MOV EAX, 190;"
"754EC2D4 00000DEC XOR ECX, ECX;"
754EC2D6 00000DEC CMP EAX, 40000024
"754EC2DB 00000DEC SETNE CL;"
"754EC2DE 00000DEC MOV EAX, ECX;"
"754EC2E0 00000DEC RETN;"
"KiFastSystemCallR> RETN;"
754EE32D Main PUSH EBP
"754EE32E Main MOV EBP,ESP ;"
754EE330 Main PUSH DWORD PTR SS: [EBP + 18]
754EE333 Main PUSH DWORD PTR SS: [EBP + 14]
754EE336 Main PUSH DWORD PTR SS: [EBP + 10]
754EE339 Main PUSH DWORD PTR SS: [EBP + C]
754EE33C Main PUSH DWORD PTR SS: [EBP + 8]
754EE33F Main CALL DWORD PTR DS: [<& ntdll.NtQuerySecurityO
754EE345 TEST EAX principal, EAX
754EE347 Main JGE SHORT KERNELBA.754EE355
"754EE349 Main PUSH EAX;"
"754EE34A Main CALL KERNELBA.754E6BA5;"
"754EE34F Principal XOR EAX, EAX;"
"754EE351 Main POP EBP;"
"754EE352 Main RETN 14;"
754EE355 Principal XOR EAX, EAX
"754EE357 Main INC EAX;"
"754EE358 Main JMP SHORT KERNELBA.754EE351;"
"KiFastSystemCallR> RETN;"
"754E1818 00000630 POP EBP;"
"754E1819 00000630 RETN 4;"
[17:50:18] Thread 000005A4 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:50:48] Thread 00000630 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754F41BA Main PUSH EBP
"754F41BB Main MOV EBP,ESP ;"
754F41BD Main PUSH DWORD PTR SS: [EBP + C]
"754F41C0 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754F41C3 ADD EAX, EAX;"
754F41C5 Main PUSH EAX
754F41C6 Principal CALL DWORD PTR DS: [<& ntdll.RtlGetCurrentDir
"754F41CC Main SHR EAX, 1;"
"754F41CE Main POP EBP;"
"754F41CF Main RETN 8;"
"FreeResource XOR EAX, EAX;"
"754E917A Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754FCAA4 EDI principal MOV, EDI
754FCAA6 Main PUSH EBP
"754FCAA7 Main MOV EBP,ESP ;"
754FCAA9 Principal MOV EAX, DWORD PTR SS: [EBP + 8]
"754FCAAC Principal MOV ECX, DWORD PTR DS: [EAX];"
"754FCAAE Principal MOV EDX, DWORD PTR SS: [EBP + C];"
754FCAB1 Principal MOV DWORD PTR DS: [EDX], ECX
"754FCAB3 Principal MOV ECX, DWORD PTR DS: [EAX + 54];"
754FCAB6 Principal MOV DWORD PTR DS: [EDX + 54], ECX
"754FCAB9 Principal MOV ECX, DWORD PTR DS: [EAX + A8];"
754FCABF Principal MOV DWORD PTR DS: [EDX + A8], ECX
754FCAC5 Main PUSH ESI
754FCAC6 Main PUSH EDI
754FCAC7 Main PUSH 10
"754FCAC9 Main POP ECX;"
754FCACA Main PUSH 10
"754FCACC Main LEA ESI, DWORD PTR DS: [EAX + 4];"
"754FCACF Main LEA EDI, DWORD PTR DS: [EDX + 4];"
754FCAD2 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FCAD4 Main POP ECX;"
"754FCAD5 Principal LEA ESI, DWORD PTR DS: [EAX + 58];"
"754FCAD8 Principal LEA EDI, DWORD PTR DS: [EDX + 58];"
754FCADB Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
754FCADD Main MOV CX,WORD PTR DS:[EAX+44]
754FCAE1 Main MOV WORD PTR DS:[EDX+44],CX
"754FCAE5 Main MOV CX,WORD PTR DS:[EAX+46] ;"
754FCAE9 Main MOV WORD PTR DS:[EDX+46],CX
"754FCAED Main MOV CX,WORD PTR DS:[EAX+48] ;"
754FCAF1 Main MOV WORD PTR DS:[EDX+52],CX
"754FCAF5 Main MOV CX,WORD PTR DS:[EAX+4A] ;"
754FCAF9 Main MOV WORD PTR DS:[EDX+48],CX
"754FCAFD Main MOV CX,WORD PTR DS:[EAX+4C] ;"
754FCB01 Main MOV WORD PTR DS:[EDX+4A],CX
"754FCB05 Main MOV CX,WORD PTR DS:[EAX+4E] ;"
754FCB09 Main MOV WORD PTR DS:[EDX+4C],CX
754FCB0D Main MOV CX,WORD PTR DS:[EAX+50]
754FCB11 Main MOV WORD PTR DS:[EDX+4E],CX
"754FCB15 Main MOV CX,WORD PTR DS:[EAX+52] ;"
754FCB19 Main MOV WORD PTR DS:[EDX+50],CX
"754FCB1D Main MOV CX,WORD PTR DS:[EAX+98] ;"
754FCB24 Main MOV WORD PTR DS:[EDX+98],CX
"754FCB2B Main MOV CX,WORD PTR DS:[EAX+9A] ;"
754FCB32 Main MOV WORD PTR DS:[EDX+9A],CX
"754FCB39 Main MOV CX,WORD PTR DS:[EAX+9C] ;"
754FCB40 Main MOV WORD PTR DS:[EDX+A6],CX
"754FCB47 Main MOV CX,WORD PTR DS:[EAX+9E] ;"
754FCB4E Main MOV WORD PTR DS:[EDX+9C],CX
"754FCB55 Main MOV CX,WORD PTR DS:[EAX+A0] ;"
754FCB5C Main MOV WORD PTR DS:[EDX+9E],CX
"754FCB63 Main MOV CX,WORD PTR DS:[EAX+A2] ;"
754FCB6A Main MOV WORD PTR DS:[EDX+A0],CX
754FCB71 Main MOV CX,WORD PTR DS:[EAX+A4]
754FCB78 Main MOV WORD PTR DS:[EDX+A2],CX
"754FCB7F Main MOV CX,WORD PTR DS:[EAX+A6] ;"
754FCB86 Main PUSH 40
754FCB88 Main MOV WORD PTR DS:[EDX+A4],CX
"754FCB8F Main POP ECX;"
"754FCB90 Main LEA ESI, DWORD PTR DS: [EAX + AC];"
"754FCB96 Principal LEA EDI, DWORD PTR DS: [EDX + AC];"
754FCB9C Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FCB9E Principal MOV AL, BYTE PTR DS: [EAX + 1AC];"
"754FCBA4 Main POP EDI;"
754FCBA5 Principal MOV BYTE PTR DS: [EDX + 1AC], AL
"754FCBAB Main POP ESI;"
"754FCBAC Main POP EBP;"
"754FCBAD Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EF25F Main PUSH EBP
"754EF260 Main MOV EBP,ESP ;"
754EF262 Main PUSH 0
754EF264 Main PUSH DWORD PTR SS: [EBP + 14]
754EF267 Main PUSH DWORD PTR SS: [EBP + 10]
754EF26A Main PUSH DWORD PTR SS: [EBP + C]
754EF26D Main PUSH DWORD PTR SS: [EBP + 8]
"754EF270 Main CALL KERNELBA.LoadStringBaseExW;"
"754EF275 Main POP EBP;"
"754EF276 Main RETN 10;"
754F818C Main PUSH EBP
"754F818D Main MOV EBP,ESP ;"
754F818F Main PUSH DWORD PTR SS: [EBP + 8]
754F8192 Main PUSH 1
754F8194 Main CALL DWORD PTR DS: [<& ntdll.RtlWow64EnableFs
754F819A TEST EAX principal, EAX
754F819C Principal JGE SHORT KERNELBA.754F81AA
"754F819E Main PUSH EAX;"
"754F819F Main CALL KERNELBA.754E6BA5;"
"754F81A4 Principal XOR EAX, EAX;"
"754F81A6 Main POP EBP;"
"754F81A7 Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 000005D8 RETN 8;"
"KiFastSystemCallR> RETN;"
FormatMessageW MOV EDI,EDI
754EECA2 Main PUSH EBP
"754EECA3 Main MOV EBP,ESP ;"
754EECA5 Main PUSH DWORD PTR SS: [EBP + 20]
754EECA8 Main PUSH DWORD PTR SS: [EBP + 1C]
754EECAB Main PUSH DWORD PTR SS: [EBP + 18]
754EECAE Main PUSH DWORD PTR SS: [EBP + 14]
754EECB1 Main PUSH DWORD PTR SS: [EBP + 10]
754EECB4 Main PUSH DWORD PTR SS: [EBP + C]
754EECB7 Main PUSH DWORD PTR SS: [EBP + 8]
754EECBA Main PUSH 0
"754EECBC Main CALL KERNELBA.754EEACC;"
"754EECC1 Main POP EBP;"
"754EECC2 Main RETN 1C;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
[17:51:37] Exceção 000006BA
754E845D 00000124 LEAVE
"774F6BC9 00000124 MOV ECX,DWORD PTR SS:[ESP+4] ;"
75504E5F Main PUSH EBP
"75504E60 Main MOV EBP,ESP ;"
75504E62 Main PUSH 1
75504E64 Main PUSH DWORD PTR SS: [EBP + 10]
75504E67 Main PUSH DWORD PTR SS: [EBP + C]
75504E6A Main PUSH DWORD PTR SS: [EBP + 8]
"75504E6D Main CALL KERNELBA.754FC63A;"
"75504E72 Main POP EBP;"
"75504E73 Main RETN 0C;"
754FFE14 EDI MOV principal, EDI
754FFE16 Main PUSH EBP
"754FFE17 Main MOV EBP,ESP ;"
754FFE19 Main PUSH ESI
"754FFE1A Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
"754FFE1D Principal MOV ECX, DWORD PTR DS: [ESI];"
754FFE1F CMP principal ECX, 9
754FFE22 Main JA SHORT KERNELBA.754FFE71
754FFE24 Main CMP DWORD PTR DS: [ESI + 4], 1
754FFE28 Main JA SHORT KERNELBA.754FFE71
754FFE2A Main CMP DWORD PTR DS: [ESI + 8], 270F
754FFE31 Main JA SHORT KERNELBA.754FFE71
754FFE33 Main CMP DWORD PTR DS: [ESI + 14], 4
754FFE37 Main JA SHORT KERNELBA.754FFE71
"754FFE39 Principal MOV EAX, DWORD PTR DS: [ESI + C];"
754FFE3C TEST EAX principal, EAX
754FFE3E Principal JE SHORT KERNELBA.754FFE71
"754FFE40 Main XOR EDX, EDX;"
754FFE42 TEST PRINCIPAL ECX, ECX
754FFE44 Main SETNE DL
754FFE47 Main PUSH EDX
754FFE48 Main PUSH 4
754FFE4A Main PUSH EAX
"754FFE4B Main CALL KERNELBA.754FFE7A;"
754FFE50 TEST EAX principal, EAX
754FFE52 Principal JE SHORT KERNELBA.754FFE71
"754FFE54 Principal MOV ESI, DWORD PTR DS: [ESI + 10];"
754FFE57 TEST PRINCIPAL ESI, ESI
754FFE59 Principal JE SHORT KERNELBA.754FFE71
754FFE5B Main PUSH 0
754FFE5D Main PUSH 4
754FFE5F Main PUSH ESI
754FFE60 Main CALL KERNELBA.754FFE7A
754FFE65 TEST EAX principal, EAX
754FFE67 Principal JE SHORT KERNELBA.754FFE71
"754FFE69 Principal XOR EAX, EAX;"
"754FFE6B Main INC EAX;"
"754FFE6C Main POP ESI;"
"754FFE6D Main POP EBP;"
"754FFE6E Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000124 RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000124 RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
[17:51:46] Thread 00000E78 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000CB0 RETN 8;"
KiFastSystemCallR> DIR
"774F658C 00000CB0 RETN 8;"
KiFastSystemCallR> DIR
"774F658C 00000CB0 RETN 8;"
"KiFastSystemCallR> RETN;"
"774F658C 00000CB0 RETN 8;"
[17:51:51] Thread 00000C48 encerrado, código de saída 0
[17:52:43] Thread 00000C3C encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:52:53] Thread 000008D8 terminou, exit code 0
"KiFastSystemCallR> RETN;"
[17:52:53] Thread 00000770 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:52:53] Thread 00000124 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:52:53] Thread 000005D8 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:52:53] Thread 00000CB0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:52:55] Thread 00000FA0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:53:51] Thread 00000A04 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:55:21] Thread 000007C0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:56:04] Thread 00000FF8 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:56:46] Thread 00000710 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:58:21] Thread 00000AD0 encerrado, código de saída 0
KiFastSystemCallR> DIR
Executar o traçado fechado

dados de um arquivo comprado mas com outro mac

"Endereço Thread Command;"
"754E845E Main RETN 10;"
754E16A0 Main PUSH KERNELBA.755006BD
754E16A5 Main PUSH DWORD PTR FS: [0]
"754E16AC Main MOV EAX,DWORD PTR SS:[ESP+10] ;"
754E16B0 Main MOV DWORD PTR SS:[ESP+10],EBP
"754E16B4 Main LEA EBP,DWORD PTR SS:[ESP+10] ;"
754E16B8 Main SUB ESP,EAX
754E16BA Main PUSH EBX
754E16BB Main PUSH ESI
754E16BC Main PUSH EDI
"754E16BD Principal MOV EAX, DWORD PTR DS: [755259A0];"
754E16C2 Principal XOR DWORD PTR SS: [EBP-4], EAX
"754E16C5 Principal XOR EAX, EBP;"
754E16C7 Main PUSH EAX
754E16C8 Main MOV DWORD PTR SS:[EBP-18],ESP
754E16CB Main PUSH DWORD PTR SS: [EBP-8]
"754E16CE Principal MOV EAX, DWORD PTR SS: [EBP-4];"
754E16D1 Principal MOV DWORD PTR SS: [EBP-4], - 2
754E16D8 Principal MOV DWORD PTR SS: [EBP-8], EAX
"754E16DB Principal LEA EAX, DWORD PTR SS: [EBP-10];"
754E16DE Principal MOV DWORD PTR FS: [0], EAX
"754E16E4 Main RETN;"
754E7B1E Main CMP BYTE PTR SS: [EBP-19], 0
754E7B22 Principal JE SHORT KERNELBA.754E7B2F
754E7B24 Main PUSH DWORD PTR SS: [EBP-24]
754E7B27 Main PUSH 1
754E7B29 Principal CALL DWORD PTR DS: [<& ntdll.LdrUnlockLoaderL
"754E7B2F Main RETN;"
"754E17F0 Principal MOV ECX, DWORD PTR SS: [EBP-10];"
754E17F3 Principal MOV DWORD PTR FS: [0], ECX
"754E17FA Main POP ECX;"
"754E17FB POP EDI principal;"
"754E17FC POP POP EDI;"
"754E17FD Main POP ESI;"
"754E17FE Main POP EBX;"
754E17FF Main MOV ESP,EBP
"754E1801 Main POP EBP;"
754E1802 Main PUSH ECX
"754E1803 Main RETN;"
"GetCurrentThreadI> MOV EAX, DWORD PTR FS: [18];"
"754E6831 Principal MOV EAX, DWORD PTR DS: [EAX + 24];"
"754E6834 Main RETN;"
754E6C51 Main PUSH KERNELBA.755006BD
754E6C56 Main PUSH DWORD PTR FS: [0]
"754E6C5D Main MOV EAX,DWORD PTR SS:[ESP+10] ;"
754E6C61 Main MOV DWORD PTR SS:[ESP+10],EBP
"754E6C65 Main LEA EBP,DWORD PTR SS:[ESP+10] ;"
754E6C69 Main SUB ESP,EAX
754E6C6B Main PUSH EBX
754E6C6C Main PUSH ESI
754E6C6D Main PUSH EDI
"754E6C6E Principal MOV EAX, DWORD PTR DS: [755259A0];"
754E6C73 Principal XOR DWORD PTR SS: [EBP-4], EAX
"754E6C76 Principal XOR EAX, EBP;"
754E6C78 Principal MOV DWORD PTR SS: [EBP-1C], EAX
754E6C7B Main PUSH EAX
754E6C7C Main MOV DWORD PTR SS:[EBP-18],ESP
754E6C7F Main PUSH DWORD PTR SS: [EBP-8]
"754E6C82 Principal MOV EAX, DWORD PTR SS: [EBP-4];"
754E6C85 Principal MOV DWORD PTR SS: [EBP-4], - 2
754E6C8C Principal MOV DWORD PTR SS: [EBP-8], EAX
"754E6C8F LEA principal EAX, DWORD PTR SS: [EBP-10];"
754E6C92 Principal MOV DWORD PTR FS: [0], EAX
"754E6C98 Main RETN;"
"KernelBaseGetGlob> MOV EAX, KERNELBA.755250F0;"
"754E68A0 Main RETN;"
"IsDebuggerPresent MOV EAX, DWORD PTR FS: [18];"
"754EFC6C Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
"754EFC6F Principal MOVZX EAX, BYTE PTR DS: [EAX + 2];"
"754EFC73 Main RETN;"
"GetProcessHeap MOV EAX, DWORD PTR FS: [18];"
"754E68EF 000009E8 MOV EAX, DWORD PTR DS: [EAX + 30];"
"754E68F2 000009E8 MOV EAX, DWORD PTR DS: [EAX + 18];"
"754E68F5 000009E8 RETN;"
754E6BA5 000009E8 MOV EDI, EDI
754E6BA7 000009E8 PUSH EBP
"754E6BA8 000009E8 MOV EBP,ESP ;"
754E6BAA 000009E8 PUSH ESI
754E6BAB 000009E8 PUSH DWORD PTR SS: [EBP + 8]
754E6BAE 000009E8 CALL DWORD PTR DS: [<& ntdll.RtlNtStatusToDos
"754E6BB4 000009E8 MOV ESI, EAX;"
754E6BB6 000009E8 PUSH ESI
754E6BB7 000009E8 CALL DWORD PTR DS: [<& ntdll.RtlSetLastWin32E
"754E6BBD 000009E8 MOV EAX, ESI;"
"754E6BBF 000009E8 POP ESI;"
"754E6BC0 000009E8 POP EBP ;"
"754E6BC1 000009E8 RETN 4 ;"
"GetLastError MOV EAX,DWORD PTR FS:[18] ;"
"754E68BE 000009E8 MOV EAX,DWORD PTR DS:[EAX+34] ;"
"754E68C1 000009E8 RETN ;"
GetSystemInfo MOV EDI,EDI
754EA855 000009E8 PUSH EBP
"754EA856 000009E8 MOV EBP,ESP ;"
754EA858 000009E8 SUB ESP,38
754EA85B 000009E8 PUSH ESI
754EA85C 000009E8 MOV ESI,DWORD PTR DS:[<&ntdll.NtQuerySystem
"754EA862 000009E8 PUSH 0 ;"
"754EA864 000009E8 PUSH 2C ;"
"754EA866 000009E8 LEA EAX,DWORD PTR SS:[EBP-38] ;"
"754EA869 000009E8 PUSH EAX ;"
"754EA86A 000009E8 PUSH 0 ;"
"754EA86C 000009E8 CALL ESI ;"
754EA86E 000009E8 TEST EAX,EAX
754EA870 000009E8 JL SHORT KERNELBA.754EA892
"754EA872 000009E8 PUSH 0 ;"
"754EA874 000009E8 PUSH 0C ;"
"754EA876 000009E8 LEA EAX,DWORD PTR SS:[EBP-C] ;"
"754EA879 000009E8 PUSH EAX ;"
"754EA87A 000009E8 PUSH 1 ;"
"754EA87C 000009E8 CALL ESI ;"
754EA87E 000009E8 TEST EAX,EAX
754EA880 000009E8 JL SHORT KERNELBA.754EA892
754EA882 000009E8 PUSH DWORD PTR SS:[EBP+8]
"754EA885 000009E8 LEA EAX,DWORD PTR SS:[EBP-C] ;"
754EA888 000009E8 PUSH EAX
"754EA889 000009E8 LEA EAX, DWORD PTR SS: [EBP-38];"
754EA88C 000009E8 PUSH EAX
"754EA88D 000009E8 CHAMADA KERNELBA.754EA89C;"
"754EA892 000009E8 POP ESI;"
"754EA893 000009E8 LEAVE;"
"754EA894 000009E8 RETN 4;"
754EBF3F Main PUSH EBP
"754EBF40 Main MOV EBP,ESP ;"
"754EBF42 Main PUSH DWORD PTR SS: [EBP + 10];"
"754EBF45 Main PUSH DWORD PTR SS: [EBP + C];"
"754EBF48 Main PUSH DWORD PTR SS: [EBP + 8];"
"754EBF4B Main PUSH -1;"
"754EBF4D Main CALL KERNELBA.VirtualQueryEx ;"
"754EBF52 Main POP EBP;"
"754EBF53 Main RETN 0C;"
"GetCurrentProcess OU EAX, FFFFFFFF;"
"754E693A Main RETN;"
GetCurrentThread PUSH -2
"754E6942 Main POP EAX;"
754E6943 Main RETN
754E74B8 Main PUSH EBP
"754E74B9 Main MOV EBP,ESP ;"
754E74BB Main PUSH DWORD PTR SS: [EBP + 14]
754E74BE Main PUSH DWORD PTR SS: [EBP + 10]
754E74C1 Main PUSH DWORD PTR SS: [EBP + C]
754E74C4 Main PUSH DWORD PTR SS: [EBP + 8]
754E74C7 Main CALL DWORD PTR DS: [<& ntdll.NtOpenThreadToke
754E74CD TEST EAX principal, EAX
754E74CF Principal JGE SHORT KERNELBA.754E74DD
"754E74D1 Main PUSH EAX;"
"754E74D2 Main CALL KERNELBA.754E6BA5;"
"754E74D7 Main XOR EAX, EAX;"
"754E74D9 Main POP EBP;"
"754E74DA Main RETN 10;"
"GetCurrentProcess> MOV EAX, DWORD PTR FS: [18];"
"754E6988 Principal MOV EAX, DWORD PTR DS: [EAX + 20];"
"754E698B Main RETN;"
754E79A9 Main PUSH EBP
"754E79AA Main MOV EBP,ESP ;"
754E79AC Main PUSH DWORD PTR SS: [EBP + 14]
754E79AF Main PUSH DWORD PTR SS: [EBP + 10]
754E79B2 Main PUSH DWORD PTR SS: [EBP + C]
754E79B5 Main PUSH DWORD PTR SS: [EBP + 8]
754E79B8 Main PUSH -1
"754E79BA Main CALL KERNELBA.VirtualAllocEx ;"
"754E79BF Main POP EBP;"
"754E79C0 Main RETN 10;"
754E7A1E Main PUSH EBP
"754E7A1F Main MOV EBP,ESP ;"
754E7A21 Main PUSH DWORD PTR SS: [EBP + 10]
754E7A24 Main PUSH DWORD PTR SS: [EBP + C]
754E7A27 Main PUSH DWORD PTR SS: [EBP + 8]
754E7A2A Main PUSH -1
"754E7A2C Main CALL KERNELBA.VirtualFreeEx ;"
"754E7A31 Main POP EBP;"
"754E7A32 Main RETN 0C;"
75513B81 EDI MOV principal, EDI
75513B83 Main PUSH EBP
"75513B84 Main MOV EBP,ESP ;"
75513B86 Main PUSH ECX
"75513B87 Principal LEA EAX, DWORD PTR SS: [EBP-4];"
75513B8A Main PUSH EAX
75513B8B Main PUSH DWORD PTR SS: [EBP + 8]
"75513B8E Main CALL KERNELBA.754EB67A;"
75513B93 Main PUSH DWORD PTR SS: [EBP + 10]
75513B96 Main PUSH DWORD PTR SS: [EBP + C]
75513B99 Main PUSH DWORD PTR SS: [EBP-4]
75513B9C Main PUSH EAX
75513B9D Main PUSH DWORD PTR SS: [EBP + 8]
75513BA0 Main PUSH KERNELBA.754F20AC
75513BA5 Main PUSH KERNELBA.75525880
"75513BAA Main CALL KERNELBA.754EB5CB;"
"75513BAF Main LEAVE;"
"75513BB0 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
7551388F EDI MOV principal, EDI
75513891 Main PUSH EBP
"75513892 Main MOV EBP,ESP ;"
75513894 Main CMP DWORD PTR SS: [EBP + C], - 1
75513898 Main JNZ SHORT KERNELBA.755138A8
755138A8 Main PUSH DWORD PTR SS: [EBP + C]
755138AB Main PUSH KERNELBA.75525880
"755138B0 Main CALL KERNELBA.754EB4E5;"
"755138B5 Main POP EBP;"
"755138B6 Main RETN 8;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
754F0660 00000A28 MOV EDI, EDI
754F0662 00000A28 PUSH EBP
"754F0663 00000A28 MOV EBP,ESP ;"
754F0665 00000A28 PUSH ESI
754F0666 00000A28 MOV ESI, DWORD PTR SS: [EBP + 14]
"754F0669 00000A28 MOV EAX, DWORD PTR DS: [ESI];"
754F066B 00000A28 PUSH EDI
754F066C 00000A28 MOV EDI, DWORD PTR SS: [EBP + 10]
"754F066F 00000A28 ADICIONAR EAX, EAX;"
754F0671 00000A28 MOV DWORD PTR SS: [EBP + 14], EAX
"754F0674 00000A28 LEA EAX, DWORD PTR SS: [EBP + 14];"
754F0677 00000A28 PUSH EAX
754F0678 00000A28 PUSH EDI
754F0679 00000A28 PUSH DWORD PTR SS: [EBP + C]
754F067C 00000A28 PUSH DWORD PTR SS: [EBP + 8]
"754F067F 00000A28 CHAMAR KERNELBA.754F06B0;"
"754F0684 00000A28 MOV ECX, DWORD PTR SS: [EBP + 14];"
"754F0687 00000A28 SHR ECX, 1;"
754F0689 00000A28 MOV DWORD PTR DS: [ESI], ECX
754F068B 00000A28 TEST EAX, EAX
754F068D 00000A28 JL SHORT KERNELBA.754F069E
754F068F 00000A28 TEST ECX, ECX
754F0691 00000A28 JBE SHORT KERNELBA.754F06A4
754F0693 00000A28 CMP WORD PTR DS: [EDI + ECX * 2-2], 0
754F0699 00000A28 JNZ SHORT KERNELBA.754F06A4
"754F069B 00000A28 DEC ECX;"
754F069C 00000A28 MOV DWORD PTR DS: [ESI], ECX
754F069E 00000A28 POP EDI
754F069F 00000A28 POP ESI
"754F06A0 00000A28 POP EBP;"
"754F06A1 00000A28 RETN 10;"
EqualSid MOV EDI, EDI
754EAC74 00000A28 PUSH EBP
"754EAC75 00000A28 MOV EBP,ESP ;"
754EAC77 00000A28 PUSH 0
754EAC79 00000A28 CALL DWORD PTR DS: [<& ntdll.RtlSetLastWin32E
754EAC7F 00000A28 PUSH DWORD PTR SS: [EBP + C]
754EAC82 00000A28 PUSH DWORD PTR SS: [EBP + 8]
"754EAC85 00000A28 CALL DWORD PTR DS: [<& ntdll.RtlEqualSid>];"
754EAC8B 00000A28 MOVZX EAX, AL
"754EAC8E 00000A28 POP EBP;"
"754EAC8F 00000A28 RETN 8;"
754E7135 EDI MOV principal, EDI
754E7137 Main PUSH EBP
"754E7138 Main MOV EBP,ESP ;"
"754E713A Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754E713D Main PUSH 0C
"754E713F Main POP EDX;"
754E7140 TEST PRINCIPAL ECX, ECX
754E7142 Principal JE SHORT KERNELBA.754E7163
754E7144 Main PUSH ESI
754E7145 Main PUSH 0A
"754E7147 Main POP ESI;"
754E7148 Principal MOVZX EAX, WORD PTR DS: [ECX]
754E714B Main TEST AX, AX
754E714E Principal JE SHORT KERNELBA.754E7162
754E7150 PRINCIPAL TEST ESI, ESI
754E7152 Principal JE SHORT KERNELBA.754E7162
"754E7154 Main AND EAX, 0DF;"
"754E7159 ADD principal EDX, EDX;"
"754E715B Main XOR EDX, EAX;"
"754E715D Main INC ECX;"
"754E715E Main INC ECX;"
"754E715F Main DEC ESI;"
"754E7160 Main JMP SHORT KERNELBA.754E7148;"
"754E7162 Main POP ESI;"
"754E7163 MOV principal EAX, DWORD PTR SS: [EBP + C];"
"754E7166 Main SHR EAX, 8;"
"754E7169 Main XOR EDX, EAX;"
"754E716B MOV principal EAX, EDX;"
"754E716D SAR EAX principal, 8;"
"754E7170 ADD EAX, EDX;"
"754E7172 Main AND EAX, 7F;"
"754E7175 Main POP EBP;"
"754E7176 Main RETN 8;"
754ED049 EDI MOV principal, EDI
754ED04B Main PUSH EBP
"754ED04C Main MOV EBP,ESP ;"
754ED04E Principal MOV ECX, DWORD PTR SS: [EBP + 8]
754ED051 Main PUSH 0C
"754ED053 Main POP EDX;"
754ED054 TEST principal ECX, ECX
754ED056 Principal JE SHORT KERNELBA.754ED077
754ED058 Main PUSH ESI
754ED059 Main PUSH 0A
"754ED05B Main POP ESI;"
"754ED05C Principal MOVZX EAX, WORD PTR DS: [ECX];"
754ED05F Main TEST AX, AX
754ED062 Principal JE SHORT KERNELBA.754ED076
754ED064 Principal TEST ESI, ESI
754ED066 Principal JE SHORT KERNELBA.754ED076
"754ED068 Main AND EAX, 0DF;"
"754ED06D Main ADD EDX, EDX;"
"754ED06F Principal XOR EDX, EAX;"
"754ED071 Main INC ECX;"
"754ED072 Main INC ECX;"
"754ED073 Main DEC ESI;"
"754ED074 Main JMP SHORT KERNELBA.754ED05C;"
"754ED076 Main POP ESI;"
"754ED077 Principal MOV EAX, EDX;"
"754ED079 Principal SAR EAX, 8;"
"754ED07C ADD EAX, EDX;"
"754ED07E Main AND EAX, 7F;"
"754ED081 Main POP EBP;"
"754ED082 Main RETN 4;"
75521434 EDI MOV principal, EDI
75521436 Main PUSH EBX
"75521437 Main MOV EBX,ESP ;"
75521439 Main PUSH ECX
7552143A Main PUSH ECX
7552143B Principal E ESP, FFFFFFE0
7552143E ADD PRINCIPAL ESP, 4
75521441 Main PUSH EBP
"75521442 Principal MOV EBP, DWORD PTR DS: [EBX + 4];"
75521445 Main MOV DWORD PTR SS:[ESP+4],EBP
"75521449 Main MOV EBP,ESP ;"
7552144B Main SUB ESP,458
"75521451 Principal MOV EAX, DWORD PTR DS: [755259A0];"
"75521456 Main XOR EAX, EBP;"
75521458 Principal MOV DWORD PTR SS: [EBP-4], EAX
7552145B Main PUSH ESI
"7552145C Principal MOV ESI, DWORD PTR DS: [EBX + 8];"
7552145F Main PUSH EDI
"75521460 MOV Principal EDI, DWORD PTR DS: [EBX + C];"
"75521463 Main CALL KERNELBA.754F393A;"
75521468 TEST EAX principal, EAX
7552146A Main JNZ SHORT KERNELBA.75521473
75521473 Main PUSH 104
"75521478 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
7552147E Main PUSH EAX
7552147F Main PUSH 8
75521481 Main PUSH 10
75521483 Main PUSH DWORD PTR DS: [ESI + 4]
"75521486 Main CALL KERNELBA.754F4ABE;"
754ECF95 EDI MOV principal, EDI
754ECF97 Main PUSH EBP
"754ECF98 Main MOV EBP,ESP ;"
"754ECF9A MOV principal EDX, DWORD PTR SS: [EBP + C];"
"754ECF9D Principal XOR EAX, EAX;"
754ECF9F Main TEST EDX, EDX
754ECFA1 Principal JE SHORT KERNELBA.754ECFC5
754ECFA3 Main CMP EDX, 7FFFFFFF
754ECFA9 Main JA SHORT KERNELBA.754ECFC5
754ECFAB Principal TEST EAX, EAX
754ECFAD Principal JL SHORT KERNELBA.754ECFC1
"754ECFAF MOV principal EAX, DWORD PTR SS: [EBP + 10];"
754ECFB2 Principal MOV ECX, DWORD PTR SS: [EBP + 8]
754ECFB5 Main PUSH 7FFFFFFE
754ECFBA Main PUSH 0
"754ECFBC Main CALL KERNELBA.754ECF3C;"
"754ECFC1 Main POP EBP;"
"754ECFC2 Main RETN 0C;"
7552148B TEST EAX principal, EAX
7552148D Main JNZ SHORT KERNELBA.7552146C
7552148F Main PUSH 2E
"75521491 Main POP EAX;"
75521492 Main PUSH 0FB
75521497 Main MOV WORD PTR SS: [EBP-200], AX
"7552149E Principal LEA EAX, DWORD PTR SS: [EBP-1FE];"
755214A4 Main PUSH EAX
755214A5 Main PUSH 8
755214A7 Main PUSH 10
755214A9 Main PUSH DWORD PTR DS: [ESI + 8]
"755214AC Main CALL KERNELBA.754F4ABE;"
755214B1 TEST EAX principal, EAX
755214B3 Principal JNZ SHORT KERNELBA.7552146C
"755214B5 Principal XOR ESI, ESI;"
755214B7 Main PUSH ESI
755214B8 Main PUSH 1
"755214BA Principal LEA EAX, DWORD PTR SS: [EBP-440];"
755214C0 Principal MOV DWORD PTR SS: [EBP-444], EAX
755214C6 Main PUSH 214
"755214CB Principal LEA EAX, DWORD PTR SS: [EBP-444];"
755214D1 Main PUSH EAX
"755214D2 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
755214D8 Main PUSH EAX
755214D9 Main PUSH DWORD PTR DS: [75525944]
"755214DF Main CALL KERNELBA.754ED2F0;"
755214E4 TEST EAX principal, EAX
755214E6 Main JNZ SHORT KERNELBA.7552146C
"7552146C Principal XOR EAX, EAX;"
7552146E Principal JMP KERNELBA.7552151D
"7552151D Principal MOV ECX, DWORD PTR SS: [EBP-4];"
"75521520 POP EDI principal;"
"75521521 Principal XOR ECX, EBP;"
"75521523 Main POP ESI;"
75521524 Principal CALL KERNELBA.754E68A6
75521529 Main MOV ESP,EBP
"7552152B Main POP EBP;"
7552152C Main MOV ESP,EBX
"7552152E Main POP EBX;"
7552152F Main RETN 0C
754E7030 Main PUSH EBP
"754E7031 Main MOV EBP,ESP ;"
754E7033 Main PUSH ESI
"754E7034 Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
754E7037 TEST PRINCIPAL ESI, ESI
754E7039 Principal JE SHORT KERNELBA.754E7050
"754E703B Main CALL KERNELBA.754E6EA8;"
"754E7040 Principal MOV ECX, DWORD PTR DS: [EAX + 8];"
754E7043 Main CMP ECX, DWORD PTR DS: [ESI + 8]
754E7046 Main JNZ SHORT KERNELBA.754E7058
"754E7048 Principal MOV EAX, DWORD PTR DS: [EAX + 4];"
754E704B Principal CMP EAX, DWORD PTR DS: [ESI + 4]
754E704E Main JNZ SHORT KERNELBA.754E7058
"754E7050 Main XOR EAX, EAX;"
"754E7052 Main INC EAX;"
"754E7053 Main POP ESI;"
"754E7054 Main POP EBP;"
"754E7055 Main RETN 4;"
754F2B4F EDI MOV principal, EDI
754F2B51 Main PUSH EBP
"754F2B52 Main MOV EBP,ESP ;"
754F2B54 Principal XOR EAX, EAX
754F2B56 Main CMP DWORD PTR DS: [EAX * 4 + 75525E80], 0
754F2B5E Main JNZ SHORT KERNELBA.754F2B78
"754F2B78 Principal INC EAX;"
754F2B79 Principal CMP EAX, 0A
754F2B7C Main JGE SHORT KERNELBA.754F2B6A
754F2B7E Main JMP SHORT KERNELBA.754F2B56
"754F2B60 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754F2B63 Principal MOV DWORD PTR DS: [EAX * 4 + 75525E80], ECX
"754F2B6A Principal XOR ECX, ECX;"
754F2B6C Principal CMP EAX, 0A
"754F2B6F Main SETNE CL;"
754F2B72 Principal MOV EAX, ECX
"754F2B74 Main POP EBP;"
"754F2B75 Main RETN 4;"
754EB89E Main PUSH EBP
"754EB89F Main MOV EBP,ESP ;"
"754EB8A1 Principal MOV EDX, DWORD PTR SS: [EBP + 8];"
"754EB8A4 Principal MOV ECX, DWORD PTR DS: [754EB8E0];"
754EB8AA Principal MOVZX EAX, DL
"754EB8AD Main SHR EDX, 8;"
754EB8B0 Principal MOVZX EDX, DL
754EB8B3 Main PUSH ESI
"754EB8B4 Principal MOV ESI, DWORD PTR DS: [ECX + 30];"
"754EB8B7 Principal MOVZX EDX, WORD PTR DS: [ESI + EDX * 2];"
754EB8BB Main PUSH EDI
"754EB8BC MOV Principal EDI, EAX;"
"754EB8BE Main SHR EDX, 1;"
"754EB8C0 Main SHR EDI, 4;"
"754EB8C3 Main ADD EDX, EDI;"
"754EB8C5 Principal MOVZX EDX, WORD PTR DS: [ESI + EDX * 2];"
"754EB8C9 Main AND EAX, 0F;"
"754EB8CC Main ADD EDX, ESI;"
"754EB8CE Principal MOVZX EAX, BYTE PTR DS: [EAX + EDX];"
"754EB8D2 Principal IMUL EAX, EAX, 6;"
"754EB8D5 ADD principal EAX, DWORD PTR DS: [ECX + 2C];"
"754EB8D8 POP EDI principal;"
"754EB8D9 Main POP ESI;"
"754EB8DA Main POP EBP;"
"754EB8DB Main RETN 4;"
FindFirstFileW MOV EDI, EDI
754EB451 Main PUSH EBP
"754EB452 Main MOV EBP,ESP ;"
"754EB454 Principal XOR EAX, EAX;"
754EB456 Main PUSH EAX
754EB457 Main PUSH EAX
754EB458 Main PUSH EAX
754EB459 Main PUSH DWORD PTR SS: [EBP + C]
754EB45C Main PUSH EAX
754EB45D Main PUSH DWORD PTR SS: [EBP + 8]
"754EB460 Main CALL KERNELBA.FindFirstFileExW;"
"754EB465 Main POP EBP;"
"754EB466 Main RETN 8;"
"754EE014 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754EE017 Main ADD EAX, 1C;"
754EE01A Main PUSH EAX
754EE01B Principal CALL DWORD PTR DS: [<& ntdll.RtlLeaveCritical
"754EE021 Main RETN;"
"KiFastSystemCallR> RETN;"
754F1B31 Main PUSH EBP
"754F1B32 Main MOV EBP,ESP ;"
"754F1B34 Main PUSH DWORD PTR SS: [EBP + 14];"
"754F1B37 Main PUSH DWORD PTR SS: [EBP + 10];"
"754F1B3A Main PUSH DWORD PTR SS: [EBP + C];"
"754F1B3D Main PUSH DWORD PTR SS: [EBP + 8];"
"754F1B40 Main PUSH -1;"
"754F1B42 Main CALL KERNELBA.VirtualProtectEx ;"
"754F1B47 Main POP EBP;"
"754F1B48 Main RETN 10;"
"7551389A Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551389D ADD principal EAX, -0C;"
"755138A0 Main PUSH EAX;"
755138A1 Principal CALL KERNELBA.754E8E9D
754E8E9D EDI MOV principal, EDI
754E8E9F Main PUSH EBP
"754E8EA0 Main MOV EBP,ESP ;"
754E8EA2 Main PUSH DWORD PTR SS: [EBP + 8]
"754E8EA5 Principal MOV EAX, DWORD PTR FS: [18];"
"754E8EAB Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754E8EAE Main PUSH 0
754E8EB0 Main PUSH DWORD PTR DS: [EAX + 18]
"754E8EB3 Principal CALL DWORD PTR DS: [<& ntdll.RtlFreeHeap>];"
"754E8EB9 Main POP EBP;"
754E8EBA Main RETN 4
"755138A6 Main JMP SHORT KERNELBA.755138B5;"
754EBDC1 Main PUSH EBP
"754EBDC2 Main MOV EBP,ESP ;"
754EBDC4 Main PUSH ECX
754EBDC5 Main PUSH ECX
754EBDC6 Main PUSH DWORD PTR SS: [EBP + 8]
"754EBDC9 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EBDCC Main PUSH EAX
"754EBDCD Main CALL KERNELBA.754E8745;"
754EBDD2 TEST EAX principal, EAX
754EBDD4 Principal JE SHORT KERNELBA.754EBDF4
754EBDD6 Main PUSH ESI
"754EBDD7 Main PUSH DWORD PTR SS: [EBP + 10];"
"754EBDDA Main PUSH DWORD PTR SS: [EBP + C];"
"754EBDDD Main PUSH DWORD PTR SS: [EBP-4];"
"754EBDE0 Main CALL KERNELBA.LoadLibraryExW;"
"754EBDE5 Principal MOV ESI, EAX;"
"754EBDE7 Main LEA EAX, DWORD PTR SS: [EBP-8];"
754EBDEA Main PUSH EAX
754EBDEB Main CALL DWORD PTR DS: [<& ntdll.RtlFreeUnicodeSt
"754EBDF1 Principal MOV EAX, ESI;"
"754EBDF3 Main POP ESI;"
"754EBDF4 Main LEAVE;"
"754EBDF5 Main RETN 0C;"
754EE623 Main PUSH EBP
"754EE624 Main MOV EBP,ESP ;"
754EE626 Main PUSH ESI
754EE627 Main PUSH DWORD PTR SS: [EBP + 10]
754EE62A Principal XOR ESI, ESI
754EE62C Main PUSH DWORD PTR SS: [EBP + C]
754EE62F Main PUSH DWORD PTR SS: [EBP + 8]
"754EE632 Main CALL KERNELBA.754EE597;"
"754EE637 Main DEC EAX;"
754EE638 Principal JE SHORT KERNELBA.754EE653
"754EE63A Principal DEC EAX;"
754EE63B Principal JE SHORT KERNELBA.754EE650
754EE63D Main PUSH DWORD PTR SS: [EBP + 10]
754EE640 Main PUSH DWORD PTR SS: [EBP + C]
754EE643 Main PUSH DWORD PTR SS: [EBP + 8]
754EE646 Main PUSH ESI
"754EE647 Main CALL KERNELBA.754E8512;"
"754EBE7F Main PUSH DWORD PTR SS: [EBP-24];"
"754EBE82 Main PUSH DWORD PTR SS: [EBP-28];"
754EBE85 Main CALL KERNELBA.BaseReleaseProcessDllPath
BaseReleaseProces> MOV EDI, EDI
754EB544 Main PUSH EBP
"754EB545 Main MOV EBP,ESP ;"
"754EB547 Main PUSH DWORD PTR SS: [EBP + C];"
"754EB54A Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754EB54D Main ADD EAX, -4;"
"754EB550 Main PUSH EAX;"
"754EB551 Main CALL KERNELBA.7551388F;"
"754EB556 Main POP EBP;"
754EB557 Main RETN 8
"754EBE8A Main RETN;"
754EE64C TEST EAX principal, EAX
754EE64E Principal JE SHORT KERNELBA.754EE653
754EE653 Principal MOV EAX, ESI
754EE655 Main POP ESI
"754EE656 Main POP EBP;"
"754EE657 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"754E8A72 Principal MOV EAX, ECX;"
"754E8A74 Principal XOR ECX, ECX;"
754E8A76 Main PUSH ESI
754E8A77 Principal MOV ESI, EAX
754E8A79 Main CMP WORD PTR DS:[EAX],CX
754E8A7C Principal JE SHORT KERNELBA.754E8AF1
754E8A7E Main PUSH 2
"754E8A80 Main POP EDX;"
"754E8A81 ADD EAX, EDX;"
754E8A83 Main CMP WORD PTR DS:[EAX],CX
754E8A86 Principal JE SHORT KERNELBA.754E8AF1
"754E8A88 ADD EAX, EDX;"
754E8A8A Main CMP WORD PTR DS:[EAX],CX
754E8A8D Principal JE SHORT KERNELBA.754E8AF1
"754E8A8F ADD EAX, EDX;"
754E8A91 Main CMP WORD PTR DS:[EAX],CX
754E8A94 Principal JE SHORT KERNELBA.754E8AF1
"754E8A96 ADD principal EAX, EDX;"
754E8A98 Main CMP WORD PTR DS:[EAX],CX
754E8A9B Principal JE SHORT KERNELBA.754E8AF1
"754E8A9D Main ADD EAX, EDX;"
754E8A9F Main CMP WORD PTR DS:[EAX],CX
754E8AA2 Principal JE SHORT KERNELBA.754E8AF1
"754E8AA4 ADD EAX, EDX;"
754E8AA6 Main CMP WORD PTR DS:[EAX],CX
754E8AA9 Principal JE SHORT KERNELBA.754E8AF1
"754E8AAB ADD EAX, EDX;"
754E8AAD Main CMP WORD PTR DS:[EAX],CX
754E8AB0 Principal JE SHORT KERNELBA.754E8AF1
"754E8AB2 ADD EAX, EDX;"
754E8AB4 Main CMP WORD PTR DS:[EAX],CX
754E8AB7 Principal JE SHORT KERNELBA.754E8AF1
"754E8AB9 Main ADD EAX, EDX;"
754E8ABB Main CMP WORD PTR DS:[EAX],CX
754E8ABE Principal JE SHORT KERNELBA.754E8AF1
"754E8AC0 ADD EAX, EDX;"
754E8AC2 Main CMP WORD PTR DS:[EAX],CX
754E8AC5 Principal JE SHORT KERNELBA.754E8AF1
"754E8AC7 ADD EAX, EDX;"
754E8AC9 Main CMP WORD PTR DS:[EAX],CX
754E8ACC Principal JE SHORT KERNELBA.754E8AF1
"754E8ACE Main ADD EAX, EDX;"
754E8AD0 Main CMP WORD PTR DS:[EAX],CX
754E8AD3 Principal JE SHORT KERNELBA.754E8AF1
"754E8AD5 ADD EAX, EDX;"
754E8AD7 Main CMP WORD PTR DS:[EAX],CX
754E8ADA Principal JE SHORT KERNELBA.754E8AF1
"754E8ADC ADD EAX, EDX;"
754E8ADE Main CMP WORD PTR DS:[EAX],CX
754E8AE1 Principal JE SHORT KERNELBA.754E8AF1
"754E8AE3 ADD EAX, EDX;"
754E8AE5 Main CMP WORD PTR DS:[EAX],CX
754E8AE8 Principal JE SHORT KERNELBA.754E8AF1
"754E8AEA ADD EAX, EDX;"
754E8AEC Main CMP WORD PTR DS:[EAX],CX
754E8AEF Main JNZ SHORT KERNELBA.754E8A81
"754E8AF1 Principal SUB EAX, ESI;"
"754E8AF3 SAR principal EAX, 1;"
754E8AF5 Principal POP ESI
"754E8AF6 Main RETN;"
754EE650 Principal XOR ESI, ESI
"754EE652 Main INC ESI;"
75513C21 EDI MOV principal, EDI
75513C23 Main PUSH EBP
"75513C24 Main MOV EBP,ESP ;"
75513C26 Main PUSH EBX
"75513C27 Principal MOV EBX, DWORD PTR SS: [EBP + 10];"
75513C2A Main PUSH ESI
75513C2B Main PUSH EDI
"75513C2C MOV principal EDI, 1000;"
75513C31 Main CMP DWORD PTR SS: [EBP + C], EDI
75513C34 Main JNZ SHORT KERNELBA.75513C7B
75513C7B Main PUSH DWORD PTR SS: [EBP + C]
75513C7E Main PUSH DWORD PTR SS: [EBP + 8]
75513C81 Principal CALL KERNELBA.75513A7B
75513A7B Main PUSH 30
75513A7D Main PUSH KERNELBA.75513B60
"75513A82 Main CALL KERNELBA.754E16A0;"
"75513A87 Principal MOV ECX, DWORD PTR SS: [EBP + C];"
75513A8A TEST ECX principal, 1000
75513A90 Principal JE SHORT KERNELBA.75513A98
"75513A98 Principal XOR EBX, EBX;"
"75513A9A Principal XOR EAX, EAX;"
"75513A9C Principal XOR EDX, EDX;"
"75513A9E Main INC EDX;"
75513A9F TEST ECX principal, 100
75513AA5 Principal JE SHORT KERNELBA.75513AB0
75513AB0 TEST ECX principal, 200
75513AB6 Principal JE SHORT KERNELBA.75513AC1
75513AC1 TEST ECX principal, 400
75513AC7 Principal JE SHORT KERNELBA.75513ADC
75513ADC Principal MOV DWORD PTR SS: [EBP + C], EBX
75513ADF TEST ECX principal, 800
75513AE5 Principal JE SHORT KERNELBA.75513AF0
75513AE7 Main MOV DWORD PTR SS: [EBP + EAX * 4-40], 9
"75513AEF Main INC EAX;"
75513AF0 Principal MOV DWORD PTR SS: [EBP + EAX * 4-40], EBX
"75513AF4 Principal XOR EDI, EDI;"
"75513AF6 Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
75513AF9 Principal CMP ESI, EBX
75513AFB Principal JE SHORT KERNELBA.75513B0F
75513B0F Main CMP DWORD PTR SS: [EBP + C], EBX
75513B12 Principal JE SHORT KERNELBA.75513B1F
75513B1F Main MOV DWORD PTR SS: [EBP-4], EBX
75513B22 Main PUSH EDI
75513B23 Main PUSH ESI
75513B24 Main PUSH EBX
"75513B25 Principal LEA EAX, DWORD PTR SS: [EBP-40];"
75513B28 Main PUSH EAX
"75513B29 Main CALL KERNELBA.754F1C7F;"
"75513B2E Principal MOV ESI, EAX;"
75513B30 Main PUSH -2
"75513B32 Main LEA EAX, DWORD PTR SS: [EBP-10];"
75513B35 Main PUSH EAX
75513B36 Main PUSH KERNELBA.755259A0
75513B3B Main CALL KERNELBA.755088B4
755088B4 Main PUSH EBX
755088B5 Main PUSH ESI
755088B6 Main PUSH EDI
"755088B7 Main MOV EDX,DWORD PTR SS:[ESP+10] ;"
755088BB Main MOV EAX,DWORD PTR SS:[ESP+14]
"755088BF Main MOV ECX,DWORD PTR SS:[ESP+18] ;"
755088C3 Main PUSH EBP
755088C4 Main PUSH EDX
755088C5 Main PUSH EAX
755088C6 Main PUSH ECX
755088C7 Main PUSH ECX
755088C8 Main PUSH KERNELBA.75508944
755088CD Main PUSH DWORD PTR FS: [0]
"755088D4 Principal MOV EAX, DWORD PTR DS: [755259A0];"
"755088D9 Main XOR EAX,ESP ;"
755088DB Main MOV DWORD PTR SS:[ESP+8],EAX
755088DF Main MOV DWORD PTR FS:[0],ESP
"755088E6 Main MOV EAX,DWORD PTR SS:[ESP+30] ;"
"755088EA Principal MOV EBX, DWORD PTR DS: [EAX + 8];"
"755088ED Main MOV ECX,DWORD PTR SS:[ESP+2C] ;"
"755088F1 Principal XOR EBX, DWORD PTR DS: [ECX];"
"755088F3 Principal MOV ESI, DWORD PTR DS: [EAX + C];"
755088F6 Principal CMP ESI, -2
755088F9 Principal JE SHORT KERNELBA.75508936
"755088FB Main MOV EDX,DWORD PTR SS:[ESP+34] ;"
755088FF Principal CMP EDX, -2
75508902 Mão I SHORT KERNELBA.75508908
75508908 Principal LEA ESI, DWORD PTR DS: [ESI + ESI * 2]
"7550890B Principal LEA EBX, DWORD PTR DS: [EBX + ESI * 4 + 10];"
"7550890F Principal MOV ECX, DWORD PTR DS: [EBX];"
75508911 Principal MOV DWORD PTR DS: [EAX + C], ECX
75508914 Main CMP DWORD PTR DS: [EBX + 4], 0
75508918 Principal JNZ SHORT KERNELBA.755088E6
7550891A Main PUSH 101
"7550891F MOV Principal EAX, DWORD PTR DS: [EBX + 8];"
75508922 Principal CALL KERNELBA.755007D4
755007D4 Main PUSH EBX
755007D5 Main PUSH ECX
"755007D6 Principal MOV EBX, KERNELBA.75525790;"
"755007DB Main MOV ECX,DWORD PTR SS:[ESP+C] ;"
755007DF Principal MOV DWORD PTR DS: [EBX + 8], ECX
755007E2 Principal MOV DWORD PTR DS: [EBX + 4], EAX
755007E5 Principal MOV DWORD PTR DS: [EBX + C], EBP
755007E8 Main PUSH EBP
755007E9 Main PUSH ECX
755007EA Main PUSH EAX
755007EB Main EAX POP
755007EC Main POP ECX
755007ED Principal POP EBP
"755007EE Main POP ECX;"
"755007EF Main POP EBX;"
755007F0 Main RETN 4
"75508927 Principal MOV ECX, 1;"
7550892C Principal MOV EAX, DWORD PTR DS: [EBX + 8]
7550892F Principal CALL KERNELBA.755089A1
755089A1 Principal CALL EAX
75513B4D Main CMP DWORD PTR SS: [EBP + C], 0
755089A3 Main RETN
"75508934 Main JMP SHORT KERNELBA.755088E6;"
75508936 Main POP DWORD PTR FS: [0]
7550893D Principal ADD ESP, 18
75508940 POP EDI principal
"75508941 Main POP ESI;"
"75508942 Main POP EBX;"
75508943 Main RETN
75513B40 Main ADD ESP,0C
"75513B43 Principal MOV EAX, ESI;"
"75513B45 Main CALL KERNELBA.754E17F0;"
75513B4A Main RETN 8
75513C86 Main OR DWORD PTR DS: [EBX], FFFFFFFF
"75513C89 ADD EAX principal, 0C;"
"75513C8C POP POP principal;"
75513C8D Main POP ESI
"75513C8E Main POP EBX;"
"75513C8F Main POP EBP;"
"75513C90 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
7551391C EDI principal MOV, EDI
7551391E Main PUSH EBP
"7551391F Main MOV EBP,ESP ;"
75513921 Main CMP DWORD PTR SS: [EBP + C], - 1
75513925 Main JNZ SHORT KERNELBA.75513935
"75513927 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551392A ADD EAX, -0C;"
"7551392D Main PUSH EAX;"
"7551392E Main CALL KERNELBA.754E8E9D;"
75513933 Principal JMP SHORT KERNELBA.75513942
"75513942 Main POP EBP;"
"75513943 Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
NlsIsUserDefaultL> MOV EDI, EDI
754F8277 Main PUSH EBP
"754F8278 Main MOV EBP,ESP ;"
"754F827A Main CALL KERNELBA.754E6FB9;"
"754F827F MOV principal EDX, DWORD PTR SS: [EBP + 8];"
"754F8282 Main XOR ECX, ECX;"
754F8284 Main CMP EDX, DWORD PTR DS: [EAX + 8]
754F8287 Main SETE CL
"754F828A MOV principal EAX, ECX;"
"754F828C Main POP EBP;"
"754F828D Main RETN 4;"
754EF62C Main PUSH EBP
"754EF62D Main MOV EBP,ESP ;"
"754EF62F Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
"754EF632 Main XOR EDX, EDX;"
"754EF634 Main CALL KERNELBA.GetNamedLocaleHashNode;"
"754EF639 Main POP EBP;"
"754EF63A Main RETN 4;"
7551971B Main PUSH EBP
"7551971C Main MOV EBP,ESP ;"
"7551971E Principal LEA EAX, DWORD PTR SS: [EBP + C];"
75519721 Main PUSH EAX
75519722 Main PUSH DWORD PTR SS: [EBP + C]
"75519725 Main CALL KERNELBA.755018D8;"
7551972A TEST EAX principal, EAX
7551972C Principal JGE SHORT KERNELBA.75519739
"75519739 Main CALL KERNELBA.754E6FB9;"
7551973E Main PUSH DWORD PTR DS: [EAX + 8]
"75519741 Main CALL KERNELBA.754E6EE0;"
"75519746 Main PUSH EAX;"
"75519747 Main PUSH DWORD PTR SS: [EBP + C];"
"7551974A Main PUSH DWORD PTR SS: [EBP + 8];"
"7551974D Main CALL KERNELBA.754ECF95;"
75519752 TEST EAX principal, EAX
75519754 Main JGE SHORT KERNELBA.7551975D
"7551975D Principal LEA EAX, DWORD PTR SS: [EBP + 8];"
75519760 Main PUSH EAX
75519761 Main PUSH 55
75519763 Main PUSH DWORD PTR SS: [EBP + 8]
"75519766 Main CALL KERNELBA.754FA018;"
"7551976B Main LEA EAX, DWORD PTR SS: [EBP + 8];"
7551976E Main PUSH EAX
7551976F Main PUSH DWORD PTR SS: [EBP + 8]
"75519772 Main CALL KERNELBA.754E700B;"
"75519777 Main MOV EAX, DWORD PTR SS: [EBP + 8];"
"7551977A Principal INC EAX;"
"7551977B Main POP EBP;"
"7551977C Main RETN 8;"
754ECFD1 EDI principal MOV, EDI
754ECFD3 Main PUSH EBP
"754ECFD4 Main MOV EBP,ESP ;"
"754ECFD6 MOV principal EDX, DWORD PTR SS: [EBP + C];"
754ECFD9 Main PUSH EBX
"754ECFDA Principal XOR EAX, EAX;"
754ECFDC Main PUSH EDI
"754ECFDD Principal MOV EBX, 7FFFFFFF;"
754ECFE2 TEST principal EDX, EDX
754ECFE4 Principal JE SHORT KERNELBA.754ED030
754ECFE6 Main CMP EDX, EBX
754ECFE8 Main JA SHORT KERNELBA.754ED030
"754ECFEA MOV PRINCIPAL EDI, DWORD PTR SS: [EBP + 8];"
754ECFED Principal TEST EAX, EAX
754ECFEF Principal JL SHORT KERNELBA.754ED040
754ECFF1 Main AND DWORD PTR SS: [EBP + C], 0
754ECFF5 Principal XOR ECX, ECX
754ECFF7 Main PUSH ESI
"754ECFF8 Principal MOV ESI, EDX;"
"754ECFFA Principal MOV EAX, EDI;"
754ECFFC Main CMP EDX, ECX
754ECFFE Principal JE SHORT KERNELBA.754ED037
754ED000 Main CMP WORD PTR DS:[EAX],CX
754ED003 Principal JE SHORT KERNELBA.754ED00A
"754ED005 Main INC EAX;"
"754ED006 Principal INC EAX;"
"754ED007 Main DEC ESI;"
"754ED008 Main JNZ SHORT KERNELBA.754ED000;"
754ED00A Principal CMP ESI, ECX
754ED00C Principal JE SHORT KERNELBA.754ED037
"754ED00E Principal MOV ECX, EDX;"
"754ED010 Principal SUB ECX, ESI;"
"754ED012 Principal MOV EAX, DWORD PTR SS: [EBP + C];"
"754ED015 Main POP ESI;"
754ED016 TEST principal EAX, EAX
754ED018 Main JL SHORT KERNELBA.754ED02A
"754ED01A Principal MOV EAX, DWORD PTR SS: [EBP + 10];"
754ED01D Main PUSH EBX
"754ED01E Principal SUB EDX, ECX;"
754ED020 Main PUSH 0
"754ED022 Principal LEA ECX, DWORD PTR DS: [EDI + ECX * 2];"
"754ED025 Main CALL KERNELBA.754ECF3C;"
"754ED02A POP EDI principal;"
"754ED02B Main POP EBX;"
"754ED02C Main POP EBP;"
"754ED02D Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754E7342 Main PUSH EBP
"754E7343 Main MOV EBP,ESP ;"
754E7345 Main PUSH DWORD PTR SS: [EBP + C]
754E7348 Main PUSH DWORD PTR SS: [EBP + 8]
754E734B Main CALL DWORD PTR DS: [<& ntdll.RtlInitializeCri
754E7351 Principal XOR EAX, EAX
"754E7353 Main INC EAX;"
"754E7354 Main POP EBP;"
"754E7355 Main RETN 8;"
"GetCommandLineA MOV EAX, DWORD PTR DS: [7552578C];"
"754F194C Main RETN;"
754F1954 Main PUSH EBP
"754F1955 Main MOV EBP,ESP ;"
754F1957 Main PUSH DWORD PTR SS: [EBP + 8]
"754F195A MOV principal EAX, DWORD PTR FS: [18];"
"754F1960 Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754F1963 Main PUSH 0
754F1965 Main PUSH DWORD PTR DS: [EAX + 18]
"754F1968 Main CALL DWORD PTR DS: [<& ntdll.RtlFreeHeap>];"
754F196E Principal MOVZX EAX, AL
"754F1971 Main POP EBP;"
"754F1972 Main RETN 4;"
"GetACP MOV EAX, DWORD PTR DS: [75525054];"
"754E92F8 Main RETN;"
"KiFastSystemCallR> RETN;"
754F9241 EDI MOV principal, EDI
754F9243 Main PUSH EBP
"754F9244 Main MOV EBP,ESP ;"
"754F9246 Principal MOV AX, WORD PTR SS: [EBP + 8];"
754F924A Main CMP AX, WORD PTR SS: [EBP + 10]
754F924E Main JA SHORT KERNELBA.754F925D
754F9250 Main CMP AX, WORD PTR SS: [EBP + C]
754F9254 Principal MOVZX EAX, AX
754F9257 Main JB SHORT KERNELBA.754F925D
"754F9259 Main POP EBP;"
"754F925A Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"GetVersion MOV EAX, DWORD PTR FS: [18];"
"754EC20D Principal MOV ECX, DWORD PTR DS: [EAX + 30];"
"754EC210 Principal MOV EAX, DWORD PTR DS: [ECX + B0];"
"754EC216 Principal MOVZX EDX, WORD PTR DS: [ECX + AC];"
"754EC21D Principal XOR EAX, FFFFFFFE;"
"754EC220 Main SHL EAX, 0E;"
"754EC223 Main OR EAX, EDX;"
"754EC225 Main SHL EAX, 8;"
"754EC228 Main OR EAX, DWORD PTR DS: [ECX + A8];"
"754EC22E Main SHL EAX, 8;"
"754EC231 Main OR EAX, DWORD PTR DS: [ECX + A4];"
"754EC237 Main RETN;"
"754E7058 Principal XOR EAX, EAX;"
"754E705A Main JMP SHORT KERNELBA.754E7053;"
754ED5D5 Main PUSH DWORD PTR SS: [EBP-30]
754ED5D8 Principal CALL KERNELBA.BaseDllFreeResourceId
754ED5DD Main PUSH DWORD PTR SS: [EBP-2C]
754ED5E0 Principal CALL KERNELBA.BaseDllFreeResourceId
"754ED5E5 Main RETN;"
SetHandleCount MOV EDI, EDI
754E92E4 Main PUSH EBP
"754E92E5 Main MOV EBP,ESP ;"
754E92E7 MOV principal EAX, DWORD PTR SS: [EBP + 8]
"754E92EA Main POP EBP;"
"754E92EB Main RETN 4;"
"KiFastSystemCallR> RETN;"
754E9ADF 00000574 PUSH EBP
"754E9AE0 00000574 MOV EBP,ESP ;"
754E9AE2 00000574 PUSH DWORD PTR SS: [EBP + 10]
754E9AE5 00000574 PUSH 2
754E9AE7 00000574 PUSH DWORD PTR SS: [EBP + C]
754E9AEA 00000574 PUSH 0
754E9AEC 00000574 PUSH 0C
754E9AEE 00000574 PUSH DWORD PTR SS: [EBP + 8]
"754E9AF1 00000574 CALL KERNELBA.DuplicateTokenEx ;"
"754E9AF6 00000574 POP EBP;"
"754E9AF7 00000574 RETN 0C;"
"GetOEMCP MOV EAX, DWORD PTR DS: [75525048];"
"754ED9B4 Main RETN;"
"NlsGetCacheUpdate> MOV EAX, DWORD PTR DS: [7552504C];"
"754E9308 Principal MOV EAX, DWORD PTR DS: [EAX + 5C8];"
"754E930E Main RETN;"
754F4628 Main PUSH EBP
"754F4629 Main MOV EBP,ESP ;"
754F462B Main PUSH 0
"754F462D Principal LEA EAX, DWORD PTR SS: [EBP + 8];"
754F4630 Main PUSH EAX
"754F4631 Main CALL KERNELBA.NlsValidateLocale;"
754F4636 TEST principal EAX, EAX
754F4638 Principal JE SHORT KERNELBA.754F4640
"754F463A Principal MOV EAX, DWORD PTR DS: [EAX];"
"754F463C Main POP EBP;"
"754F463D Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"GetCommandLineW MOV EAX, DWORD PTR DS: [7552506C];"
"754ED9A9 Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754F0C45 EDI MOV principal, EDI
754F0C47 Main PUSH EBP
"754F0C48 Main MOV EBP,ESP ;"
754F0C4A Main PUSH ECX
754F0C4B Main AND DWORD PTR SS: [EBP-4], 0
754F0C4F Main PUSH EDI
"754F0C50 Principal XOR EDI, EDI;"
754F0C52 Main PUSH EDI
754F0C53 Main PUSH 20019
754F0C58 Main PUSH DWORD PTR SS: [EBP + C]
"754F0C5B Principal LEA EAX, DWORD PTR SS: [EBP-4];"
754F0C5E Main PUSH KERNELBA.754ED3C0
754F0C63 Main PUSH EAX
"754F0C64 Main CALL KERNELBA.OpenRegKey;"
754F0C69 TEST EAX principal, EAX
754F0C6B Main JL SHORT KERNELBA.754F0C9C
754F0C6D Main PUSH EDI
754F0C6E Main PUSH 1
754F0C70 Main PUSH 214
"754F0C75 Principal LEA EAX, DWORD PTR SS: [EBP + 10];"
754F0C78 Main PUSH EAX
754F0C79 Main PUSH DWORD PTR SS: [EBP + 8]
754F0C7C Main PUSH DWORD PTR SS: [EBP-4]
"754F0C7F Main CALL KERNELBA.754ED2F0;"
"754F0C84 Main XOR ECX, ECX;"
754F0C86 TEST principal EAX, EAX
754F0C88 Main SETGE CL
754F0C8B Main CMP DWORD PTR SS: [EBP-4], 0
754F0C8F MOV Principal EDI, ECX
754F0C91 Principal JE SHORT KERNELBA.754F0C9C
"754F0C93 Main PUSH DWORD PTR SS: [EBP-4];"
"754F0C96 Main CALL DWORD PTR DS: [<& ntdll.NtClose>];"
754F0C9C Principal MOV EAX, EDI
"754F0C9E POP EDI principal;"
"754F0C9F Main LEAVE;"
"754F0CA0 Main RETN 0C;"
754F252B Main PUSH EBP
"754F252C Main MOV EBP,ESP ;"
"754F252E Principal MOV EAX, DWORD PTR FS: [18];"
"754F2534 Principal MOV EAX, DWORD PTR DS: [EAX + 30];"
754F2537 Main PUSH 30
754F2539 Main PUSH 8
754F253B Main PUSH DWORD PTR DS: [EAX + 18]
754F253E Main CALL DWORD PTR DS: [<& ntdll.RtlAllocateHeap>
754F2544 Principal TEST EAX, EAX
754F2546 Principal JE SHORT KERNELBA.754F254D
"754F2548 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754F254B Principal MOV DWORD PTR DS: [EAX], ECX
"754F254D Main POP EBP;"
"754F254E Main RETN 4;"
754E74DD Principal XOR EAX, EAX
"754E74DF Main INC EAX;"
"754E74E0 Main JMP SHORT KERNELBA.754E74D9;"
754EACBB Main PUSH EBP
"754EACBC Main MOV EBP,ESP ;"
754EACBE Principal MOVZX EAX, BYTE PTR SS: [EBP + 8]
754EACC2 Main PUSH EAX
754EACC3 Principal CALL DWORD PTR DS: [<& ntdll.RtlLengthRequire
"754EACC9 Main POP EBP;"
"754EACCA Main RETN 4;"
OpenEventA MOV EDI, EDI
754EE697 Main PUSH EBP
"754EE698 Main MOV EBP,ESP ;"
754EE69A Main PUSH ECX
754EE69B Main PUSH ECX
754EE69C Main CMP DWORD PTR SS: [EBP + 10], 0
754EE6A0 Principal JE SHORT KERNELBA.754EE6DA
754EE6A2 Main PUSH DWORD PTR SS: [EBP + 10]
"754EE6A5 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EE6A8 Main PUSH EAX
"754EE6A9 Main CALL KERNELBA.754E8745;"
754EE6AE TEST EAX principal, EAX
754EE6B0 Principal JE SHORT KERNELBA.754EE6D6
754EE6B2 Main PUSH ESI
"754EE6B3 Main PUSH DWORD PTR SS: [EBP-4];"
"754EE6B6 Main PUSH DWORD PTR SS: [EBP + C];"
"754EE6B9 Main PUSH DWORD PTR SS: [EBP + 8];"
"754EE6BC Main CALL KERNELBA.OpenEventW;"
754EE6C1 Main CMP DWORD PTR SS: [EBP + 10], 0
"754EE6C5 Principal MOV ESI, EAX;"
754EE6C7 Principal JE SHORT KERNELBA.754EE6D3
"754EE6C9 Principal LEA EAX, DWORD PTR SS: [EBP-8];"
754EE6CC Main PUSH EAX
754EE6CD Main CALL DWORD PTR DS: [<& ntdll.RtlFreeUnicodeSt
754EE6D3 Principal MOV EAX, ESI
"754EE6D5 Main POP ESI;"
"754EE6D6 Main LEAVE;"
"754EE6D7 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
75513BED EDI MOV principal, EDI
75513BEF Main PUSH EBP
"75513BF0 Main MOV EBP,ESP ;"
75513BF2 Main PUSH ECX
"75513BF3 Principal LEA EAX, DWORD PTR SS: [EBP-4];"
75513BF6 Main PUSH EAX
75513BF7 Main PUSH 0
"75513BF9 Main CALL KERNELBA.754EB67A;"
75513BFE Main PUSH DWORD PTR SS: [EBP + 8]
75513C01 Main PUSH 0
75513C03 Main PUSH DWORD PTR SS: [EBP-4]
75513C06 Main PUSH EAX
75513C07 Main PUSH 0
75513C09 Main PUSH KERNELBA.754F2473
75513C0E Main PUSH KERNELBA.75525800
"75513C13 Main CALL KERNELBA.754EB5CB;"
754F1BC8 Main CMP DWORD PTR SS: [EBP + C], EBX
754F1BCB Main JNZ SHORT KERNELBA.754F1BD3
754F1BCD Main CALL DWORD PTR DS: [<& ntdll.RtlReleasePebLoc
"754F1BD3 Main RETN;"
"75513C18 LEA PRINCIPAL;"
"75513C19 Main RETN 4;"
754F2458 Main PUSH EBP
"754F2459 Main MOV EBP,ESP ;"
"754F245B Main PUSH DWORD PTR SS: [EBP + C];"
"754F245E Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754F2461 Main ADD EAX, -4;"
"754F2464 Main PUSH EAX;"
754F2465 Principal CHAMADA KERNELBA.755138ED
755138ED EDI MOV principal, EDI
755138EF Main PUSH EBP
"755138F0 Main MOV EBP,ESP ;"
755138F2 Main CMP DWORD PTR SS: [EBP + C], - 1
755138F6 Main JNZ SHORT KERNELBA.75513906
75513906 Main PUSH DWORD PTR SS: [EBP + C]
75513909 Main PUSH KERNELBA.75525800
"7551390E Main CALL KERNELBA.754EB4E5;"
"75513913 Main POP EBP;"
75513914 Main RETN 8
"754F246A Main POP EBP;"
"754F246B Main RETN 8;"
"KiFastSystemCallR> RETN;"
754F5048 EDI MOV principal, EDI
754F504A Main PUSH EBP
"754F504B Main MOV EBP,ESP ;"
"754F504D MOV principal EAX, DWORD PTR SS: [EBP + C];"
"754F5050 Principal MOVZX EAX, BYTE PTR DS: [EAX];"
"754F5053 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
"754F5056 Main MOV CX,WORD PTR DS:[ECX+EAX*2] ;"
"754F505A MOV principal EAX, DWORD PTR SS: [EBP + 10];"
754F505D Main PUSH DWORD PTR SS: [EBP + 14]
754F5060 Main MOV WORD PTR DS:[EAX],CX
754F5063 Main PUSH EAX
"754F5064 Main CALL KERNELBA.754F5072;"
"754F5069 Main POP EBP;"
"754F506A Main RETN 10;"
"KiFastSystemCallR> RETN;"
754E180B 00000EB0 PUSH EBP
"754E180C 00000EB0 MOV EBP,ESP ;"
"754E180E 00000EB0 PUSH 0;"
"754E1810 00000EB0 PUSH DWORD PTR SS: [EBP + 8];"
"754E1813 00000EB0 CHAMAR KERNELBA.SleepEx;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
GetTimeZoneInform> MOI EDI, EDI
754F6E3C Main PUSH EBP
"754F6E3D Main MOV EBP,ESP ;"
754F6E3F Main PUSH 1
754F6E41 Main PUSH DWORD PTR SS: [EBP + 8]
"754F6E44 Main CALL KERNELBA.754F6E52;"
"754E71E4 Principal MOV EAX, DWORD PTR DS: [75525044];"
"754E71E9 Principal MOV EAX, DWORD PTR DS: [EAX + 91C];"
754E71EF Principal XOR ECX, ECX
754E71F1 Principal CMP EAX, -1
754E71F4 Main SETNE CL
"754E71F7 Principal MOV EAX, ECX;"
"754E71F9 Main RETN;"
754F6F80 EDI MOV principal, EDI
754F6F82 Main PUSH EBP
"754F6F83 Main MOV EBP,ESP ;"
754F6F85 Main SUB ESP,218
"754F6F8B MOV principal EAX, DWORD PTR DS: [755259A0];"
"754F6F90 Principal XOR EAX, EBP;"
754F6F92 Principal MOV DWORD PTR SS: [EBP-4], EAX
754F6F95 Main PUSH EBX
"754F6F96 Principal MOV EBX, DWORD PTR SS: [EBP + C];"
754F6F99 Main PUSH EDI
"754F6F9A MOV Principal EDI, DWORD PTR SS: [EBP + 8];"
754F6F9D Main PUSH EDI
754F6F9E Main PUSH 20
754F6FA0 Main PUSH EBX
"754F6FA1 Main CALL <JMP. & Ntdll.wcscpy_s>;"
754F6FA6 Main ADD ESP,0C
754F6FA9 Main CMP WORD PTR DS: [EDI], 40
754F6FAD Main JNZ KERNELBA.754F707F
754F6FB3 Main PUSH ESI
"754F6FB4 Principal MOV ESI, DWORD PTR DS: [<& ntdll.wcschr>];"
"754F6FBA Main PUSH 5C;"
"754F6FBC Main PUSH EDI;"
"754F6FBD Main CALL ESI;"
"754F6FBF Main POP ECX;"
"754F6FC0 Main POP ECX;"
754F6FC1 TEST EAX principal, EAX
754F6FC3 Main JNZ KERNELBA.754F707E
754F6FC9 Main PUSH 2F
754F6FCB Main PUSH EDI
"754F6FCC Main CALL ESI;"
"754F6FCE Main POP ECX;"
"754F6FCF Main POP ECX;"
754F6FD0 TEST principal EAX, EAX
754F6FD2 Main JNZ KERNELBA.754F707E
754F6FD8 Main PUSH 2C
754F6FDA Main PUSH EDI
"754F6FDB Main CALL ESI;"
"754F6FDD Principal MOV ESI, EAX;"
"754F6FDF Main POP ECX;"
"754F6FE0 Main POP ECX;"
754F6FE1 Principal TEST ESI, ESI
754F6FE3 Principal JE KERNELBA.754F707E
754F6FE9 Main CMP WORD PTR DS: [ESI + 2], 2D
754F6FEE Main JNZ KERNELBA.754F707E
"754F6FF4 Principal LEA EAX, DWORD PTR DS: [ESI + 4];"
754F6FF7 Main PUSH EAX
"754F6FF8 Principal LEA EAX, DWORD PTR SS: [EBP-218];"
754F6FFE Main PUSH EAX
754F6FFF Main CALL DWORD PTR DS: [<& ntdll.RtlInitUnicodeSt
"754F7005 Principal LEA EAX, DWORD PTR SS: [EBP-210];"
754F700B Main PUSH EAX
754F700C Main PUSH 0A
"754F700E Principal LEA EAX, DWORD PTR SS: [EBP-218];"
754F7014 Main PUSH EAX
754F7015 Main CALL DWORD PTR DS: [<& ntdll.RtlUnicodeString
754F701B TEST EAX principal, EAX
754F701D Main JL SHORT KERNELBA.754F707E
"754F701F Main CALL KERNELBA.KernelBaseGetGlobalData;"
"754F7024 Principal SUB ESI, EDI;"
"754F7026 Main ADD EAX, 3C;"
"754F7029 Principal LEA ECX, DWORD PTR DS: [EDI + 2];"
754F702C Main PUSH ECX
"754F702D Principal SAR ESI, 1;"
"754F702F Main DEC ESI;"
754F7030 Main PUSH ESI
754F7031 Main PUSH DWORD PTR DS: [EAX + 4]
"754F7034 Principal LEA EAX, DWORD PTR SS: [EBP-20C];"
754F703A Main PUSH KERNELBA.754F7090
754F703F Main PUSH 208
754F7044 Main PUSH EAX
"754F7045 Main CALL KERNELBA.754ED42B;"
754F704A Main ADD ESP,18
754F704D TEST EAX principal, EAX
754F704F Main JL SHORT KERNELBA.754F707E
"754F7051 Main PUSH 2;"
"754F7053 Main PUSH 0;"
"754F7055 Principal LEA EAX, DWORD PTR SS: [EBP-20C];"
"754F705B Main PUSH EAX;"
"754F705C Main CALL KERNELBA.LoadLibraryExW;"
"754F7061 Principal MOV ESI, EAX;"
754F7063 TEST Principal ESI, ESI
754F7065 Principal JE SHORT KERNELBA.754F707E
754F7067 Main PUSH 0
754F7069 Main PUSH 20
754F706B Main PUSH EBX
754F706C Main PUSH DWORD PTR SS: [EBP-210]
754F7072 Main PUSH ESI
"754F7073 Main CALL KERNELBA.LoadStringBaseExW;"
"754F7078 Main PUSH ESI;"
"754F7079 Main CALL KERNELBA.FreeLibrary;"
"754F707E Main POP ESI;"
"754F707F MOV principal ECX, DWORD PTR SS: [EBP-4];"
"754F7082 Main POP EDI;"
"754F7083 Main XOR ECX, EBP;"
"754F7085 Main POP EBX;"
754F7086 Principal CALL KERNELBA.754E68A6
"754F708B Main LEAVE;"
"754F708C Main RETN 8;"
"754F6E49 Main POP EBP;"
"754F6E4A Main RETN 4;"
754FAEA0 Main PUSH EBP
"754FAEA1 Main MOV EBP,ESP ;"
754FAEA3 Main PUSH 1
754FAEA5 Main PUSH DWORD PTR SS: [EBP + 8]
"754FAEA8 Main CALL KERNELBA.754FC37C;"
754FC3F5 EDI principal MOV, EDI
754FC3F7 Main PUSH EBP
"754FC3F8 Main MOV EBP,ESP ;"
754FC3FA Main PUSH ESI
754FC3FB Main PUSH EDI
754FC3FC Principal MOV EAX, DWORD PTR SS: [EBP + 8]
"754FC3FF Principal MOV ECX, DWORD PTR DS: [EAX];"
"754FC401 Principal MOV EDX, DWORD PTR SS: [EBP + C];"
754FC404 Principal MOV DWORD PTR DS: [EDX], ECX
"754FC406 Principal MOV ECX, DWORD PTR DS: [EAX + 54];"
754FC409 Principal MOV DWORD PTR DS: [EDX + 54], ECX
"754FC40C Principal MOV ECX, DWORD PTR DS: [EAX + A8];"
754FC412 Principal MOV DWORD PTR DS: [EDX + A8], ECX
"754FC418 Main MOV CX,WORD PTR DS:[EAX+44] ;"
754FC41C Main MOV WORD PTR DS:[EDX+44],CX
"754FC420 Main MOV CX,WORD PTR DS:[EAX+46] ;"
754FC424 Main MOV WORD PTR DS:[EDX+46],CX
"754FC428 Main MOV CX,WORD PTR DS:[EAX+52] ;"
754FC42C Main MOV WORD PTR DS:[EDX+48],CX
"754FC430 Main MOV CX,WORD PTR DS:[EAX+48] ;"
754FC434 Main MOV WORD PTR DS:[EDX+4A],CX
"754FC438 Main MOV CX,WORD PTR DS:[EAX+4A] ;"
754FC43C Main MOV WORD PTR DS:[EDX+4C],CX
"754FC440 Main MOV CX,WORD PTR DS:[EAX+4C] ;"
754FC444 Main MOV WORD PTR DS:[EDX+4E],CX
754FC448 Main MOV CX,WORD PTR DS:[EAX+4E]
754FC44C Main MOV WORD PTR DS:[EDX+50],CX
"754FC450 Main MOV CX,WORD PTR DS:[EAX+50] ;"
754FC454 Main MOV WORD PTR DS:[EDX+52],CX
"754FC458 Main MOV CX,WORD PTR DS:[EAX+98] ;"
754FC45F Main MOV WORD PTR DS:[EDX+98],CX
"754FC466 Main MOV CX,WORD PTR DS:[EAX+9A] ;"
754FC46D Main MOV WORD PTR DS:[EDX+9A],CX
"754FC474 Main MOV CX,WORD PTR DS:[EAX+A6] ;"
754FC47B Main MOV WORD PTR DS:[EDX+9C],CX
"754FC482 Main MOV CX,WORD PTR DS:[EAX+9C] ;"
754FC489 Main MOV WORD PTR DS:[EDX+9E],CX
"754FC490 Main MOV CX,WORD PTR DS:[EAX+9E] ;"
754FC497 Main MOV WORD PTR DS:[EDX+A0],CX
"754FC49E Main MOV CX,WORD PTR DS:[EAX+A0] ;"
754FC4A5 Main MOV WORD PTR DS:[EDX+A2],CX
754FC4AC Main MOV CX,WORD PTR DS:[EAX+A2]
754FC4B3 Main MOV WORD PTR DS:[EDX+A4],CX
"754FC4BA Main MOV CX,WORD PTR DS:[EAX+A4] ;"
754FC4C1 Main PUSH 40
754FC4C3 Main MOV WORD PTR DS:[EDX+A6],CX
"754FC4CA Main POP ECX;"
"754FC4CB Principal LEA ESI, DWORD PTR DS: [EAX + AC];"
"754FC4D1 Principal LEA EDI, DWORD PTR DS: [EDX + AC];"
754FC4D7 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FC4D9 Principal MOV AL, BYTE PTR DS: [EAX + 1AC];"
"754FC4DF Main POP EDI;"
754FC4E0 Principal MOV BYTE PTR DS: [EDX + 1AC], AL
"754FC4E6 Main POP ESI;"
"754FC4E7 Main POP EBP;"
"754FC4E8 Main RETN 8;"
"754FAEAD Main POP EBP;"
"754FAEAE Main RETN 4;"
755045D4 Main PUSH EBP
"755045D5 Main MOV EBP,ESP ;"
755045D7 Main PUSH ESI
755045D8 Main PUSH DWORD PTR SS: [EBP + 20]
"755045DB Principal XOR ESI, ESI;"
755045DD Main PUSH DWORD PTR SS: [EBP + 1C]
"755045E0 Principal INC ESI;"
755045E1 Main PUSH DWORD PTR SS: [EBP + 18]
755045E4 Main PUSH DWORD PTR SS: [EBP + 14]
755045E7 Main PUSH DWORD PTR SS: [EBP + 10]
755045EA Main PUSH DWORD PTR SS: [EBP + C]
755045ED Main PUSH DWORD PTR SS: [EBP + 8]
755045F0 Main CALL DWORD PTR DS: [<& ntdll.RtlGetFileMUIPat
755045F6 Principal TEST EAX, EAX
755045F8 Main JL SHORT KERNELBA.75504601
"755045FA Principal MOV EAX, ESI;"
"755045FC Main POP ESI;"
"755045FD Main POP EBP;"
"755045FE Main RETN 1C;"
754FC14D Main PUSH EBP
"754FC14E Main MOV EBP,ESP ;"
754FC150 Principal XOR EAX, EAX
754FC152 TEST principal ECX, ECX
754FC154 Principal JE SHORT KERNELBA.754FC15F
754FC156 Main CMP ECX, DWORD PTR SS: [EBP + 8]
754FC159 Main JA SHORT KERNELBA.754FC15F
"754FC15B Main POP EBP;"
"754FC15C Main RETN 4;"
754FC0CE Main PUSH EBP
"754FC0CF Main MOV EBP,ESP ;"
754FC0D1 Main PUSH EBX
"754FC0D2 Principal MOV EBX, DWORD PTR SS: [EBP + C];"
754FC0D5 Main PUSH ESI
754FC0D6 Principal MOV ESI, EAX
754FC0D8 Main PUSH EDI
"754FC0D9 Principal XOR EAX, EAX;"
"754FC0DB Principal XOR EDI, EDI;"
754FC0DD TEST PRINCIPAL ESI, ESI
754FC0DF Principal JE SHORT KERNELBA.754FC117
754FC0E1 Main CMP DWORD PTR SS: [EBP + 10], EAX
754FC0E4 Principal JE SHORT KERNELBA.754FC0FE
"754FC0E6 Principal MOVZX EDX, WORD PTR DS: [EBX];"
754FC0E9 TEST principal DX, DX
754FC0EC Principal JE SHORT KERNELBA.754FC0FE
754FC0EE Main MOV WORD PTR DS: [ECX], DX
"754FC0F1 Main INC ECX;"
"754FC0F2 Main INC ECX;"
"754FC0F3 Principal INC EBX;"
"754FC0F4 Main INC EBX;"
"754FC0F5 Main DEC ESI;"
754FC0F6 Principal DEC DWORD PTR SS: [EBP + 10]
"754FC0F9 Principal INC EDI;"
754FC0FA Main TEST ESI, ESI
"754FC0FC Main JNZ SHORT KERNELBA.754FC0E1;"
754FC0FE Main TEST ESI, ESI
754FC100 Principal JE SHORT KERNELBA.754FC117
754FC102 Principal XOR EDX, EDX
754FC104 Main MOV WORD PTR DS: [ECX], DX
"754FC107 Principal MOV ECX, DWORD PTR SS: [EBP + 8];"
754FC10A TEST principal ECX, ECX
754FC10C Principal JE SHORT KERNELBA.754FC110
754FC10E Principal MOV DWORD PTR DS: [ECX], EDI
"754FC110 Main POP EDI;"
"754FC111 Main POP ESI;"
"754FC112 Main POP EBX;"
"754FC113 Main POP EBP;"
"754FC114 Main RETN 0C;"
754F798C Main PUSH DWORD PTR DS: [75525034]
"754F7992 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754F7998 Main RETN;"
"KiFastSystemCallR> RETN;"
"GetThreadLocale MOV EAX, DWORD PTR FS: [18];"
"754E9218 Principal MOV EAX, DWORD PTR DS: [EAX + C4];"
"754E921E Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EFC49 Main PUSH DWORD PTR DS: [75525034]
"754EFC4F Principal CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFC55 Main RETN;"
754EFA9D Main PUSH DWORD PTR DS: [75525034]
"754EFAA3 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFAA9 Main RETN;"
754EFAAF Main PUSH DWORD PTR DS: [75525034]
"754EFAB5 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EFABB Main RETN;"
754EE815 Main PUSH DWORD PTR DS: [75525034]
"754EE81B Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EE821 Main RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
lstrlenA PUSH 8
754E7375 Main PUSH KERNELBA.754E73B0
"754E737A Main CALL KERNELBA.754E16A0;"
"754E737F MOV principal EAX, DWORD PTR SS: [EBP + 8];"
754E7382 TEST principal EAX, EAX
754E7384 Principal JE SHORT KERNELBA.754E73A5
754E7386 Main AND DWORD PTR SS: [EBP-4], 0
"754E738A Principal LEA EDX, DWORD PTR DS: [EAX + 1];"
"754E738D Principal MOV CL, BYTE PTR DS: [EAX];"
"754E738F Main INC EAX;"
754E7390 Main TEST CL, CL
"754E7392 Main JNZ SHORT KERNELBA.754E738D;"
"754E7394 Principal SUB EAX, EDX;"
754E7396 Principal MOV DWORD PTR SS: [EBP-4], - 2
"754E739D Main CALL KERNELBA.754E17F0;"
"754E73A2 Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EC1CA Main PUSH DWORD PTR DS: [75525034]
"754EC1D0 Main CALL DWORD PTR DS: [<& ntdll.RtlUnlockHeap>];"
"754EC1D6 Main RETN;"
SwitchToThread CALL DWORD PTR DS: [<& ntdll.NtYieldExecution
"ZwYieldExecution MOV EAX, 190;"
"754EC2D4 00000A28 XOR ECX, ECX;"
754EC2D6 00000A28 CMP EAX, 40000024
"754EC2DB 00000A28 SETNE CL;"
"754EC2DE 00000A28 MOV EAX, ECX;"
"754EC2E0 00000A28 RETN;"
"KiFastSystemCallR> RETN;"
754EE32D Main PUSH EBP
"754EE32E Main MOV EBP,ESP ;"
754EE330 Main PUSH DWORD PTR SS: [EBP + 18]
754EE333 Main PUSH DWORD PTR SS: [EBP + 14]
754EE336 Main PUSH DWORD PTR SS: [EBP + 10]
754EE339 Main PUSH DWORD PTR SS: [EBP + C]
754EE33C Main PUSH DWORD PTR SS: [EBP + 8]
754EE33F Main CALL DWORD PTR DS: [<& ntdll.NtQuerySecurityO
754EE345 TEST EAX principal, EAX
754EE347 Main JGE SHORT KERNELBA.754EE355
"754EE349 Main PUSH EAX;"
"754EE34A Main CALL KERNELBA.754E6BA5;"
"754EE34F Principal XOR EAX, EAX;"
"754EE351 Main POP EBP;"
"754EE352 Main RETN 14;"
754EE355 Principal XOR EAX, EAX
"754EE357 Main INC EAX;"
"754EE358 Main JMP SHORT KERNELBA.754EE351;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754F41BA Main PUSH EBP
"754F41BB Main MOV EBP,ESP ;"
754F41BD Main PUSH DWORD PTR SS: [EBP + C]
"754F41C0 Principal MOV EAX, DWORD PTR SS: [EBP + 8];"
"754F41C3 ADD EAX, EAX;"
754F41C5 Main PUSH EAX
754F41C6 Principal CALL DWORD PTR DS: [<& ntdll.RtlGetCurrentDir
"754F41CC Main SHR EAX, 1;"
"754F41CE Main POP EBP;"
"754F41CF Main RETN 8;"
"FreeResource XOR EAX, EAX;"
"754E917A Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754FCAA4 EDI principal MOV, EDI
754FCAA6 Main PUSH EBP
"754FCAA7 Main MOV EBP,ESP ;"
754FCAA9 Principal MOV EAX, DWORD PTR SS: [EBP + 8]
"754FCAAC Principal MOV ECX, DWORD PTR DS: [EAX];"
"754FCAAE Principal MOV EDX, DWORD PTR SS: [EBP + C];"
754FCAB1 Principal MOV DWORD PTR DS: [EDX], ECX
"754FCAB3 Principal MOV ECX, DWORD PTR DS: [EAX + 54];"
754FCAB6 Principal MOV DWORD PTR DS: [EDX + 54], ECX
"754FCAB9 Principal MOV ECX, DWORD PTR DS: [EAX + A8];"
754FCABF Principal MOV DWORD PTR DS: [EDX + A8], ECX
754FCAC5 Main PUSH ESI
754FCAC6 Main PUSH EDI
754FCAC7 Main PUSH 10
"754FCAC9 Main POP ECX;"
754FCACA Main PUSH 10
"754FCACC Main LEA ESI, DWORD PTR DS: [EAX + 4];"
"754FCACF Main LEA EDI, DWORD PTR DS: [EDX + 4];"
754FCAD2 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FCAD4 Main POP ECX;"
"754FCAD5 Principal LEA ESI, DWORD PTR DS: [EAX + 58];"
"754FCAD8 Principal LEA EDI, DWORD PTR DS: [EDX + 58];"
754FCADB Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
754FCADD Main MOV CX,WORD PTR DS:[EAX+44]
754FCAE1 Main MOV WORD PTR DS:[EDX+44],CX
"754FCAE5 Main MOV CX,WORD PTR DS:[EAX+46] ;"
754FCAE9 Main MOV WORD PTR DS:[EDX+46],CX
"754FCAED Main MOV CX,WORD PTR DS:[EAX+48] ;"
754FCAF1 Main MOV WORD PTR DS:[EDX+52],CX
"754FCAF5 Main MOV CX,WORD PTR DS:[EAX+4A] ;"
754FCAF9 Main MOV WORD PTR DS:[EDX+48],CX
"754FCAFD Main MOV CX,WORD PTR DS:[EAX+4C] ;"
754FCB01 Main MOV WORD PTR DS:[EDX+4A],CX
"754FCB05 Main MOV CX,WORD PTR DS:[EAX+4E] ;"
754FCB09 Main MOV WORD PTR DS:[EDX+4C],CX
754FCB0D Main MOV CX,WORD PTR DS:[EAX+50]
754FCB11 Main MOV WORD PTR DS:[EDX+4E],CX
"754FCB15 Main MOV CX,WORD PTR DS:[EAX+52] ;"
754FCB19 Main MOV WORD PTR DS:[EDX+50],CX
"754FCB1D Main MOV CX,WORD PTR DS:[EAX+98] ;"
754FCB24 Main MOV WORD PTR DS:[EDX+98],CX
"754FCB2B Main MOV CX,WORD PTR DS:[EAX+9A] ;"
754FCB32 Main MOV WORD PTR DS:[EDX+9A],CX
"754FCB39 Main MOV CX,WORD PTR DS:[EAX+9C] ;"
754FCB40 Main MOV WORD PTR DS:[EDX+A6],CX
"754FCB47 Main MOV CX,WORD PTR DS:[EAX+9E] ;"
754FCB4E Main MOV WORD PTR DS:[EDX+9C],CX
"754FCB55 Main MOV CX,WORD PTR DS:[EAX+A0] ;"
754FCB5C Main MOV WORD PTR DS:[EDX+9E],CX
"754FCB63 Main MOV CX,WORD PTR DS:[EAX+A2] ;"
754FCB6A Main MOV WORD PTR DS:[EDX+A0],CX
754FCB71 Main MOV CX,WORD PTR DS:[EAX+A4]
754FCB78 Main MOV WORD PTR DS:[EDX+A2],CX
"754FCB7F Main MOV CX,WORD PTR DS:[EAX+A6] ;"
754FCB86 Main PUSH 40
754FCB88 Main MOV WORD PTR DS:[EDX+A4],CX
"754FCB8F Main POP ECX;"
"754FCB90 Main LEA ESI, DWORD PTR DS: [EAX + AC];"
"754FCB96 Principal LEA EDI, DWORD PTR DS: [EDX + AC];"
754FCB9C Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
"754FCB9E Principal MOV AL, BYTE PTR DS: [EAX + 1AC];"
"754FCBA4 Main POP EDI;"
754FCBA5 Principal MOV BYTE PTR DS: [EDX + 1AC], AL
"754FCBAB Main POP ESI;"
"754FCBAC Main POP EBP;"
"754FCBAD Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
754EF25F Main PUSH EBP
"754EF260 Main MOV EBP,ESP ;"
754EF262 Main PUSH 0
754EF264 Main PUSH DWORD PTR SS: [EBP + 14]
754EF267 Main PUSH DWORD PTR SS: [EBP + 10]
754EF26A Main PUSH DWORD PTR SS: [EBP + C]
754EF26D Main PUSH DWORD PTR SS: [EBP + 8]
"754EF270 Main CALL KERNELBA.LoadStringBaseExW;"
"754EF275 Main POP EBP;"
"754EF276 Main RETN 10;"
754F818C Main PUSH EBP
"754F818D Main MOV EBP,ESP ;"
754F818F Main PUSH DWORD PTR SS: [EBP + 8]
754F8192 Main PUSH 1
754F8194 Main CALL DWORD PTR DS: [<& ntdll.RtlWow64EnableFs
754F819A TEST EAX principal, EAX
754F819C Principal JGE SHORT KERNELBA.754F81AA
"754F819E Main PUSH EAX;"
"754F819F Main CALL KERNELBA.754E6BA5;"
"754F81A4 Principal XOR EAX, EAX;"
"754F81A6 Main POP EBP;"
"754F81A7 Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
FormatMessageW MOV EDI,EDI
754EECA2 Main PUSH EBP
"754EECA3 Main MOV EBP,ESP ;"
754EECA5 Main PUSH DWORD PTR SS: [EBP + 20]
754EECA8 Main PUSH DWORD PTR SS: [EBP + 1C]
754EECAB Main PUSH DWORD PTR SS: [EBP + 18]
754EECAE Main PUSH DWORD PTR SS: [EBP + 14]
754EECB1 Main PUSH DWORD PTR SS: [EBP + 10]
754EECB4 Main PUSH DWORD PTR SS: [EBP + C]
754EECB7 Main PUSH DWORD PTR SS: [EBP + 8]
754EECBA Main PUSH 0
"754EECBC Main CALL KERNELBA.754EEACC;"
"754EECC1 Main POP EBP;"
"754EECC2 Main RETN 1C;"
"754E1818 Main POP EBP;"
"754E1819 Main RETN 4;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
75504E5F Main PUSH EBP
"75504E60 Main MOV EBP,ESP ;"
75504E62 Main PUSH 1
75504E64 Main PUSH DWORD PTR SS: [EBP + 10]
75504E67 Main PUSH DWORD PTR SS: [EBP + C]
75504E6A Main PUSH DWORD PTR SS: [EBP + 8]
"75504E6D Main CALL KERNELBA.754FC63A;"
"75504E72 Main POP EBP;"
"75504E73 Main RETN 0C;"
"KiFastSystemCallR> RETN;"
"774F658C 00000E80 RETN 8;"
754FFE14 EDI MOV principal, EDI
754FFE16 Main PUSH EBP
"754FFE17 Main MOV EBP,ESP ;"
754FFE19 Main PUSH ESI
"754FFE1A Principal MOV ESI, DWORD PTR SS: [EBP + 8];"
"754FFE1D Principal MOV ECX, DWORD PTR DS: [ESI];"
754FFE1F CMP principal ECX, 9
754FFE22 Main JA SHORT KERNELBA.754FFE71
754FFE24 Main CMP DWORD PTR DS: [ESI + 4], 1
754FFE28 Main JA SHORT KERNELBA.754FFE71
754FFE2A Main CMP DWORD PTR DS: [ESI + 8], 270F
754FFE31 Main JA SHORT KERNELBA.754FFE71
754FFE33 Main CMP DWORD PTR DS: [ESI + 14], 4
754FFE37 Main JA SHORT KERNELBA.754FFE71
"754FFE39 Principal MOV EAX, DWORD PTR DS: [ESI + C];"
754FFE3C TEST EAX principal, EAX
754FFE3E Principal JE SHORT KERNELBA.754FFE71
"754FFE40 Main XOR EDX, EDX;"
754FFE42 TEST PRINCIPAL ECX, ECX
754FFE44 Main SETNE DL
754FFE47 Main PUSH EDX
754FFE48 Main PUSH 4
754FFE4A Main PUSH EAX
"754FFE4B Main CALL KERNELBA.754FFE7A;"
754FFE50 TEST EAX principal, EAX
754FFE52 Principal JE SHORT KERNELBA.754FFE71
"754FFE54 Principal MOV ESI, DWORD PTR DS: [ESI + 10];"
754FFE57 TEST PRINCIPAL ESI, ESI
754FFE59 Principal JE SHORT KERNELBA.754FFE71
754FFE5B Main PUSH 0
754FFE5D Main PUSH 4
754FFE5F Main PUSH ESI
754FFE60 Main CALL KERNELBA.754FFE7A
754FFE65 TEST EAX principal, EAX
754FFE67 Principal JE SHORT KERNELBA.754FFE71
"754FFE69 Principal XOR EAX, EAX;"
"754FFE6B Main INC EAX;"
"754FFE6C Main POP ESI;"
"754FFE6D Main POP EBP;"
"754FFE6E Main RETN 4;"
"KiFastSystemCallR> RETN;"
[17:11:34] Thread 00000864 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
[17:11:35] Exceção 000006BA
754E845D 00000E14 LEAVE
"774F6BC9 00000E14 MOV ECX,DWORD PTR SS:[ESP+4] ;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000E14 RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000E14 RETN 8;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C Main RETN 8;"
[17:12:01] Thread 00000968 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
"KiFastSystemCallR> RETN;"
"774F658C 00000AD0 RETN 8;"
KiFastSystemCallR> DIR
"774F658C 00000AD0 RETN 8;"
KiFastSystemCallR> DIR
"774F658C 00000AD0 RETN 8;"
"KiFastSystemCallR> RETN;"
"774F658C 00000AD0 RETN 8;"
[17:12:47] Thread 00000DC0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:12:49] Thread 00000C04 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:13:03] Thread 0000007C encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:13:08] Thread 00000410 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:13:09] Thread 00000E80 encerrado, código de saída 0
[17:13:09] Thread 00000E14 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:13:09] Thread 00000344 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:13:09] Thread 00000AD0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:14:19] Thread 00000498 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:15:49] Thread 00000BB8 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:16:20] Thread 00000EB0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:17:19] Thread 00000D00 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:18:42] Thread 00000188 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:20:19] Thread 00000964 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:21:49] Thread 00000BB0 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:23:19] Thread 00000E74 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:24:49] Thread 000004E8 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:26:19] Thread 00000C5C encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:27:49] Thread 00000F44 encerrado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:29:19] Thread 00000930 encerrado, código de saída 0
[17:30:49] Thread 00000708 terminado, código de saída 0
"KiFastSystemCallR> RETN;"
[17:32:19] Thread 00000C00 terminou, código de saída 0
KiFastSystemCallR> DIR
Executar o traçado fechas

se usar qualquer programa de comparação vão ver que a linha 754E16A0 Main PUSH KERNELBA.755006BD e a linha que determina se o arquivo e verdadeiro ou não onde diz ( JMP) pular para não iguais

Ainda analisando em assembly foi possível ver um padrão no arquivo ntb onde por definição e ser um arquivo de calculo não existe um numero de Mac escondido dentro do arquivo NTB , pq o arquivo todo é o numero de Mac. ( como isso é possível? ) o numero de mac é usado como uma senha de ativação onde os 12 dígitos são gerados inúmeras vezes aleatoriamente e quando é realocado pelo programa tools é feita varias somas para a confirmação de validação do arquivo .

Utilizando Linguagem de alto nível em editor de cod fonte dnSpy ( lembando que toda a extensão dos três arquivos em base de 32bits ) então vc deve usar um sistema operacional de 86x.

Eu pude constatar que arquivo NTB tem a crytp M5 Exatamente a mesma que o ios usa podem baixar qualquer firmware do ios que verão ser a mesma cryt (M5)

apos a analise total dos arquivos ficou claro que o BOOT é o arquivo funcional - o TOOLS é o programa de ativação e relocação - o NTB é a chave de autentificação .

e chave é gerada por um software de crypt M5 ( ios )

( Lembrando que NTB é uma extensão criada pela HP a qual é utilizada para a atualização de firmwares remotamente )

( isso pode dizer que desenvolvedor pode ter um servidor que gera este arquivo e se esta for a forma utilizada mesmo que se gere um arquivo exato pode não ativar devido a não ter se gerado ao servido )

e ainda tem a possibilidade de o desenvolvedor simplesmente desligar a maquina .

Click to expand...

this software generates a firmware but it does not work, since it lacks a key in it that I have no idea whatsoever.
na caixa de assinatura bk


this software generates a firmware but it does not work, since it lacks a key in it that I have no idea whatsoever.
in the bk-signature box

============================================================