7C93238E 897E 38 mov [esi+38], edi
7C932391 897E 28 mov [esi+28], edi
7C932394 897E 2C mov [esi+2C], edi
7C932397 ^ E9 51F2FFFF jmp 7C9315ED
7C93239C 90 nop
7C93239D 90 nop
7C93239E 90 nop
7C93239F 90 nop
7C9323A0 90 nop
; ---------------------------------------------------------------------
; Internal helper at 7C9323A1 (the listing shows no symbol for it).
; In:   eax      = pointer to a 64-bit value, read as [eax] (low) and [eax+4] (high)
;       [ebp+8]  = out pointer, receives the quotient of the second divide
;       [ebp+C]  = out pointer, receives what is left after removing that quotient
; Callee pops 8 bytes of stack arguments (retn 8); eax is an extra register argument.
; Both divides go through RtlExtendedMagicDivide with 64-bit constants stored
; directly after this routine, at 7C9323F8 and 7C932400.
; NOTE(review): the trailing "; ntdll.ZwTerminateProcess", "; msvcrt.77C31AE8" and
; "; RPCRT4.77E8F3B0" annotations appear to be the debugger's view of register
; contents when the dump was taken, not operands of these instructions.
; ---------------------------------------------------------------------
7C9323A1 8BFF mov edi, edi
7C9323A3 55 push ebp
7C9323A4 8BEC mov ebp, esp
7C9323A6 51 push ecx
7C9323A7 51 push ecx
7C9323A8 56 push esi ; ntdll.ZwTerminateProcess
; first divide: shift 0x0D, constant from 7C9323F8/7C9323FC, dividend = *eax
; (this constant/shift pair matches the one commonly documented for dividing by
;  10,000, i.e. 100 ns ticks -> milliseconds - confirm)
7C9323A9 6A 0D push 0D
7C9323AB FF35 FC23937C push dword ptr [7C9323FC]
7C9323B1 FF35 F823937C push dword ptr [7C9323F8]
7C9323B7 FF70 04 push dword ptr [eax+4]
7C9323BA FF30 push dword ptr [eax]
7C9323BC E8 C611FFFF call RtlExtendedMagicDivide
; second divide: shift 0x1A, constant from 7C932400/7C932404, dividend = edx:eax
; of the first result; esi keeps the low dword of the first quotient
7C9323C1 6A 1A push 1A
7C9323C3 FF35 0424937C push dword ptr [7C932404]
7C9323C9 8BF0 mov esi, eax
7C9323CB FF35 0024937C push dword ptr [7C932400]
7C9323D1 52 push edx ; msvcrt.77C31AE8
7C9323D2 56 push esi ; ntdll.ZwTerminateProcess
7C9323D3 E8 AF11FFFF call RtlExtendedMagicDivide
; *arg1 = quotient; 0x5265C00 = 86,400,000 (milliseconds per day, if the first
; divide indeed yields milliseconds), so esi becomes the remainder within the day
7C9323D8 8B4D 08 mov ecx, [ebp+8]
7C9323DB 8901 mov [ecx], eax
7C9323DD 69C0 005C2605 imul eax, eax, 5265C00
7C9323E3 2BF0 sub esi, eax
7C9323E5 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C9323E8 8930 mov [eax], esi ; ntdll.ZwTerminateProcess
; high dword of the second result is parked in a local that is not read again here
7C9323EA 8955 FC mov [ebp-4], edx ; msvcrt.77C31AE8
7C9323ED 5E pop esi ; ntdll.7C92E89A
7C9323EE C9 leave
7C9323EF C2 0800 retn 8
7C9323F2 90 nop
7C9323F3 90 nop
7C9323F4 90 nop
7C9323F5 90 nop
7C9323F6 90 nop
7C9323F7 90 nop
; ---- data, not code: 16 bytes at 7C9323F8..7C932407 ----
; These are the two 64-bit constants that the routine at 7C9323A1 pushes for
; RtlExtendedMagicDivide; the mnemonics below are the disassembler decoding data
; bytes as if they were instructions. Read as little-endian dwords:
;   7C9323F8 = E219652C, 7C9323FC = D1B71758   (pushed together with shift 0x0D)
;   7C932400 = FA67B90E, 7C932404 = C6D750EB   (pushed together with shift 0x1A)
7C9323F8 2C 65 sub al, 65
7C9323FA 19E2 sbb edx, esp
7C9323FC 58 pop eax ; ntdll.7C92E89A
7C9323FD 17 pop ss
7C9323FE B7 D1 mov bh, 0D1
7C932400 0E push cs
7C932401 B9 67FAEB50 mov ecx, 50EBFA67
7C932406 D7 xlat byte ptr [ebx+al]
7C932407 C6 ??? ; unknown command
7C932408 90 nop
7C932409 90 nop
7C93240A 90 nop
7C93240B 90 nop
7C93240C 90 nop
; ---------------------------------------------------------------------
; Routine at 7C93240D: converts a 64-bit time value into eight 16-bit fields.
; NOTE(review): the field layout written below (year, month, day, hour, minute,
; second, milliseconds, weekday at +0..+E) matches TIME_FIELDS, so this is
; presumably RtlTimeToTimeFields - the listing itself shows no symbol; confirm.
; In:   [ebp+8] = pointer to the 64-bit time, [ebp+C] = pointer to the output fields
; Callee pops 8 bytes (retn 8). The [ebp+8] and [ebp+C] slots are reused as scratch.
; ---------------------------------------------------------------------
7C93240D > 8BFF mov edi, edi
7C93240F 55 push ebp
7C932410 8BEC mov ebp, esp
7C932412 51 push ecx
7C932413 53 push ebx
7C932414 56 push esi ; ntdll.ZwTerminateProcess
7C932415 57 push edi
; helper 7C9323A1(eax = time pointer, out1 = &[ebp+8], out2 = &[ebp-4]):
; afterwards [ebp+8] = whole days and [ebp-4] = remainder within the day
7C932416 8D45 FC lea eax, [ebp-4]
7C932419 50 push eax
7C93241A 8D45 08 lea eax, [ebp+8]
7C93241D 50 push eax
7C93241E 8B45 08 mov eax, [ebp+8]
7C932421 E8 7BFFFFFF call 7C9323A1
; field +E = (days + 1) mod 7
7C932426 8B4D 08 mov ecx, [ebp+8]
7C932429 6A 07 push 7
7C93242B 5E pop esi ; ntdll.7C92E89A
7C93242C 8D41 01 lea eax, [ecx+1]
7C93242F 33D2 xor edx, edx ; msvcrt.77C31AE8
7C932431 F7F6 div esi ; ntdll.ZwTerminateProcess
7C932433 8B75 0C mov esi, [ebp+C] ; RPCRT4.77E8F3B0
7C932436 51 push ecx
7C932437 66:8956 0E mov [esi+E], dx
; 7C932675(days) -> eax = whole years elapsed; kept in ecx
7C93243B E8 35020000 call 7C932675
7C932440 8BC8 mov ecx, eax
; edi = days - 365*years - years/4 + years/100 - years/400  (day within the year)
; 0x190 = 400, -0x16D = -365, 0x64 = 100
7C932442 33D2 xor edx, edx ; msvcrt.77C31AE8
7C932444 BF 90010000 mov edi, 190
7C932449 F7F7 div edi
7C93244B 8BF9 mov edi, ecx
7C93244D 69FF 93FEFFFF imul edi, edi, -16D
7C932453 33D2 xor edx, edx ; msvcrt.77C31AE8
7C932455 6A 64 push 64
7C932457 5B pop ebx ; ntdll.7C92E89A
7C932458 2BF8 sub edi, eax
7C93245A 8BC1 mov eax, ecx
7C93245C C1E8 02 shr eax, 2
7C93245F 2BF8 sub edi, eax
7C932461 8BC1 mov eax, ecx
7C932463 F7F3 div ebx
7C932465 33D2 xor edx, edx ; msvcrt.77C31AE8
7C932467 BB 90010000 mov ebx, 190
7C93246C 0345 08 add eax, [ebp+8]
7C93246F 03F8 add edi, eax
; leap test on (years + 1): divisible by 400 -> 7C932497; else divisible by 100
; or not divisible by 4 -> 7C9348D0 (other path, outside this listing)
7C932471 8D41 01 lea eax, [ecx+1]
7C932474 F7F3 div ebx
7C932476 85D2 test edx, edx ; msvcrt.77C31AE8
7C932478 74 1D je short 7C932497
7C93247A 6A 64 push 64
7C93247C 33D2 xor edx, edx ; msvcrt.77C31AE8
7C93247E 8D41 01 lea eax, [ecx+1]
7C932481 5B pop ebx ; ntdll.7C92E89A
7C932482 F7F3 div ebx
7C932484 85D2 test edx, edx ; msvcrt.77C31AE8
7C932486 0F84 44240000 je 7C9348D0
7C93248C 8D41 01 lea eax, [ecx+1]
7C93248F A8 03 test al, 3
7C932491 0F85 39240000 jnz 7C9348D0
; 7C932497: month index = byte table at 7C932500 indexed by day-of-year, then
; subtract the 16-bit entry for that month from the word table at 7C9326F0.
; Both tables appear further down in the dump, decoded as bogus instructions.
; No explicit bounds check on edi here; it relies on the arithmetic above.
7C932497 0FB687 0025937C movzx eax, byte ptr [edi+7C932500]
7C93249E 8945 08 mov [ebp+8], eax
7C9324A1 0FBF0445 F02693>movsx eax, word ptr [eax*2+7C9326F0]
7C9324A9 2BF8 sub edi, eax
; split the within-day remainder: /1000 (0x3E8), then /60 (0x3C) twice
7C9324AB 8B45 FC mov eax, [ebp-4]
7C9324AE 33D2 xor edx, edx ; msvcrt.77C31AE8
7C9324B0 BB E8030000 mov ebx, 3E8
7C9324B5 F7F3 div ebx
7C9324B7 6A 3C push 3C
7C9324B9 5B pop ebx ; ntdll.7C92E89A
; field +0 = years + 0x641 (1601)
7C9324BA 81C1 41060000 add ecx, 641
7C9324C0 66:890E mov [esi], cx
7C9324C3 8B4D 08 mov ecx, [ebp+8]
7C9324C6 6A 3C push 3C
; remainder of the /1000 step is parked in the [ebp+C] slot
7C9324C8 8955 0C mov [ebp+C], edx ; msvcrt.77C31AE8
7C9324CB 33D2 xor edx, edx ; msvcrt.77C31AE8
7C9324CD F7F3 div ebx
; field +2 = month index + 1, field +4 = day-in-month + 1
7C9324CF 41 inc ecx
7C9324D0 66:894E 02 mov [esi+2], cx
7C9324D4 59 pop ecx ; ntdll.7C92E89A
7C9324D5 47 inc edi
7C9324D6 66:897E 04 mov [esi+4], di
7C9324DA 5F pop edi ; ntdll.7C92E89A
; ebx = remainder of first /60; second /60 gives eax (-> +6) and edx (-> +8)
7C9324DB 8BDA mov ebx, edx ; msvcrt.77C31AE8
7C9324DD 33D2 xor edx, edx ; msvcrt.77C31AE8
7C9324DF F7F1 div ecx
7C9324E1 66:895E 0A mov [esi+A], bx
7C9324E5 66:8946 06 mov [esi+6], ax
7C9324E9 66:8B45 0C mov ax, [ebp+C]
7C9324ED 66:8956 08 mov [esi+8], dx
7C9324F1 66:8946 0C mov [esi+C], ax
7C9324F5 5E pop esi ; ntdll.7C92E89A
7C9324F6 5B pop ebx ; ntdll.7C92E89A
7C9324F7 C9 leave
7C9324F8 C2 0800 retn 8
7C9324FB 90 nop
7C9324FC 90 nop
7C9324FD 90 nop
7C9324FE 90 nop
7C9324FF 90 nop
7C932500 0000 add [eax], al
7C932502 0000 add [eax], al
7C932504 0000 add [eax], al
7C932506 0000 add [eax], al
7C932508 0000 add [eax], al
7C93250A 0000 add [eax], al
7C93250C 0000 add [eax], al
7C93250E 0000 add [eax], al
7C932510 0000 add [eax], al
7C932512 0000 add [eax], al
7C932514 0000 add [eax], al
7C932516 0000 add [eax], al
7C932518 0000 add [eax], al
7C93251A 0000 add [eax], al
7C93251C 0000 add [eax], al
7C93251E 0001 add [ecx], al
7C932520 0101 add [ecx], eax
7C932522 0101 add [ecx], eax
7C932524 0101 add [ecx], eax
7C932526 0101 add [ecx], eax
7C932528 0101 add [ecx], eax
7C93252A 0101 add [ecx], eax
7C93252C 0101 add [ecx], eax
7C93252E 0101 add [ecx], eax
7C932530 0101 add [ecx], eax
7C932532 0101 add [ecx], eax
7C932534 0101 add [ecx], eax
7C932536 0101 add [ecx], eax
7C932538 0101 add [ecx], eax
7C93253A 0101 add [ecx], eax
7C93253C 0202 add al, [edx]
7C93253E 0202 add al, [edx]
7C932540 0202 add al, [edx]
7C932542 0202 add al, [edx]
7C932544 0202 add al, [edx]
7C932546 0202 add al, [edx]
7C932548 0202 add al, [edx]
7C93254A 0202 add al, [edx]
7C93254C 0202 add al, [edx]
7C93254E 0202 add al, [edx]
7C932550 0202 add al, [edx]
7C932552 0202 add al, [edx]
7C932554 0202 add al, [edx]
7C932556 0202 add al, [edx]
7C932558 0202 add al, [edx]
7C93255A 0203 add al, [ebx]
7C93255C 0303 add eax, [ebx]
7C93255E 0303 add eax, [ebx]
7C932560 0303 add eax, [ebx]
7C932562 0303 add eax, [ebx]
7C932564 0303 add eax, [ebx]
7C932566 0303 add eax, [ebx]
7C932568 0303 add eax, [ebx]
7C93256A 0303 add eax, [ebx]
7C93256C 0303 add eax, [ebx]
7C93256E 0303 add eax, [ebx]
7C932570 0303 add eax, [ebx]
7C932572 0303 add eax, [ebx]
7C932574 0303 add eax, [ebx]
7C932576 0303 add eax, [ebx]
7C932578 030404 add eax, [esp+eax]
7C93257B 04 04 add al, 4
7C93257D 04 04 add al, 4
7C93257F 04 04 add al, 4
7C932581 04 04 add al, 4
7C932583 04 04 add al, 4
7C932585 04 04 add al, 4
7C932587 04 04 add al, 4
7C932589 04 04 add al, 4
7C93258B 04 04 add al, 4
7C93258D 04 04 add al, 4
7C93258F 04 04 add al, 4
7C932591 04 04 add al, 4
7C932593 04 04 add al, 4
7C932595 04 04 add al, 4
7C932597 04 05 add al, 5
7C932599 05 05050505 add eax, 5050505
7C93259E 05 05050505 add eax, 5050505
7C9325A3 05 05050505 add eax, 5050505
7C9325A8 05 05050505 add eax, 5050505
7C9325AD 05 05050505 add eax, 5050505
7C9325B2 05 05050506 add eax, 6050505
7C9325B7 06 push es
7C9325B8 06 push es
7C9325B9 06 push es
7C9325BA 06 push es
7C9325BB 06 push es
7C9325BC 06 push es
7C9325BD 06 push es
7C9325BE 06 push es
7C9325BF 06 push es
7C9325C0 06 push es
7C9325C1 06 push es
7C9325C2 06 push es
7C9325C3 06 push es
7C9325C4 06 push es
7C9325C5 06 push es
7C9325C6 06 push es
7C9325C7 06 push es
7C9325C8 06 push es
7C9325C9 06 push es
7C9325CA 06 push es
7C9325CB 06 push es
7C9325CC 06 push es
7C9325CD 06 push es
7C9325CE 06 push es
7C9325CF 06 push es
7C9325D0 06 push es
7C9325D1 06 push es
7C9325D2 06 push es
7C9325D3 06 push es
7C9325D4 06 push es
7C9325D5 07 pop es
7C9325D6 07 pop es
7C9325D7 07 pop es
7C9325D8 07 pop es
7C9325D9 07 pop es
7C9325DA 07 pop es
7C9325DB 07 pop es
7C9325DC 07 pop es
7C9325DD 07 pop es
7C9325DE 07 pop es
7C9325DF 07 pop es
7C9325E0 07 pop es
7C9325E1 07 pop es
7C9325E2 07 pop es
7C9325E3 07 pop es
7C9325E4 07 pop es
7C9325E5 07 pop es
7C9325E6 07 pop es
7C9325E7 07 pop es
7C9325E8 07 pop es
7C9325E9 07 pop es
7C9325EA 07 pop es
7C9325EB 07 pop es
7C9325EC 07 pop es
7C9325ED 07 pop es
7C9325EE 07 pop es
7C9325EF 07 pop es
7C9325F0 07 pop es
7C9325F1 07 pop es
7C9325F2 07 pop es
7C9325F3 07 pop es
7C9325F4 0808 or [eax], cl
7C9325F6 0808 or [eax], cl
7C9325F8 0808 or [eax], cl
7C9325FA 0808 or [eax], cl
7C9325FC 0808 or [eax], cl
7C9325FE 0808 or [eax], cl
7C932600 0808 or [eax], cl
7C932602 0808 or [eax], cl
7C932604 0808 or [eax], cl
7C932606 0808 or [eax], cl
7C932608 0808 or [eax], cl
7C93260A 0808 or [eax], cl
7C93260C 0808 or [eax], cl
7C93260E 0808 or [eax], cl
7C932610 0808 or [eax], cl
7C932612 0909 or [ecx], ecx
7C932614 0909 or [ecx], ecx
7C932616 0909 or [ecx], ecx
7C932618 0909 or [ecx], ecx
7C93261A 0909 or [ecx], ecx
7C93261C 0909 or [ecx], ecx
7C93261E 0909 or [ecx], ecx
7C932620 0909 or [ecx], ecx
7C932622 0909 or [ecx], ecx
7C932624 0909 or [ecx], ecx
7C932626 0909 or [ecx], ecx
7C932628 0909 or [ecx], ecx
7C93262A 0909 or [ecx], ecx
7C93262C 0909 or [ecx], ecx
7C93262E 0909 or [ecx], ecx
7C932630 090A or [edx], ecx
7C932632 0A0A or cl, [edx]
7C932634 0A0A or cl, [edx]
7C932636 0A0A or cl, [edx]
7C932638 0A0A or cl, [edx]
7C93263A 0A0A or cl, [edx]
7C93263C 0A0A or cl, [edx]
7C93263E 0A0A or cl, [edx]
7C932640 0A0A or cl, [edx]
7C932642 0A0A or cl, [edx]
7C932644 0A0A or cl, [edx]
7C932646 0A0A or cl, [edx]
7C932648 0A0A or cl, [edx]
7C93264A 0A0A or cl, [edx]
7C93264C 0A0A or cl, [edx]
7C93264E 0A0B or cl, [ebx]
7C932650 0B0B or ecx, [ebx]
7C932652 0B0B or ecx, [ebx]
7C932654 0B0B or ecx, [ebx]
7C932656 0B0B or ecx, [ebx]
7C932658 0B0B or ecx, [ebx]
7C93265A 0B0B or ecx, [ebx]
7C93265C 0B0B or ecx, [ebx]
7C93265E 0B0B or ecx, [ebx]
7C932660 0B0B or ecx, [ebx]
7C932662 0B0B or ecx, [ebx]
7C932664 0B0B or ecx, [ebx]
7C932666 0B0B or ecx, [ebx]
7C932668 0B0B or ecx, [ebx]
7C93266A 0B0B or ecx, [ebx]
7C93266C 0B0B or ecx, [ebx]
7C93266E 0000 add [eax], al
7C932670 90 nop
7C932671 90 nop
7C932672 90 nop
7C932673 90 nop
7C932674 90 nop
; ---------------------------------------------------------------------
; Routine at 7C932675: one stack argument (a day count), result in eax, retn 4.
; Peels the count apart with Gregorian-calendar constants and returns
;   eax = n1 + 4*n4 + 100*n100 + 400*n400
; i.e. a number of whole years. Constants used:
;   0x23AB1  = 146097  (days in 400 years)     FFFDC54F = -146097
;   0x37BB49 = 3652425 (100 * 36524.25)        FFFF7154 = -36524
;   0x5B5    = 1461    (days in 4 years)       0x8EAD   = 36525
;   0x64 = 100, 0x4B = 75, 0x19 = 25
; ---------------------------------------------------------------------
7C932675 8BFF mov edi, edi
7C932677 55 push ebp
7C932678 8BEC mov ebp, esp
7C93267A 8B4D 08 mov ecx, [ebp+8]
7C93267D 53 push ebx
7C93267E 33D2 xor edx, edx ; msvcrt.77C31AE8
7C932680 56 push esi ; ntdll.ZwTerminateProcess
; n400 = days / 146097, kept in esi; ecx = days left in that 400-year block
7C932681 8BC1 mov eax, ecx
7C932683 BE B13A0200 mov esi, 23AB1
7C932688 F7F6 div esi ; ntdll.ZwTerminateProcess
7C93268A 33D2 xor edx, edx ; msvcrt.77C31AE8
7C93268C 57 push edi
7C93268D BF 49BB3700 mov edi, 37BB49
7C932692 BB B5050000 mov ebx, 5B5
7C932697 8BF0 mov esi, eax
7C932699 69C0 4FC5FDFF imul eax, eax, FFFDC54F
7C93269F 03C8 add ecx, eax
; n100 = (ecx*100 + 75) / 3652425, kept in edi; ecx = days left in that century
7C9326A1 8BC1 mov eax, ecx
7C9326A3 6BC0 64 imul eax, eax, 64
7C9326A6 83C0 4B add eax, 4B
7C9326A9 F7F7 div edi
7C9326AB 33D2 xor edx, edx ; msvcrt.77C31AE8
7C9326AD 8BF8 mov edi, eax
7C9326AF 69C0 5471FFFF imul eax, eax, FFFF7154
7C9326B5 03C8 add ecx, eax
; n4 = ecx / 1461, kept in ebx
7C9326B7 8BC1 mov eax, ecx
7C9326B9 F7F3 div ebx
7C9326BB 8BD8 mov ebx, eax
7C9326BD 8BD3 mov edx, ebx
7C9326BF 69D2 B5050000 imul edx, edx, 5B5 ; msvcrt.77C31AE8
; n1 = ((ecx - n4*1461)*100 + 75) / 36525, left in eax
7C9326C5 8BC1 mov eax, ecx
7C9326C7 2BC2 sub eax, edx ; msvcrt.77C31AE8
7C9326C9 6BC0 64 imul eax, eax, 64
7C9326CC 83C0 4B add eax, 4B
7C9326CF 33D2 xor edx, edx ; msvcrt.77C31AE8
7C9326D1 B9 AD8E0000 mov ecx, 8EAD
7C9326D6 F7F1 div ecx
; combine: ecx = (n100 + 4*n400)*25 + n4, result = n1 + 4*ecx
7C9326D8 8D0CB7 lea ecx, [edi+esi*4]
7C9326DB 6BC9 19 imul ecx, ecx, 19
7C9326DE 5F pop edi ; ntdll.7C92E89A
7C9326DF 03CB add ecx, ebx
7C9326E1 5E pop esi ; ntdll.7C92E89A
7C9326E2 5B pop ebx ; ntdll.7C92E89A
7C9326E3 8D0488 lea eax, [eax+ecx*4]
7C9326E6 5D pop ebp ; ntdll.7C92E89A
7C9326E7 C2 0400 retn 4
7C9326EA 90 nop
7C9326EB 90 nop
7C9326EC 90 nop
7C9326ED 90 nop
7C9326EE 90 nop
7C9326EF 90 nop
; ---- data, not code: 16-bit table at 7C9326F0 ----
; Read by "movsx eax, word ptr [eax*2+7C9326F0]" at 7C9324A1. The mnemonics
; below are the disassembler decoding table bytes. As little-endian words:
;   0000 001F 003C 005B 0079 0098 00B6 00D5 00F4 0112 0131 014F 016E 0000
;   (0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366, 0)
; The bytes 90 90 90 90 90 at 7C93270C..7C932710 are nop padding that got folded
; into the last bogus instruction; real code resumes at 7C932711.
7C9326F0 0000 add [eax], al
7C9326F2 1F pop ds
7C9326F3 003C00 add [eax+eax], bh
7C9326F6 5B pop ebx ; ntdll.7C92E89A
7C9326F7 0079 00 add [ecx], bh
7C9326FA 98 cwde
7C9326FB 00B6 00D500F4 add [esi+F400D500], dh
7C932701 0012 add [edx], dl
7C932703 0131 add [ecx], esi ; ntdll.ZwTerminateProcess
7C932705 014F 01 add [edi+1], ecx
7C932708 6E outs dx, byte ptr es:[edi]
7C932709 0100 add [eax], eax
7C93270B 0090 90909090 add [eax+90909090], dl
; ---------------------------------------------------------------------
; Compare helper at 7C932711, three stack arguments, retn 0C.
; Called from the directory search in the routine entered at 7C932788.
; In:   [ebp+8]  = value being searched for
;       [ebp+C]  = not read on the path shown here
;       [ebp+10] = pointer to a directory entry; its first dword is compared
; Out:  eax = [ebp+8] - [entry] on the fast path below
; Fast path only: searched value fits in 16 bits AND the entry's first dword has
; its top bit clear. Either other case leaves via 7C94B212 / 7C94B252, which are
; outside this listing (presumably the string-name comparison - confirm).
; ---------------------------------------------------------------------
7C932711 8BFF mov edi, edi
7C932713 55 push ebp
7C932714 8BEC mov ebp, esp
7C932716 8B45 10 mov eax, [ebp+10]
7C932719 53 push ebx
7C93271A 8B5D 08 mov ebx, [ebp+8]
; any bit set in the upper 16 bits -> not a small integer id
7C93271D F7C3 0000FFFF test ebx, FFFF0000
7C932723 56 push esi ; ntdll.ZwTerminateProcess
7C932724 57 push edi
7C932725 0F85 E78A0100 jnz 7C94B212
; top bit of the entry's first dword set -> other path
7C93272B 8B08 mov ecx, [eax]
7C93272D 85C9 test ecx, ecx
7C93272F 0F88 1D8B0100 js 7C94B252
; result: 0 = equal, sign tells the caller which half to continue in
7C932735 8BC3 mov eax, ebx
7C932737 2BC1 sub eax, ecx
7C932739 5F pop edi ; ntdll.7C92E89A
7C93273A 5E pop esi ; ntdll.7C92E89A
7C93273B 5B pop ebx ; ntdll.7C92E89A
7C93273C 5D pop ebp ; ntdll.7C92E89A
7C93273D C2 0C00 retn 0C
; ---- out-of-line chunk of the routine entered at 7C932788 (uses its ebp frame) ----
; 7C932740 is reached from "je 7C932740" at 7C932870, when the halved entry count
; is zero: at most one entry is left to compare.
7C932740 66:85DB test bx, bx
7C932743 74 2C je short 7C932771
; compare helper 7C932711(*path element, [ebp-54], entry at esi); result -> [ebp-7C]
7C932745 56 push esi ; ntdll.ZwTerminateProcess
7C932746 8B5D AC mov ebx, [ebp-54]
7C932749 53 push ebx
7C93274A 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C93274D FF30 push dword ptr [eax]
7C93274F E8 BDFFFFFF call 7C932711
7C932754 8945 84 mov [ebp-7C], eax
7C932757 85C0 test eax, eax
7C932759 75 16 jnz short 7C932771
; match: second dword of the entry. Top bit clear -> 7C932AF0; top bit set ->
; strip it and add the value in [ebp-54] to get the next directory, kept in [ebp-4C].
; NOTE(review): no comparison of this offset against a size is visible here.
7C93275B 8B76 04 mov esi, [esi+4]
7C93275E 85F6 test esi, esi ; ntdll.ZwTerminateProcess
7C932760 0F89 8A030000 jns 7C932AF0
7C932766 81E6 FFFFFF7F and esi, 7FFFFFFF
7C93276C 03F3 add esi, ebx
7C93276E 8975 B4 mov [ebp-4C], esi ; ntdll.ZwTerminateProcess
; 7C932771: advance the path pointer by one dword, reload the loop registers from
; the frame, and go back to the loop head at 7C9327E0
7C932771 8345 0C 04 add dword ptr [ebp+C], 4
7C932775 8B75 A4 mov esi, [ebp-5C]
7C932778 8B45 B4 mov eax, [ebp-4C]
7C93277B 8A5D D3 mov bl, [ebp-2D]
7C93277E 8B4D E4 mov ecx, [ebp-1C]
7C932781 EB 5D jmp short 7C9327E0
7C932783 90 nop
7C932784 90 nop
7C932785 90 nop
7C932786 90 nop
7C932787 90 nop
; ---------------------------------------------------------------------
; Routine entered at 7C932788: walks the PE resource directory of an image along
; a path of ids. Five stack arguments, retn 14.
;   [ebp+8]  = image base          [ebp+C]  = pointer to the array of path elements
;   [ebp+10] = number of elements  [ebp+14] = flag bits (bits 2 and 4 are tested)
;   [ebp+18] = out pointer, receives the entry found
; Returns a status in eax taken from [ebp-34].
; NOTE(review): presumably the loader's internal resource search behind
; LdrFindResource_U - no symbol is shown for it; confirm.
; The opening "push size / push table / call 7C92EDC2" looks like a compiler SEH
; prolog helper: 0xA0 bytes of locals and a scope table at 7C9328C0, which sits in
; the middle of this body and is decoded below as bogus instructions.
; The body is split into several chunks; many branches leave this listing.
; NOTE(review): offsets read from directory entries are added to the directory
; base without a visible size comparison; the scope table's filter at 7C932A8E
; turns a fault inside the guarded region into the returned status.
; ---------------------------------------------------------------------
7C932788 68 A0000000 push 0A0
7C93278D 68 C028937C push 7C9328C0
7C932792 E8 2BC6FFFF call 7C92EDC2
; keep the original path pointer and element count; clear the flag byte [ebp-2D]
7C932797 8B7D 0C mov edi, [ebp+C] ; RPCRT4.77E8F3B0
7C93279A 897D 9C mov [ebp-64], edi
7C93279D 8B45 10 mov eax, [ebp+10]
7C9327A0 8945 94 mov [ebp-6C], eax
7C9327A3 32DB xor bl, bl
7C9327A5 885D D3 mov [ebp-2D], bl
; [ebp-4] = 0: presumably the SEH try-level slot, entering the guarded region
7C9327A8 8365 FC 00 and dword ptr [ebp-4], 0
; RtlImageDirectoryEntryToData(base, 1, 2, &[ebp-2C]); data directory index 2 is
; the resource directory. Result kept in [ebp-54]; null leaves via 7C94B1E0.
7C9327AC 8D45 D4 lea eax, [ebp-2C]
7C9327AF 50 push eax
7C9327B0 6A 02 push 2
7C9327B2 6A 01 push 1
7C9327B4 FF75 08 push dword ptr [ebp+8]
7C9327B7 E8 9AE0FFFF call RtlImageDirectoryEntryToData
7C9327BC 8945 AC mov [ebp-54], eax
7C9327BF 85C0 test eax, eax
7C9327C1 0F84 198A0100 je 7C94B1E0
; current directory [ebp-4C] = root; [ebp-1C] = 0xFFFF; remaining state zeroed
7C9327C7 8B45 AC mov eax, [ebp-54]
7C9327CA 8945 B4 mov [ebp-4C], eax
7C9327CD B9 FFFF0000 mov ecx, 0FFFF
7C9327D2 894D E4 mov [ebp-1C], ecx
7C9327D5 33F6 xor esi, esi ; ntdll.ZwTerminateProcess
7C9327D7 8975 C4 mov [ebp-3C], esi ; ntdll.ZwTerminateProcess
7C9327DA 8975 A4 mov [ebp-5C], esi ; ntdll.ZwTerminateProcess
7C9327DD 2175 A8 and [ebp-58], esi ; ntdll.ZwTerminateProcess
; ---- loop head 7C9327E0: eax = current directory; null ends the walk ----
7C9327E0 85C0 test eax, eax
7C9327E2 0F84 04010000 je 7C9328EC
; consume one path element; a count that was already zero leaves via 7C94A981
7C9327E8 8B55 10 mov edx, [ebp+10]
7C9327EB FF4D 10 dec dword ptr [ebp+10]
7C9327EE 85D2 test edx, edx ; msvcrt.77C31AE8
7C9327F0 0F84 8B810100 je 7C94A981
; last element -> 7C93293A (bottom of this block) before continuing at 7C932800
7C9327F6 837D 10 00 cmp dword ptr [ebp+10], 0
7C9327FA 0F84 3A010000 je 7C93293A
; [ebp-58] non-zero -> candidate selection chunk at 7C932AFA
7C932800 837D A8 00 cmp dword ptr [ebp-58], 0
7C932804 0F85 F0020000 jnz 7C932AFA
7C93280A 8A5D D3 mov bl, [ebp-2D]
; 7C93280D: [ebp-50] = word at directory+C, esi = first entry at directory+10
7C93280D 66:8B50 0C mov dx, [eax+C]
7C932811 66:8955 B0 mov [ebp-50], dx
7C932815 8D70 10 lea esi, [eax+10]
7C932818 8975 90 mov [ebp-70], esi ; ntdll.ZwTerminateProcess
; path element has a zero upper word: skip [ebp-50] entries of 8 bytes each and
; take the count from the word at directory+E instead
7C93281B 8B55 0C mov edx, [ebp+C] ; RPCRT4.77E8F3B0
7C93281E 66:F742 02 FFFF test word ptr [edx+2], 0FFFF
7C932824 75 11 jnz short 7C932837
7C932826 0FB755 B0 movzx edx, word ptr [ebp-50]
7C93282A 8D34D6 lea esi, [esi+edx*8]
7C93282D 8975 90 mov [ebp-70], esi ; ntdll.ZwTerminateProcess
7C932830 0FB740 0E movzx eax, word ptr [eax+E]
7C932834 8945 B0 mov [ebp-50], eax
; zero entries to search -> 7C94BB16 (outside this listing)
7C932837 33C0 xor eax, eax
7C932839 66:3945 B0 cmp [ebp-50], ax
7C93283D 0F84 D3920100 je 7C94BB16
7C932843 3945 A8 cmp [ebp-58], eax
7C932846 0F85 80000000 jnz 7C9328CC
; ---- binary search over 8-byte entries: esi = low, [ebp-74] = last entry ----
7C93284C 8945 B4 mov [ebp-4C], eax
7C93284F 8B5D B0 mov ebx, [ebp-50] ; ntdll.7C92EE18
7C932852 0FB7C3 movzx eax, bx
7C932855 8D44C6 F8 lea eax, [esi+eax*8-8]
7C932859 8945 8C mov [ebp-74], eax
; low > last: nothing found at this level, move on at 7C932771
7C93285C 3B75 8C cmp esi, [ebp-74]
7C93285F ^ 0F87 0CFFFFFF ja 7C932771
; half = count >> 1; zero -> single-entry compare at 7C932740
7C932865 0FB7C3 movzx eax, bx
7C932868 D1E8 shr eax, 1
7C93286A 8945 98 mov [ebp-68], eax
7C93286D 66:85C0 test ax, ax
7C932870 ^ 0F84 CAFEFFFF je 7C932740
; [ebp-35] = count & 1; probe entry = low + half*8, or one entry lower if even
7C932876 8975 88 mov [ebp-78], esi ; ntdll.ZwTerminateProcess
7C932879 885D CB mov [ebp-35], bl
7C93287C 0FB7D8 movzx ebx, ax
7C93287F 8065 CB 01 and byte ptr [ebp-35], 1
7C932883 8D3CDE lea edi, [esi+ebx*8]
7C932886 75 04 jnz short 7C93288C
7C932888 8D7CDE F8 lea edi, [esi+ebx*8-8]
7C93288C 897D 88 mov [ebp-78], edi
; compare helper 7C932711(*path element, [ebp-54], probe entry)
7C93288F 57 push edi
7C932890 FF75 AC push dword ptr [ebp-54]
7C932893 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C932896 FF30 push dword ptr [eax]
7C932898 E8 74FEFFFF call 7C932711
7C93289D 8945 84 mov [ebp-7C], eax
7C9328A0 85C0 test eax, eax
; equal -> 7C932C5E, less -> 7C932CBA, greater -> continue above the probe
7C9328A2 0F84 B6030000 je 7C932C5E
7C9328A8 0F8C 0C040000 jl 7C932CBA
7C9328AE 8D77 08 lea esi, [edi+8]
7C9328B1 8975 90 mov [ebp-70], esi ; ntdll.ZwTerminateProcess
7C9328B4 8B5D 98 mov ebx, [ebp-68]
7C9328B7 895D B0 mov [ebp-50], ebx
7C9328BA 8B7D 9C mov edi, [ebp-64]
7C9328BD ^ EB 9D jmp short 7C93285C
7C9328BF 90 nop
; ---- data, not code: the scope table named by "push 7C9328C0" at entry ----
; Three dwords: FFFFFFFF, 7C932A8E, 7C932AA1 (bytes FF FF FF FF / 8E 2A 93 7C /
; A1 2A 93 7C). The disassembler lost sync here: the last bogus line swallows the
; bytes 8B 4D 0C, which are the real instruction at 7C9328CC, "mov ecx, [ebp+C]",
; the target of "jnz 7C9328CC" at 7C932846.
7C9328C0 FFFF ??? ; unknown command
7C9328C2 FFFF ??? ; unknown command
7C9328C4 8E2A mov gs, [edx]
7C9328C6 93 xchg eax, ebx
7C9328C7 ^ 7C A1 jl short 7C93286A
7C9328C9 2A93 7C8B4D0C sub dl, [ebx+C4D8B7C]
; path element other than 0xFFFF -> ordinary search at 7C93284C
7C9328CF 8139 FFFF0000 cmp dword ptr [ecx], 0FFFF
7C9328D5 ^ 0F85 71FFFFFF jnz 7C93284C
; element is 0xFFFF: take the first entry as is - its first dword into [ebp-1C],
; its second dword plus [ebp-54] into esi and [ebp-5C]
7C9328DB 8945 B4 mov [ebp-4C], eax
7C9328DE 8B0E mov ecx, [esi]
7C9328E0 894D E4 mov [ebp-1C], ecx
7C9328E3 8B76 04 mov esi, [esi+4]
7C9328E6 0375 AC add esi, [ebp-54]
7C9328E9 8975 A4 mov [ebp-5C], esi ; ntdll.ZwTerminateProcess
; ---- 7C9328EC: walk finished; esi non-zero means an entry was found ----
7C9328EC 85F6 test esi, esi ; ntdll.ZwTerminateProcess
7C9328EE 0F85 67020000 jnz 7C932B5B
7C9328F4 85C0 test eax, eax
7C9328F6 0F85 8D800100 jnz 7C94A989
; pick the failure status by how many elements were consumed:
; 1 -> 7C934892, 2 -> 7C9348A5, 3 -> C0000204 below, anything else -> 7C9329CC
; (C0000204 is STATUS_RESOURCE_LANG_NOT_FOUND)
7C9328FC 8B45 94 mov eax, [ebp-6C] ; trscd.004B027C
7C9328FF 2B45 10 sub eax, [ebp+10]
7C932902 48 dec eax
7C932903 0F84 891F0000 je 7C934892
7C932909 48 dec eax
7C93290A 0F84 951F0000 je 7C9348A5
7C932910 48 dec eax
7C932911 0F85 B5000000 jnz 7C9329CC
7C932917 C745 CC 040200C>mov dword ptr [ebp-34], C0000204
; 7C93291E: with that status, go to 7C932B73 (which may try another candidate)
7C93291E 817D CC 040200C>cmp dword ptr [ebp-34], C0000204
7C932925 0F84 48020000 je 7C932B73
; ---- common exit 7C93292B: [ebp-4] = -1, eax = status, epilog helper, return ----
7C93292B 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C93292F 8B45 CC mov eax, [ebp-34]
7C932932 E8 CBC4FFFF call 7C92EE02
7C932937 C2 1400 retn 14
; 7C93293A: on the last element of a three-element path, remember the current
; directory in [ebp-58]; then rejoin at 7C932800
7C93293A 837D 94 03 cmp dword ptr [ebp-6C], 3
7C93293E ^ 0F85 BCFEFFFF jnz 7C932800
7C932944 8945 A8 mov [ebp-58], eax
7C932947 ^ E9 B4FEFFFF jmp 7C932800
7C93294C 90 nop
7C93294D 90 nop
7C93294E 90 nop
7C93294F 90 nop
7C932950 90 nop
; ---------------------------------------------------------------------
; Routine entered at 7C932951: four stack arguments, retn 10. Called from 7C932BE1.
;   [ebp+8]  = image base (bit 0 is tested as a flag)
;   [ebp+C]  = pointer to an entry whose first dword is an offset
;   [ebp+10] = optional out pointer, receives the computed address
;   [ebp+14] = optional out pointer; non-null leaves via 7C931808 (outside this listing)
; Returns the status held in [ebp-28], which is zero on the path shown.
; Same prolog helper as 7C932788: 0x2C bytes of locals, scope table at 7C9329C0.
; NOTE(review): on this path the offset from the entry is added to the base with
; no bounds comparison; the work runs inside the SEH frame set up at entry.
; ---------------------------------------------------------------------
7C932951 6A 2C push 2C
7C932953 68 C029937C push 7C9329C0
7C932958 E8 65C4FFFF call 7C92EDC2
7C93295D 8365 D8 00 and dword ptr [ebp-28], 0
7C932961 8365 FC 00 and dword ptr [ebp-4], 0
; RtlImageDirectoryEntryToData(base, 1, 2, &[ebp-38]); null leaves via 7C966EB7
7C932965 8D45 C8 lea eax, [ebp-38]
7C932968 50 push eax
7C932969 6A 02 push 2
7C93296B 6A 01 push 1
7C93296D FF75 08 push dword ptr [ebp+8]
7C932970 E8 E1DEFFFF call RtlImageDirectoryEntryToData
7C932975 8945 E0 mov [ebp-20], eax
7C932978 85C0 test eax, eax
7C93297A 0F84 37450300 je 7C966EB7
; base with bit 0 set is handled separately at 7C932E39
7C932980 F645 08 01 test byte ptr [ebp+8], 1
7C932984 0F85 AF040000 jnz 7C932E39
; bit 0 clear: adjustment esi = 0, so the address is base + first dword of the entry
7C93298A 33F6 xor esi, esi ; ntdll.ZwTerminateProcess
7C93298C 8975 DC mov [ebp-24], esi ; ntdll.ZwTerminateProcess
7C93298F 8B45 10 mov eax, [ebp+10]
7C932992 85C0 test eax, eax
7C932994 74 0C je short 7C9329A2
7C932996 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C932999 8B09 mov ecx, [ecx]
7C93299B 2BCE sub ecx, esi ; ntdll.ZwTerminateProcess
7C93299D 034D 08 add ecx, [ebp+8]
7C9329A0 8908 mov [eax], ecx
7C9329A2 8B45 14 mov eax, [ebp+14]
7C9329A5 85C0 test eax, eax
7C9329A7 ^ 0F85 5BEEFFFF jnz 7C931808
; exit: [ebp-4] = -1, eax = status, epilog helper, return
7C9329AD 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C9329B1 8B45 D8 mov eax, [ebp-28]
7C9329B4 E8 49C4FFFF call 7C92EE02
7C9329B9 C2 1000 retn 10
7C9329BC 90 nop
7C9329BD 90 nop
7C9329BE 90 nop
7C9329BF 90 nop
; ---- data, not code: scope table named by "push 7C9329C0" at 7C932953 ----
; Three dwords: FFFFFFFF, 7C966ECA, 7C966EDD. The disassembler then stays out of
; sync up to 7C9329E4; do not read the "retf", "int3" or "outs" lines as real.
; Decoding the same bytes from 7C9329CC, the target of "jnz 7C9329CC" at 7C932911:
;   7C9329CC  C7 45 CC 0D 00 00 C0   mov dword ptr [ebp-34], C000000D
;   7C9329D3  E9 46 FF FF FF         jmp 7C93291E
;   7C9329D8  84 DB                  test bl, bl
;   7C9329DA  75 3D                  jnz short 7C932A19
;   7C9329DC  66 8B 45 A0            mov ax, [ebp-60]
;   7C9329E0  66 3B 45 E0            cmp ax, [ebp-20]
;   7C9329E4  74 33                  je short 7C932A19   (listing is in sync again)
; (C000000D is STATUS_INVALID_PARAMETER.) From 7C9329CC on, the code is a chunk
; of the routine entered at 7C932788 and uses that routine's ebp frame.
7C9329C0 FFFF ??? ; unknown command
7C9329C2 FFFF ??? ; unknown command
7C9329C4 CA 6E96 retf 966E
7C9329C7 ^ 7C DD jl short 7C9329A6
7C9329C9 6E outs dx, byte ptr es:[edi]
7C9329CA 96 xchg eax, esi ; ntdll.ZwTerminateProcess
7C9329CB ^ 7C C7 jl short 7C932994
7C9329CD 45 inc ebp
7C9329CE CC int3
7C9329CF 0D 0000C0E9 or eax, E9C00000
7C9329D4 46 inc esi ; ntdll.ZwTerminateProcess
7C9329D5 FFFF ??? ; unknown command
7C9329D7 FF84DB 753D668B inc dword ptr [ebx+ebx*8+8B663D75]
7C9329DE 45 inc ebp
7C9329DF A0 663B45E0 mov al, [E0453B66]
7C9329E4 74 33 je short 7C932A19
; build a three-element path at [ebp-48]: two dwords copied from edi plus the
; 16-bit value in [ebp-60], then call 7C932788 again with count 3 and flag bit 4 set
7C9329E6 8B07 mov eax, [edi]
7C9329E8 8945 B8 mov [ebp-48], eax
7C9329EB 8B47 04 mov eax, [edi+4]
7C9329EE 8945 BC mov [ebp-44], eax
7C9329F1 0FB745 A0 movzx eax, word ptr [ebp-60]
7C9329F5 8945 C0 mov [ebp-40], eax
7C9329F8 FF75 18 push dword ptr [ebp+18] ; trscd.00454965
7C9329FB 8B45 14 mov eax, [ebp+14]
7C9329FE 83C8 04 or eax, 4
7C932A01 50 push eax
7C932A02 6A 03 push 3
7C932A04 8D45 B8 lea eax, [ebp-48]
7C932A07 50 push eax
7C932A08 56 push esi ; ntdll.ZwTerminateProcess
7C932A09 E8 7AFDFFFF call 7C932788
7C932A0E 8945 CC mov [ebp-34], eax
7C932A11 85C0 test eax, eax
; non-negative status -> done (7C94B1E5, outside this listing)
7C932A13 0F8D CC870100 jge 7C94B1E5
; 7C932A19: same call again, third element taken from [ebp-20] instead
7C932A19 8B07 mov eax, [edi]
7C932A1B 8945 B8 mov [ebp-48], eax
7C932A1E 8B47 04 mov eax, [edi+4]
7C932A21 8945 BC mov [ebp-44], eax
7C932A24 0FB745 E0 movzx eax, word ptr [ebp-20]
7C932A28 8945 C0 mov [ebp-40], eax
7C932A2B FF75 18 push dword ptr [ebp+18] ; trscd.00454965
7C932A2E 8B45 14 mov eax, [ebp+14]
7C932A31 83C8 04 or eax, 4
7C932A34 50 push eax
7C932A35 6A 03 push 3
7C932A37 8D45 B8 lea eax, [ebp-48]
7C932A3A 50 push eax
7C932A3B 56 push esi ; ntdll.ZwTerminateProcess
7C932A3C E8 47FDFFFF call 7C932788
7C932A41 8945 CC mov [ebp-34], eax
7C932A44 85C0 test eax, eax
7C932A46 0F8C 9B540100 jl 7C947EE7
7C932A4C E9 94870100 jmp 7C94B1E5
; 7C932A51: eax = fs:[18] (on 32-bit Windows, the thread's TEB pointer), then
; join 7C932BB9, which reads the word at eax+C4
7C932A51 64:A1 18000000 mov eax, fs:[18]
7C932A57 8985 68FFFFFF mov [ebp-98], eax
7C932A5D E9 57010000 jmp 7C932BB9
; 7C932A62: ZwQueryInstallUILanguage(7C99C03A); failure leaves via 7C947EE7
7C932A62 68 3AC0997C push 7C99C03A
7C932A67 E8 EEB5FFFF call ZwQueryInstallUILanguage
7C932A6C 8945 CC mov [ebp-34], eax
7C932A6F 85C0 test eax, eax
7C932A71 0F8C 70540100 jl 7C947EE7
7C932A77 E9 C3310200 jmp 7C955C3F
; 7C932A7C: zero [ebp-24], advance the index [ebp-3C] by two, rejoin at 7C932B20
7C932A7C 8365 DC 00 and dword ptr [ebp-24], 0
7C932A80 8345 C4 02 add dword ptr [ebp-3C], 2
7C932A84 E9 97000000 jmp 7C932B20
7C932A89 90 nop
7C932A8A 90 nop
7C932A8B 90 nop
7C932A8C 90 nop
7C932A8D 90 nop
; ---- the two code addresses stored in the scope table at 7C9328C0 ----
; 7C932A8E: follows two pointers from [ebp-14], saves the dword found there in
; [ebp-80] and returns 1. NOTE(review): in compiler-generated SEH this is the
; exception filter, [ebp-14] -> exception pointers -> record -> exception code,
; and 1 means "run the handler" - confirm.
7C932A8E 8B45 EC mov eax, [ebp-14]
7C932A91 8B00 mov eax, [eax]
7C932A93 8B00 mov eax, [eax]
7C932A95 8945 80 mov [ebp-80], eax
7C932A98 33C0 xor eax, eax
7C932A9A 40 inc eax
7C932A9B C3 retn
7C932A9C 90 nop
7C932A9D 90 nop
7C932A9E 90 nop
7C932A9F 90 nop
7C932AA0 90 nop
; 7C932AA1: restore esp from [ebp-18], make the saved dword the status in
; [ebp-34], and leave through the common exit of 7C932788 at 7C93292B
7C932AA1 8B65 E8 mov esp, [ebp-18]
7C932AA4 8B45 80 mov eax, [ebp-80] ; ntdll.7C931993
7C932AA7 8945 CC mov [ebp-34], eax
7C932AAA ^ E9 7CFEFFFF jmp 7C93292B
7C932AAF 90 nop
; ---- data, not code: 16-entry jump table at 7C932AB0..7C932AEF ----
; Used by "jmp [eax*4+7C932AB0]" at 7C932B13; the index is checked first with
; "cmp eax, 0F / ja 7C94BB26" at 7C932B38, which matches the 16 entries here.
; Every "jl", "pop esp", "xchg" below is the disassembler decoding addresses.
; Entries as little-endian dwords, index 0..15:
;   7C932B1A 7C932BC5 7C932B83 7C932B89 7C947E19 7C947E8A 7C947EEF 7C955C1D
;   7C955C31 7C955C4A 7C955C80 7C955C9E 7C955CA9 7C955C9E 7C955CCF 7C955CDB
; The last entry ends at 7C932AEF. The final bogus "jl" swallows the byte 03 at
; 7C932AF0, so the real instruction there is 03 F3 = "add esi, ebx", the target
; of "jns 7C932AF0" at 7C932760; "prefix rep:" is an artefact of the same slip.
7C932AB0 1A2B sbb ch, [ebx]
7C932AB2 93 xchg eax, ebx
7C932AB3 ^ 7C C5 jl short 7C932A7A
7C932AB5 2B93 7C832B93 sub edx, [ebx+932B837C]
7C932ABB ^ 7C 89 jl short 7C932A46
7C932ABD 2B93 7C197E94 sub edx, [ebx+947E197C]
7C932AC3 ^ 7C 8A jl short 7C932A4F
7C932AC5 ^ 7E 94 jle short 7C932A5B
7C932AC7 ^ 7C EF jl short 7C932AB8
7C932AC9 ^ 7E 94 jle short 7C932A5F
7C932ACB 7C 1D jl short 7C932AEA
7C932ACD 5C pop esp ; ntdll.7C92E89A
7C932ACE 95 xchg eax, ebp
7C932ACF 7C 31 jl short 7C932B02
7C932AD1 5C pop esp ; ntdll.7C92E89A
7C932AD2 95 xchg eax, ebp
7C932AD3 7C 4A jl short 7C932B1F
7C932AD5 5C pop esp ; ntdll.7C92E89A
7C932AD6 95 xchg eax, ebp
7C932AD7 ^ 7C 80 jl short 7C932A59
7C932AD9 5C pop esp ; ntdll.7C92E89A
7C932ADA 95 xchg eax, ebp
7C932ADB ^ 7C 9E jl short 7C932A7B
7C932ADD 5C pop esp ; ntdll.7C92E89A
7C932ADE 95 xchg eax, ebp
7C932ADF ^ 7C A9 jl short 7C932A8A
7C932AE1 5C pop esp ; ntdll.7C92E89A
7C932AE2 95 xchg eax, ebp
7C932AE3 ^ 7C 9E jl short 7C932A83
7C932AE5 5C pop esp ; ntdll.7C92E89A
7C932AE6 95 xchg eax, ebp
7C932AE7 ^ 7C CF jl short 7C932AB8
7C932AE9 5C pop esp ; ntdll.7C92E89A
7C932AEA 95 xchg eax, ebp
7C932AEB ^ 7C DB jl short 7C932AC8
7C932AED 5C pop esp ; ntdll.7C92E89A
7C932AEE 95 xchg eax, ebp
7C932AEF 7C 03 jl short 7C932AF4
7C932AF1 F3: prefix rep:
; real code again: store esi in [ebp-5C] and continue at 7C932771
7C932AF2 8975 A4 mov [ebp-5C], esi ; ntdll.ZwTerminateProcess
7C932AF5 ^ E9 77FCFFFF jmp 7C932771
; ---- chunk of the routine entered at 7C932788: choosing the third path element ----
; Reached from "jnz 7C932AFA" at 7C932804 once [ebp-58] is set. It steps an index
; in [ebp-3C] through the jump table at 7C932AB0; each case puts a 16-bit
; candidate in [ebp-20], which is then searched for starting at 7C93280D.
; NOTE(review): given the language calls below, the candidates are presumably
; language ids tried in fallback order - confirm.
; 7C932AFA: [ebp-60] = word at edi+8 (third path element);
; byte [ebp-2D] = 1 if its low 10 bits are zero, else 0
7C932AFA 33DB xor ebx, ebx
7C932AFC 66:8B5F 08 mov bx, [edi+8]
7C932B00 895D A0 mov [ebp-60], ebx
7C932B03 66:81E3 FF03 and bx, 3FF
7C932B08 66:F7DB neg bx
7C932B0B 1BDB sbb ebx, ebx
7C932B0D 43 inc ebx
7C932B0E 885D D3 mov [ebp-2D], bl
7C932B11 EB 1F jmp short 7C932B32
; 7C932B13: table dispatch; eax was range-checked at 7C932B38 just before
7C932B13 - FF2485 B02A937C jmp [eax*4+7C932AB0]
; table entry 0: candidate = the requested value
7C932B1A 8B45 A0 mov eax, [ebp-60] ; ntdll.7C99C080
7C932B1D 8945 E0 mov [ebp-20], eax
; 7C932B20: a candidate equal to the value already in [ebp-1C] (and not FFFF) is
; skipped by falling through to the next index
7C932B20 66:837D E0 FF cmp word ptr [ebp-20], 0FFFF
7C932B25 74 1C je short 7C932B43
7C932B27 0FB745 E0 movzx eax, word ptr [ebp-20]
7C932B2B 8B4D E4 mov ecx, [ebp-1C]
7C932B2E 3BC1 cmp eax, ecx
7C932B30 75 11 jnz short 7C932B43
; 7C932B32: eax = index, then index++; index above 0x0F leaves via 7C94BB26
7C932B32 8B45 C4 mov eax, [ebp-3C] ; ntdll.7C92F0AA
7C932B35 FF45 C4 inc dword ptr [ebp-3C] ; ntdll.7C92F0AA
7C932B38 83F8 0F cmp eax, 0F
7C932B3B 0F87 E58F0100 ja 7C94BB26
7C932B41 ^ EB D0 jmp short 7C932B13
; 7C932B43: make [ebp-1C] the one-element path, restart from the directory
; remembered in [ebp-58], and search at 7C93280D
7C932B43 0FB74D E0 movzx ecx, word ptr [ebp-20]
7C932B47 894D E4 mov [ebp-1C], ecx
7C932B4A 8D45 E4 lea eax, [ebp-1C]
7C932B4D 8945 0C mov [ebp+C], eax
7C932B50 8B45 A8 mov eax, [ebp-58] ; ntdll.7C92EE18
7C932B53 8945 B4 mov [ebp-4C], eax
7C932B56 ^ E9 B2FCFFFF jmp 7C93280D
; 7C932B5B: entry found. Unless flag bit 2 is set, store it through [ebp+18]
; and set the status to 0
7C932B5B F645 14 02 test byte ptr [ebp+14], 2
7C932B5F ^ 0F85 8FFDFFFF jnz 7C9328F4
7C932B65 8B45 18 mov eax, [ebp+18] ; trscd.00454965
7C932B68 8930 mov [eax], esi ; ntdll.ZwTerminateProcess
7C932B6A 8365 CC 00 and dword ptr [ebp-34], 0
7C932B6E ^ E9 ABFDFFFF jmp 7C93291E
; 7C932B73: status C0000204. With [ebp-58] set, try the next candidate instead
; of returning
7C932B73 837D A8 00 cmp dword ptr [ebp-58], 0
7C932B77 ^ 0F84 AEFDFFFF je 7C93292B
7C932B7D 8365 A4 00 and dword ptr [ebp-5C], 0
7C932B81 ^ EB AF jmp short 7C932B32
; table entry 2: candidate = 0
7C932B83 8365 E0 00 and dword ptr [ebp-20], 0
7C932B87 ^ EB 97 jmp short 7C932B20
; table entry 3: only when the flag byte in bl is set. Reads fs:[18], then
; [+30], then [+10], and tests the dword at +10 of that structure
; (presumably TEB -> PEB -> process parameters - confirm)
7C932B89 84DB test bl, bl
7C932B8B 0F84 69530100 je 7C947EFA
7C932B91 64:A1 18000000 mov eax, fs:[18]
7C932B97 8985 6CFFFFFF mov [ebp-94], eax
7C932B9D 8B40 30 mov eax, [eax+30]
7C932BA0 8B40 10 mov eax, [eax+10]
7C932BA3 8378 10 00 cmp dword ptr [eax+10], 0
7C932BA7 0F84 3A530100 je 7C947EE7
7C932BAD 64:A1 18000000 mov eax, fs:[18]
7C932BB3 8985 50FFFFFF mov [ebp-B0], eax
; 7C932BB9: candidate = word at offset C4 of the structure fs:[18] points to
7C932BB9 0FB780 C4000000 movzx eax, word ptr [eax+C4]
7C932BC0 ^ E9 58FFFFFF jmp 7C932B1D
; table entry 1: skipped when flag bit 4 is set (the bit the nested calls at
; 7C9329FE / 7C932A31 add); candidate = requested value with bits 10..15 cleared
7C932BC5 F645 14 04 test byte ptr [ebp+14], 4
7C932BC9 0F85 578F0100 jnz 7C94BB26
7C932BCF 8B45 A0 mov eax, [ebp-60] ; ntdll.7C99C080
7C932BD2 25 FF03FFFF and eax, FFFF03FF
7C932BD7 ^ E9 41FFFFFF jmp 7C932B1D
7C932BDC 90 nop
7C932BDD 90 nop
7C932BDE 90 nop
7C932BDF 90 nop
7C932BE0 90 nop
; ---------------------------------------------------------------------
; Routine at 7C932BE1: four stack arguments, retn 10. Validates a caller-supplied
; entry pointer against the image, then forwards all four arguments to 7C932951.
;   [ebp+8]  = image base (bit 0 is a flag; masked off before header lookups)
;   [ebp+C]  = entry pointer to validate
;   [ebp+10], [ebp+14] = passed through unchanged
; Checks on the path shown: entry pointer >= resource directory address, and
; base <= entry pointer < base + dword at NT-headers+50 (for a PE32 image that
; offset is OptionalHeader.SizeOfImage).
; NOTE(review): if RtlImageNtHeader returns null the range check is skipped
; ("je short 7C932C42"); only the pointer itself is compared, not pointer + size.
; ---------------------------------------------------------------------
7C932BE1 8BFF mov edi, edi
7C932BE3 55 push ebp
7C932BE4 8BEC mov ebp, esp
7C932BE6 83EC 1C sub esp, 1C
7C932BE9 53 push ebx
7C932BEA 8B5D 08 mov ebx, [ebp+8]
; RtlImageDirectoryEntryToData(base, 1, 2, &[ebp+8]); the size out-parameter
; overwrites the argument slot, the base stays in ebx
7C932BED 8D45 08 lea eax, [ebp+8]
7C932BF0 50 push eax
7C932BF1 6A 02 push 2
7C932BF3 6A 01 push 1
7C932BF5 53 push ebx
7C932BF6 E8 5BDCFFFF call RtlImageDirectoryEntryToData
7C932BFB 85C0 test eax, eax
7C932BFD 0F84 F1020000 je 7C932EF4
; entry pointer below the directory -> 7C966EEB (outside this listing)
7C932C03 3945 0C cmp [ebp+C], eax
7C932C06 0F82 DF420300 jb 7C966EEB
7C932C0C 8BC3 mov eax, ebx
7C932C0E 83E0 FE and eax, FFFFFFFE
7C932C11 50 push eax
7C932C12 E8 32DCFFFF call RtlImageNtHeader
7C932C17 85C0 test eax, eax
7C932C19 74 27 je short 7C932C42
7C932C1B 56 push esi ; ntdll.ZwTerminateProcess
7C932C1C 8BF3 mov esi, ebx
7C932C1E 83E6 FE and esi, FFFFFFFE
; base with bit 0 set is validated on a separate path at 7C932ED2
7C932C21 F6C3 01 test bl, 1
7C932C24 0F85 A8020000 jnz 7C932ED2
; unsigned range check; both failures go to 7C966F01
7C932C2A 8B40 50 mov eax, [eax+50]
7C932C2D 3975 0C cmp [ebp+C], esi ; ntdll.ZwTerminateProcess
7C932C30 0F82 CB420300 jb 7C966F01
7C932C36 03C6 add eax, esi ; ntdll.ZwTerminateProcess
7C932C38 3945 0C cmp [ebp+C], eax
7C932C3B 0F83 C0420300 jnb 7C966F01
7C932C41 5E pop esi ; ntdll.7C92E89A
; null base is rejected, then forward to 7C932951(base, entry, arg3, arg4)
7C932C42 85DB test ebx, ebx
7C932C44 0F84 AA020000 je 7C932EF4
7C932C4A FF75 14 push dword ptr [ebp+14]
7C932C4D FF75 10 push dword ptr [ebp+10]
7C932C50 FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C932C53 53 push ebx
7C932C54 E8 F8FCFFFF call 7C932951
7C932C59 5B pop ebx ; ntdll.7C92E89A
7C932C5A C9 leave
7C932C5B C2 1000 retn 10
; ---- chunk of the routine entered at 7C932788: the probe entry matched ----
; Reached from "je 7C932C5E" at 7C9328A2. eax = second dword of the matched
; entry; edi is reloaded with the saved path pointer. Top bit clear leaves via
; 7C958C6C (outside this listing); top bit set means strip it, add the directory
; base in [ebp-54], store as the next directory in [ebp-4C], continue at 7C932771.
; NOTE(review): the offset is not compared against any size on this path.
7C932C5E 8B47 04 mov eax, [edi+4]
7C932C61 8B7D 9C mov edi, [ebp-64]
7C932C64 85C0 test eax, eax
7C932C66 0F89 00600200 jns 7C958C6C
7C932C6C 25 FFFFFF7F and eax, 7FFFFFFF
7C932C71 0345 AC add eax, [ebp-54]
7C932C74 8945 B4 mov [ebp-4C], eax
7C932C77 ^ E9 F5FAFFFF jmp 7C932771
7C932C7C 90 nop
7C932C7D 90 nop
7C932C7E 90 nop
7C932C7F 90 nop
7C932C80 90 nop
; ---------------------------------------------------------------------
; Thin wrapper at 7C932C81: four stack arguments, retn 10. Calls 7C932788 with
; the same four values and a zero inserted as that routine's fourth argument.
; NOTE(review): presumably the exported LdrFindResource_U - no symbol is shown
; in the listing; confirm against the export table.
; ---------------------------------------------------------------------
7C932C81 > 8BFF mov edi, edi
7C932C83 55 push ebp
7C932C84 8BEC mov ebp, esp
7C932C86 FF75 14 push dword ptr [ebp+14]
7C932C89 6A 00 push 0
7C932C8B FF75 10 push dword ptr [ebp+10]
7C932C8E FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C932C91 FF75 08 push dword ptr [ebp+8]
7C932C94 E8 EFFAFFFF call 7C932788
7C932C99 5D pop ebp ; ntdll.7C92E89A
7C932C9A C2 1000 retn 10
7C932C9D 90 nop
7C932C9E 90 nop
7C932C9F 90 nop
7C932CA0 90 nop
7C932CA1 90 nop
; ---------------------------------------------------------------------
; Frameless wrapper at 7C932CA2: four stack arguments, retn 10. Each
; "push [esp+10]" re-pushes one incoming argument (esp moves by 4 per push, so
; the same displacement walks the four arguments), then calls 7C932BE1.
; NOTE(review): presumably the exported LdrAccessResource - no symbol is shown
; in the listing; confirm against the export table.
; ---------------------------------------------------------------------
7C932CA2 > FF7424 10 push dword ptr [esp+10]
7C932CA6 FF7424 10 push dword ptr [esp+10]
7C932CAA FF7424 10 push dword ptr [esp+10]
7C932CAE FF7424 10 push dword ptr [esp+10]
7C932CB2 E8 2AFFFFFF call 7C932BE1
7C932CB7 C2 1000 retn 10
; ---- chunk of the routine entered at 7C932788: compare result was negative ----
; Reached from "jl 7C932CBA" at 7C9328A8. The new last entry is the one before
; the probe, stored in [ebp-74]. Odd count ([ebp-35] != 0): rejoin at 7C9328B4,
; which reloads the halved count; even count: use half - 1 and rejoin at 7C9328B7.
7C932CBA 83C7 F8 add edi, -8
7C932CBD 897D 8C mov [ebp-74], edi
7C932CC0 807D CB 00 cmp byte ptr [ebp-35], 0
7C932CC4 ^ 0F85 EAFBFFFF jnz 7C9328B4
7C932CCA 4B dec ebx
7C932CCB ^ E9 E7FBFFFF jmp 7C9328B7
7C932CD0 90 nop
7C932CD1 90 nop
7C932CD2 90 nop
7C932CD3 90 nop
7C932CD4 90 nop
; ---------------------------------------------------------------------
; Routine entered at 7C932CD5: two stack arguments, retn 8. Same prolog helper
; as 7C932788, with 0xD2C bytes of locals and a scope table at 7C932D38.
; Only the early-out is visible here: if LdrAlternateResourcesEnabled returns
; zero in al, the routine returns 0; otherwise the work continues at 7C967390,
; outside this listing.
; NOTE(review): copying the global at 7C99C034 into [ebp-1C] on entry and
; handing it to 7C930387 in ecx just before the epilog is consistent with a
; compiler stack-cookie save and check - confirm what 7C930387 does.
; ---------------------------------------------------------------------
7C932CD5 > 68 2C0D0000 push 0D2C
7C932CDA 68 382D937C push 7C932D38
7C932CDF E8 DEC0FFFF call 7C92EDC2
7C932CE4 A1 34C0997C mov eax, [7C99C034]
7C932CE9 8945 E4 mov [ebp-1C], eax
; keep both arguments (edi, esi) and zero a group of locals
7C932CEC 8B7D 08 mov edi, [ebp+8]
7C932CEF 89BD 44F3FFFF mov [ebp-CBC], edi
7C932CF5 8B75 0C mov esi, [ebp+C] ; RPCRT4.77E8F3B0
7C932CF8 33DB xor ebx, ebx
7C932CFA 899D 60F3FFFF mov [ebp-CA0], ebx
7C932D00 899D 90F3FFFF mov [ebp-C70], ebx
7C932D06 899D 88F3FFFF mov [ebp-C78], ebx
7C932D0C 889D A7F3FFFF mov [ebp-C59], bl
7C932D12 899D 8CF3FFFF mov [ebp-C74], ebx
7C932D18 E8 38000000 call LdrAlternateResourcesEnabled
7C932D1D 84C0 test al, al
7C932D1F 0F85 6B460300 jnz 7C967390
; early-out: result 0, pass the saved value to 7C930387, epilog helper, return
7C932D25 33C0 xor eax, eax
7C932D27 8B4D E4 mov ecx, [ebp-1C]
7C932D2A E8 58D6FFFF call 7C930387
7C932D2F E8 CEC0FFFF call 7C92EE02
7C932D34 C2 0800 retn 8
7C932D37 90 nop
; ---- data, not code: scope table named by "push 7C932D38" at 7C932CDA ----
; Six little-endian dwords at 7C932D38..7C932D4F:
;   FFFFFFFF 00000000 7C967A7A   00000000 00000000 7C967606
; NOTE(review): this looks like two scope records of three dwords each, both
; with a zero second field - confirm against the prolog helper's table format.
; The last bogus "jl" swallows the first nop of the padding that starts at 7C932D50.
7C932D38 FFFF ??? ; unknown command
7C932D3A FFFF ??? ; unknown command
7C932D3C 0000 add [eax], al
7C932D3E 0000 add [eax], al
7C932D40 7A 7A jpe short 7C932DBC
7C932D42 96 xchg eax, esi ; ntdll.ZwTerminateProcess
7C932D43 7C 00 jl short 7C932D45
7C932D45 0000 add [eax], al
7C932D47 0000 add [eax], al
7C932D49 0000 add [eax], al
7C932D4B 0006 add [esi], al
7C932D4D ^ 76 96 jbe short 7C932CE5
7C932D4F ^ 7C 90 jl short 7C932CE1
7C932D51 90 nop
7C932D52 90 nop
7C932D53 90 nop
7C932D54 90 nop
; ---------------------------------------------------------------------
; LdrAlternateResourcesEnabled (the call at 7C932D18 resolves to this address).
; No arguments; boolean result in al.
; On the path shown: al = 1 when the words at 7C99C038 and 7C99C03A are both
; non-zero and differ, else 0. 7C99C03A is the buffer handed to
; ZwQueryInstallUILanguage at 7C932A62.
; Other paths (outside this listing): 7C93EA44 when the word at 7C99C038 is zero
; or the dword at offset F98 of the structure fs:[18] points to is non-zero;
; 7C941973 when the word at 7C99C03A is zero.
; ---------------------------------------------------------------------
7C932D55 > 66:833D 38C0997>cmp word ptr [7C99C038], 0
7C932D5D 0F84 E1BC0000 je 7C93EA44
7C932D63 64:A1 18000000 mov eax, fs:[18]
7C932D69 83B8 980F0000 0>cmp dword ptr [eax+F98], 0
7C932D70 0F85 CEBC0000 jnz 7C93EA44
7C932D76 66:833D 3AC0997>cmp word ptr [7C99C03A], 0
7C932D7E 0F84 EFEB0000 je 7C941973
7C932D84 66:A1 3AC0997C mov ax, [7C99C03A]
7C932D8A 66:3905 38C0997>cmp [7C99C038], ax
; only al is defined as the result; the rest of eax is left over from the load
7C932D91 0F95C0 setne al
7C932D94 C3 retn
7C932D95 3B50 54 cmp edx, [eax+54]
7C932D98 ^ 0F82 37DBFFFF jb 7C9308D5
7C932D9E 52 push edx ; msvcrt.77C31AE8
7C932D9F FF75 08 push dword ptr [ebp+8]
7C932DA2 50 push eax
7C932DA3 E8 0A000000 call RtlAddressInSectionTable
7C932DA8 ^ E9 2DDBFFFF jmp 7C9308DA
7C932DAD 90 nop
7C932DAE 90 nop
7C932DAF 90 nop
7C932DB0 90 nop
7C932DB1 90 nop
; ---------------------------------------------------------------------
; RtlAddressInSectionTable (the call at 7C932DA3 resolves to this address).
; Three stack arguments, retn 0C; all three are forwarded to RtlImageRvaToSection.
;   [ebp+8]  = first argument (used by the callee as the NT headers pointer)
;   [ebp+C]  = base added to the result
;   [ebp+10] = RVA to translate
; Out: eax = section[+14] - section[+C] + [ebp+C] + [ebp+10], or 0 if no section
;      contains the RVA. In IMAGE_SECTION_HEADER, +C is VirtualAddress and +14 is
;      PointerToRawData, so this maps an RVA to its position in a file-layout mapping.
; NOTE(review): the arithmetic is plain 32-bit with no overflow check here; the
; inputs come from the image's section table.
; ---------------------------------------------------------------------
7C932DB2 > 8BFF mov edi, edi
7C932DB4 55 push ebp
7C932DB5 8BEC mov ebp, esp
7C932DB7 FF75 10 push dword ptr [ebp+10]
7C932DBA FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C932DBD FF75 08 push dword ptr [ebp+8]
7C932DC0 E8 1F000000 call RtlImageRvaToSection
7C932DC5 8BC8 mov ecx, eax
7C932DC7 85C9 test ecx, ecx
7C932DC9 74 10 je short 7C932DDB
7C932DCB 8B41 14 mov eax, [ecx+14]
7C932DCE 2B41 0C sub eax, [ecx+C]
7C932DD1 0345 0C add eax, [ebp+C] ; RPCRT4.77E8F3B0
7C932DD4 0345 10 add eax, [ebp+10]
7C932DD7 5D pop ebp ; ntdll.7C92E89A
7C932DD8 C2 0C00 retn 0C
; no containing section: return 0 through the shared epilogue
7C932DDB 33C0 xor eax, eax
7C932DDD ^ EB F8 jmp short 7C932DD7
7C932DDF 90 nop
7C932DE0 90 nop
7C932DE1 90 nop
7C932DE2 90 nop
7C932DE3 90 nop
; RtlImageRvaToSection (name taken from the debugger's label on the call at
; 7C932DC0). stdcall, three stack arguments (retn 0C).
;   [ebp+8]  = pointer to the NT headers
;   [ebp+C]  = not read by this function
;   [ebp+10] = RVA to look up
; Walks the section table and returns in eax the first section header for
; which VirtualAddress <= rva < VirtualAddress + [header+10], or 0 if none.
; Register roles: eax = current section header, ecx = section count,
; esi = loop index, edx/edi = range bounds.
; All comparisons are unsigned (jb/jnb/jbe). Two things a reviewer of PE
; parsing should note: the upper bound is formed with a plain `add edi, edx`
; with no carry check, so it can wrap for a malformed header, and the section
; count and optional-header size are taken from the image as-is without being
; checked against the size of the mapping.
; The trailing `; module.symbol` notes are the debugger's snapshot of register
; contents, not part of the instruction (note one sits on `xor esi, esi`).
7C932DE4 > 8BFF mov edi, edi
7C932DE6 55 push ebp
7C932DE7 8BEC mov ebp, esp
7C932DE9 8B4D 08 mov ecx, [ebp+8]
; +14 from the NT headers is FileHeader.SizeOfOptionalHeader
7C932DEC 0FB741 14 movzx eax, word ptr [ecx+14]
; first section header = NT headers + 18 + SizeOfOptionalHeader
7C932DF0 8D4408 18 lea eax, [eax+ecx+18]
; +6 from the NT headers is FileHeader.NumberOfSections
7C932DF4 0FB749 06 movzx ecx, word ptr [ecx+6]
7C932DF8 56 push esi ; ntdll.ZwTerminateProcess
7C932DF9 33F6 xor esi, esi ; ntdll.ZwTerminateProcess
7C932DFB 85C9 test ecx, ecx
7C932DFD 57 push edi
; zero sections -> return 0 (push edi does not change the flags from test)
7C932DFE 76 22 jbe short 7C932E22
; loop top: edx = section VirtualAddress
7C932E00 8B50 0C mov edx, [eax+C]
7C932E03 3955 10 cmp [ebp+10], edx ; msvcrt.77C31AE8
7C932E06 72 0A jb short 7C932E12
; edi = VirtualAddress + dword at header+10 (SizeOfRawData)
7C932E08 8B78 10 mov edi, [eax+10]
7C932E0B 03FA add edi, edx ; msvcrt.77C31AE8
7C932E0D 397D 10 cmp [ebp+10], edi
; rva below the upper bound -> found, eax already holds the header
7C932E10 72 0A jb short 7C932E1C
; advance by 28h, the size of one IMAGE_SECTION_HEADER
7C932E12 83C0 28 add eax, 28
7C932E15 46 inc esi ; ntdll.ZwTerminateProcess
7C932E16 3BF1 cmp esi, ecx
7C932E18 73 08 jnb short 7C932E22
7C932E1A ^ EB E4 jmp short 7C932E00
7C932E1C 5F pop edi ; ntdll.7C92E89A
7C932E1D 5E pop esi ; ntdll.7C92E89A
7C932E1E 5D pop ebp ; ntdll.7C92E89A
7C932E1F C2 0C00 retn 0C
7C932E22 33C0 xor eax, eax
7C932E24 ^ EB F6 jmp short 7C932E1C
7C932E26 83E3 FE and ebx, FFFFFFFE
7C932E29 C645 0C 00 mov byte ptr [ebp+C], 0
7C932E2D ^ E9 36DAFFFF jmp 7C930868
7C932E32 33C0 xor eax, eax
7C932E34 ^ E9 5CDAFFFF jmp 7C930895
7C932E39 8365 08 FE and dword ptr [ebp+8], FFFFFFFE
7C932E3D FF75 08 push dword ptr [ebp+8]
7C932E40 E8 04DAFFFF call RtlImageNtHeader
7C932E45 8BD8 mov ebx, eax
7C932E47 895D C4 mov [ebp-3C], ebx
7C932E4A 66:8B43 18 mov ax, [ebx+18]
7C932E4E 66:3D 0B01 cmp ax, 10B
7C932E52 0F85 47400300 jnz 7C966E9F
7C932E58 8B83 88000000 mov eax, [ebx+88]
7C932E5E 8945 E4 mov [ebp-1C], eax
7C932E61 85C0 test eax, eax
7C932E63 0F84 4E400300 je 7C966EB7
7C932E69 8BF0 mov esi, eax
7C932E6B 2B75 E0 sub esi, [ebp-20]
7C932E6E 0375 08 add esi, [ebp+8]
7C932E71 8975 DC mov [ebp-24], esi ; ntdll.ZwTerminateProcess
7C932E74 50 push eax
7C932E75 FF75 08 push dword ptr [ebp+8]
7C932E78 53 push ebx
7C932E79 E8 66FFFFFF call RtlImageRvaToSection
7C932E7E 8945 D4 mov [ebp-2C], eax
7C932E81 85C0 test eax, eax
7C932E83 0F84 2E400300 je 7C966EB7
7C932E89 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C932E8C 8B09 mov ecx, [ecx]
7C932E8E 3B48 08 cmp ecx, [eax+8]
7C932E91 ^ 0F86 F8FAFFFF jbe 7C93298F
7C932E97 8B40 0C mov eax, [eax+C]
7C932E9A 8945 D0 mov [ebp-30], eax
7C932E9D 51 push ecx
7C932E9E FF75 08 push dword ptr [ebp+8]
7C932EA1 53 push ebx
7C932EA2 E8 3DFFFFFF call RtlImageRvaToSection
7C932EA7 8BF8 mov edi, eax
7C932EA9 897D D4 mov [ebp-2C], edi
7C932EAC 85FF test edi, edi
7C932EAE 0F84 03400300 je 7C966EB7
7C932EB4 FF77 0C push dword ptr [edi+C]
7C932EB7 FF75 08 push dword ptr [ebp+8]
7C932EBA 53 push ebx
7C932EBB E8 F2FEFFFF call RtlAddressInSectionTable
7C932EC0 8B4F 0C mov ecx, [edi+C]
7C932EC3 2B4D D0 sub ecx, [ebp-30]
7C932EC6 034D E0 add ecx, [ebp-20]
7C932EC9 2BC8 sub ecx, eax
7C932ECB 03F1 add esi, ecx
7C932ECD ^ E9 BAFAFFFF jmp 7C93298C
7C932ED2 6A 00 push 0
7C932ED4 6A 1C push 1C
7C932ED6 8D45 E4 lea eax, [ebp-1C]
7C932ED9 50 push eax
7C932EDA 6A 00 push 0
7C932EDC 56 push esi ; ntdll.ZwTerminateProcess
7C932EDD 6A FF push -1
7C932EDF E8 2FB3FFFF call ZwQueryVirtualMemory
7C932EE4 85C0 test eax, eax
7C932EE6 0F8C 0E400300 jl 7C966EFA
7C932EEC 8B45 F0 mov eax, [ebp-10]
7C932EEF ^ E9 39FDFFFF jmp 7C932C2D
7C932EF4 B8 890000C0 mov eax, C0000089
7C932EF9 ^ E9 5BFDFFFF jmp 7C932C59
; Multi-byte code page path of RtlUnicodeToMultiByteN, reached from the
; `jnz 7C932EFE` at 7C932FAF when NlsMbCodePageTag is non-zero. The frame and
; the saved ebx/esi/edi belong to the entry at 7C932F9B.
; Register roles on entry and in the loop:
;   esi = input length in 16-bit units (source byte count shifted right by 1)
;   edi = bytes still free in the output buffer ([ebp+C])
;   eax = output write cursor, starting at [ebp+8]
; Each input unit indexes a table of 16-bit entries at [7C99E260]; a non-zero
; high byte means a two-byte output character.
; Bounds handling visible here: the loop stops when edi reaches 0, and before
; writing a two-byte character it checks that at least 2 bytes remain
; (cmp ebx, 2 / jb), so a lead byte is never written without its trail byte.
; On exit the number of bytes written is stored through [ebp+10] if non-NULL.
7C932EFE 85F6 test esi, esi ; ntdll.ZwTerminateProcess
7C932F00 8B45 08 mov eax, [ebp+8]
7C932F03 8945 08 mov [ebp+8], eax
; flags still come from `test esi, esi`: nothing to convert -> finish
7C932F06 74 38 je short 7C932F40
7C932F08 8B7D 0C mov edi, [ebp+C] ; RPCRT4.77E8F3B0
; loop top: stop when the output buffer is full
7C932F0B 85FF test edi, edi
7C932F0D 74 31 je short 7C932F40
7C932F0F 8B4D 14 mov ecx, [ebp+14]
7C932F12 0FB709 movzx ecx, word ptr [ecx]
7C932F15 8B15 60E2997C mov edx, [7C99E260]
7C932F1B 66:8B0C4A mov cx, [edx+ecx*2]
; advance the source pointer kept in the argument slot
7C932F1F 8345 14 02 add dword ptr [ebp+14], 2
7C932F23 66:8BD1 mov dx, cx
7C932F26 66:C1EA 08 shr dx, 8
; dl = high byte of the table entry; zero means single-byte output
7C932F2A 84D2 test dl, dl
7C932F2C 74 0B je short 7C932F39
; two-byte character: require 2 free bytes, counting the first one here
7C932F2E 8BDF mov ebx, edi
7C932F30 4F dec edi
7C932F31 83FB 02 cmp ebx, 2
7C932F34 72 0A jb short 7C932F40
7C932F36 8810 mov [eax], dl
7C932F38 40 inc eax
7C932F39 8808 mov [eax], cl
7C932F3B 40 inc eax
7C932F3C 4F dec edi
7C932F3D 4E dec esi ; ntdll.ZwTerminateProcess
7C932F3E ^ 75 CB jnz short 7C932F0B
; done: report bytes written (cursor - start) if the caller asked for it
7C932F40 8B4D 10 mov ecx, [ebp+10]
7C932F43 85C9 test ecx, ecx
7C932F45 0F84 BB000000 je 7C933006
7C932F4B 2B45 08 sub eax, [ebp+8]
7C932F4E 8901 mov [ecx], eax
; 7C933006 is the shared epilogue, which returns 0 in eax
7C932F50 E9 B1000000 jmp 7C933006
7C932F55 90 nop
; Data, not code: this is the jump table used by
; `jmp [edi*4+7C932F56]` at 7C932FEE. The debugger decoded it linearly, so the
; mnemonics below are artifacts. It holds 16 little-endian dword targets,
; matching the `cmp edi, 0F / ja` guard in front of the indirect jump:
;   0: 7C932FFF   1: 7C932FF5   2: 7C93300F   3: 7C93302F
;   4: 7C933025   5: 7C93301B   6: 7C933045   7: 7C93303B
;   8: 7C933051   9: 7C93305D  10: 7C933069  11: 7C933075
;  12: 7C933081  13: 7C93308D  14: 7C933099  15: 7C9330A5
; The last listed byte (90) is padding after entry 15.
7C932F56 FF2F jmp far fword ptr [edi]
7C932F58 93 xchg eax, ebx
7C932F59 ^ 7C F5 jl short 7C932F50
7C932F5B 2F das
7C932F5C 93 xchg eax, ebx
7C932F5D 7C 0F jl short 7C932F6E
7C932F5F 3093 7C2F3093 xor [ebx+93302F7C], dl
7C932F65 7C 25 jl short 7C932F8C
7C932F67 3093 7C1B3093 xor [ebx+93301B7C], dl
7C932F6D 7C 45 jl short 7C932FB4
7C932F6F 3093 7C3B3093 xor [ebx+93303B7C], dl
7C932F75 7C 51 jl short 7C932FC8
7C932F77 3093 7C5D3093 xor [ebx+93305D7C], dl
7C932F7D 7C 69 jl short 7C932FE8
7C932F7F 3093 7C753093 xor [ebx+9330757C], dl
7C932F85 ^ 7C 81 jl short 7C932F08
7C932F87 3093 7C8D3093 xor [ebx+93308D7C], dl
7C932F8D ^ 7C 99 jl short 7C932F28
7C932F8F 3093 7CA53093 xor [ebx+9330A57C], dl
7C932F95 ^ 7C 90 jl short 7C932F27
7C932F97 90 nop
7C932F98 90 nop
7C932F99 90 nop
7C932F9A 90 nop
; RtlUnicodeToMultiByteN (name taken from the debugger's label on the call at
; 7C93312F). stdcall, five stack arguments (retn 14).
;   [ebp+8]  = output byte buffer
;   [ebp+C]  = size of the output buffer in bytes
;   [ebp+10] = optional pointer receiving the number of bytes produced
;   [ebp+14] = input buffer of 16-bit characters
;   [ebp+18] = input size in bytes (halved to a character count in esi)
; Returns 0 in eax on the paths visible here.
; If NlsMbCodePageTag is non-zero the multi-byte path at 7C932EFE is taken.
; Otherwise each 16-bit input value indexes a byte table whose base is loaded
; from [7C99C040] (`mov bl, [ebx+esi]`), one output byte per input character.
; Length handling: edx starts as the output size; when the input character
; count is smaller the code branches to 7C930CDE, which is outside this view
; (presumably it lowers the count to the input length - confirm). The count in
; edx is what bounds every write below.
; Loop shape: the count is consumed 16 characters per pass. edi = count & 0F
; selects an entry in the jump table at 7C932F56 so the first pass handles
; the remainder; ecx and eax are pre-biased (-0F, -1E) so that the fixed
; offsets in the unrolled stores land on the right elements. Later passes run
; with edi = 10h and enter at 7C9330AF. The labels chain downwards through
; short jumps, each handling the elements below it.
7C932F9B > 8BFF mov edi, edi
7C932F9D 55 push ebp
7C932F9E 8BEC mov ebp, esp
7C932FA0 53 push ebx
7C932FA1 56 push esi ; ntdll.ZwTerminateProcess
7C932FA2 8B75 18 mov esi, [ebp+18] ; trscd.00454965
7C932FA5 D1EE shr esi, 1
7C932FA7 803D 10C0997C 0>cmp byte ptr [NlsMbCodePageTag], 0
7C932FAE 57 push edi
7C932FAF ^ 0F85 49FFFFFF jnz 7C932EFE
7C932FB5 8B55 0C mov edx, [ebp+C] ; RPCRT4.77E8F3B0
; unsigned compare: fewer input characters than output bytes -> 7C930CDE
7C932FB8 3BF2 cmp esi, edx ; msvcrt.77C31AE8
7C932FBA ^ 0F82 1EDDFFFF jb 7C930CDE
; report the byte count through [ebp+10] when the pointer is non-NULL
7C932FC0 8B45 10 mov eax, [ebp+10]
7C932FC3 85C0 test eax, eax
7C932FC5 74 02 je short 7C932FC9
7C932FC7 8910 mov [eax], edx ; msvcrt.77C31AE8
7C932FC9 8B4D 08 mov ecx, [ebp+8]
7C932FCC 8B45 14 mov eax, [ebp+14]
7C932FCF 8B35 40C0997C mov esi, [7C99C040]
7C932FD5 8BFA mov edi, edx ; msvcrt.77C31AE8
7C932FD7 83E7 0F and edi, 0F
7C932FDA 03CF add ecx, edi
7C932FDC 8D0478 lea eax, [eax+edi*2]
7C932FDF 83C1 F1 add ecx, -0F
7C932FE2 83C0 E2 add eax, -1E
; edi is 0..0F on the first pass and 10h on every later pass
7C932FE5 83FF 0F cmp edi, 0F
7C932FE8 0F87 C1000000 ja 7C9330AF
; the debugger comment shows the table entry for the current edi only
7C932FEE FF24BD 562F937C jmp [edi*4+7C932F56] ; ntdll.7C932FFF
7C932FF5 0FB758 1C movzx ebx, word ptr [eax+1C]
7C932FF9 8A1C33 mov bl, [ebx+esi]
7C932FFC 8859 0E mov [ecx+E], bl
; end of a pass: edx -= characters just handled, edi = 10h for the next pass
; (push/pop do not change the flags set by sub)
7C932FFF 6A 10 push 10
7C933001 2BD7 sub edx, edi
7C933003 5F pop edi ; ntdll.7C92E89A
7C933004 ^ 75 DF jnz short 7C932FE5
; shared epilogue, also used by the multi-byte path
7C933006 5F pop edi ; ntdll.7C92E89A
7C933007 5E pop esi ; ntdll.7C92E89A
7C933008 33C0 xor eax, eax
7C93300A 5B pop ebx ; ntdll.7C92E89A
7C93300B 5D pop ebp ; ntdll.7C92E89A
7C93300C C2 1400 retn 14
7C93300F 0FB758 1A movzx ebx, word ptr [eax+1A]
7C933013 8A1C33 mov bl, [ebx+esi]
7C933016 8859 0D mov [ecx+D], bl
7C933019 ^ EB DA jmp short 7C932FF5
7C93301B 0FB758 14 movzx ebx, word ptr [eax+14]
7C93301F 8A1C33 mov bl, [ebx+esi]
7C933022 8859 0A mov [ecx+A], bl
7C933025 0FB758 16 movzx ebx, word ptr [eax+16]
7C933029 8A1C33 mov bl, [ebx+esi]
7C93302C 8859 0B mov [ecx+B], bl
7C93302F 0FB758 18 movzx ebx, word ptr [eax+18]
7C933033 8A1C33 mov bl, [ebx+esi]
7C933036 8859 0C mov [ecx+C], bl
7C933039 ^ EB D4 jmp short 7C93300F
7C93303B 0FB758 10 movzx ebx, word ptr [eax+10]
7C93303F 8A1C33 mov bl, [ebx+esi]
7C933042 8859 08 mov [ecx+8], bl
7C933045 0FB758 12 movzx ebx, word ptr [eax+12]
7C933049 8A1C33 mov bl, [ebx+esi]
7C93304C 8859 09 mov [ecx+9], bl
7C93304F ^ EB CA jmp short 7C93301B
7C933051 0FB758 0E movzx ebx, word ptr [eax+E]
7C933055 8A1C33 mov bl, [ebx+esi]
7C933058 8859 07 mov [ecx+7], bl
7C93305B ^ EB DE jmp short 7C93303B
7C93305D 0FB758 0C movzx ebx, word ptr [eax+C]
7C933061 8A1C33 mov bl, [ebx+esi]
7C933064 8859 06 mov [ecx+6], bl
7C933067 ^ EB E8 jmp short 7C933051
7C933069 0FB758 0A movzx ebx, word ptr [eax+A]
7C93306D 8A1C33 mov bl, [ebx+esi]
7C933070 8859 05 mov [ecx+5], bl
7C933073 ^ EB E8 jmp short 7C93305D
7C933075 0FB758 08 movzx ebx, word ptr [eax+8]
7C933079 8A1C33 mov bl, [ebx+esi]
7C93307C 8859 04 mov [ecx+4], bl
7C93307F ^ EB E8 jmp short 7C933069
7C933081 0FB758 06 movzx ebx, word ptr [eax+6]
7C933085 8A1C33 mov bl, [ebx+esi]
7C933088 8859 03 mov [ecx+3], bl
7C93308B ^ EB E8 jmp short 7C933075
7C93308D 0FB758 04 movzx ebx, word ptr [eax+4]
7C933091 8A1C33 mov bl, [ebx+esi]
7C933094 8859 02 mov [ecx+2], bl
7C933097 ^ EB E8 jmp short 7C933081
7C933099 0FB758 02 movzx ebx, word ptr [eax+2]
7C93309D 8A1C33 mov bl, [ebx+esi]
7C9330A0 8859 01 mov [ecx+1], bl
7C9330A3 ^ EB E8 jmp short 7C93308D
7C9330A5 0FB718 movzx ebx, word ptr [eax]
7C9330A8 8A1C33 mov bl, [ebx+esi]
7C9330AB 8819 mov [ecx], bl
7C9330AD ^ EB EA jmp short 7C933099
; full 16-character pass: handle element 15, then step both cursors forward
7C9330AF 0FB758 1E movzx ebx, word ptr [eax+1E]
7C9330B3 8A1C33 mov bl, [ebx+esi]
7C9330B6 83C0 20 add eax, 20
7C9330B9 83C1 10 add ecx, 10
7C9330BC 8859 FF mov [ecx-1], bl
7C9330BF ^ EB E4 jmp short 7C9330A5
7C9330C1 90 nop
7C9330C2 90 nop
7C9330C3 90 nop
7C9330C4 90 nop
7C9330C5 90 nop
; Function at 7C9330C6 (no symbol shown). stdcall, three arguments (retn 0C).
; Converts a counted 16-bit-character string into a counted byte string by
; calling RtlUnicodeToMultiByteN.
;   [ebp+8]  = destination descriptor (esi): word +0 length, word +2 capacity,
;              dword +4 buffer pointer, as written below
;   [ebp+C]  = source descriptor (edi): word +0 length in bytes, dword +4 buffer
;   [ebp+10] = byte flag; non-zero means allocate the destination buffer here,
;              zero branches to 7C9347C8 (outside this view)
; Returns [ebp-4], which is zeroed on entry and not written again on the
; path shown. ebx is kept at 0 throughout and used as the zero constant.
; Size computation: eax = (source length + 2) >> 1, i.e. one output byte per
; source character plus a terminator; values above 0FFFF go to 7C95C4E9.
; The allocation is an indirect call through [7C9309C0]; a NULL result goes to
; 7C95C4F3. After conversion a zero byte is stored at buffer[bytes written],
; using the count RtlUnicodeToMultiByteN returned through [ebp+C].
; If NlsMbCodePageTag is non-zero the whole function continues at 7C95C4DE.
7C9330C6 > 8BFF mov edi, edi
7C9330C8 55 push ebp
7C9330C9 8BEC mov ebp, esp
7C9330CB 51 push ecx
7C9330CC 53 push ebx
7C9330CD 33DB xor ebx, ebx
7C9330CF 381D 10C0997C cmp [NlsMbCodePageTag], bl
7C9330D5 57 push edi
7C9330D6 8B7D 0C mov edi, [ebp+C] ; RPCRT4.77E8F3B0
7C9330D9 895D FC mov [ebp-4], ebx
7C9330DC 0F85 FC930200 jnz 7C95C4DE
7C9330E2 0FB707 movzx eax, word ptr [edi]
7C9330E5 40 inc eax
7C9330E6 40 inc eax
7C9330E7 D1E8 shr eax, 1
7C9330E9 3D FFFF0000 cmp eax, 0FFFF
7C9330EE 0F87 F5930200 ja 7C95C4E9
7C9330F4 385D 10 cmp [ebp+10], bl
7C9330F7 56 push esi ; ntdll.ZwTerminateProcess
7C9330F8 8B75 08 mov esi, [ebp+8]
; destination length = required size minus the terminator
7C9330FB 8D48 FF lea ecx, [eax-1]
7C9330FE 66:890E mov [esi], cx
; flags are still those of `cmp [ebp+10], bl`
7C933101 0F84 C1160000 je 7C9347C8
7C933107 50 push eax
7C933108 66:8946 02 mov [esi+2], ax
7C93310C FF15 C009937C call [7C9309C0] ; ntdll.7C9309C9
7C933112 3BC3 cmp eax, ebx
7C933114 8946 04 mov [esi+4], eax
7C933117 0F84 D6930200 je 7C95C4F3
; arguments are pushed right to left: source size, source buffer,
; &bytes written (reusing the [ebp+C] slot), destination size, destination
7C93311D 0FB707 movzx eax, word ptr [edi]
7C933120 50 push eax
7C933121 FF77 04 push dword ptr [edi+4]
7C933124 8D45 0C lea eax, [ebp+C]
7C933127 50 push eax
7C933128 0FB706 movzx eax, word ptr [esi]
7C93312B 50 push eax
7C93312C FF76 04 push dword ptr [esi+4]
7C93312F E8 67FEFFFF call RtlUnicodeToMultiByteN
7C933134 8BF8 mov edi, eax
; negative status -> failure path at 7C95C51C
7C933136 3BFB cmp edi, ebx
7C933138 0F8C DE930200 jl 7C95C51C
7C93313E 8B46 04 mov eax, [esi+4]
7C933141 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
; terminate: buffer[bytes written] = 0
7C933144 881C01 mov [ecx+eax], bl
7C933147 8B45 FC mov eax, [ebp-4]
7C93314A 5E pop esi ; ntdll.7C92E89A
7C93314B 5F pop edi ; ntdll.7C92E89A
7C93314C 5B pop ebx ; ntdll.7C92E89A
7C93314D C9 leave
7C93314E C2 0C00 retn 0C
7C933151 90 nop
7C933152 90 nop
7C933153 90 nop
7C933154 90 nop
7C933155 90 nop
; Function at 7C933156 (no symbol shown). stdcall, three arguments (retn 0C).
; Returns 1 in eax unless the second argument [ebp+C] equals 1, in which case
; execution continues at 7C942822, outside this view.
7C933156 > 8BFF mov edi, edi
7C933158 55 push ebp
7C933159 8BEC mov ebp, esp
7C93315B 837D 0C 01 cmp dword ptr [ebp+C], 1
7C93315F 0F84 BDF60000 je 7C942822
7C933165 33C0 xor eax, eax
7C933167 40 inc eax
7C933168 5D pop ebp ; ntdll.7C92E89A
7C933169 C2 0C00 retn 0C
7C93316C 90 nop
7C93316D 90 nop
7C93316E 90 nop
7C93316F 90 nop
7C933170 90 nop
; Function at 7C933171 (no symbol shown). stdcall, three arguments (retn 0C).
; The frame is built by the helper at 7C92EDC2 (outside this view; presumably
; an exception-handling prologue) from the two pushed values, and torn down by
; 7C92EE02, so ebp-relative operands are valid only after the first call.
;   [ebp+8]  = flags; any bit other than 0 and 1 goes to 7C95D134
;   [ebp+C]  = must be 0 on the path shown (non-zero goes to 7C958533)
;   [ebp+10] = pointer receiving a cookie; zeroed first, NULL goes to 7C95D14D
; Path shown (flag bit 0 set, bit 1 clear, byte [7C99C120] == 0): enter the
; critical section at 7C99C0D8, atomically increment the counter at 7C99C044,
; and store cookie = ((dword [TEB+24] & 0FFF) << 10h) | (new count & 0FFFF).
; TEB+24 is the current thread id on 32-bit Windows, so the cookie records
; which thread took the lock. Returns 0 in eax.
; When byte [7C99C120] is non-zero the lock is not taken and the cookie
; stays 0.
7C933171 > 6A 14 push 14
7C933173 68 1832937C push 7C933218
7C933178 E8 45BCFFFF call 7C92EDC2
7C93317D 8A1D 20C1997C mov bl, [7C99C120]
7C933183 8B75 0C mov esi, [ebp+C] ; RPCRT4.77E8F3B0
7C933186 33D2 xor edx, edx ; msvcrt.77C31AE8
7C933188 3BF2 cmp esi, edx ; msvcrt.77C31AE8
7C93318A 0F85 A3530200 jnz 7C958533
7C933190 8B7D 10 mov edi, [ebp+10]
7C933193 3BFA cmp edi, edx ; msvcrt.77C31AE8
7C933195 74 02 je short 7C933199
7C933197 8917 mov [edi], edx ; msvcrt.77C31AE8
7C933199 8B4D 08 mov ecx, [ebp+8]
; reject undefined flag bits
7C93319C F7C1 FCFFFFFF test ecx, FFFFFFFC
7C9331A2 0F85 8C9F0200 jnz 7C95D134
7C9331A8 3BFA cmp edi, edx ; msvcrt.77C31AE8
7C9331AA 0F84 9D9F0200 je 7C95D14D
7C9331B0 8BC1 mov eax, ecx
7C9331B2 83E0 02 and eax, 2
7C9331B5 0F85 7F530200 jnz 7C95853A
7C9331BB 84DB test bl, bl
7C9331BD 75 4A jnz short 7C933209
; ebx = 1: used both to test flag bit 0 and as the xadd increment
7C9331BF 33DB xor ebx, ebx
7C9331C1 43 inc ebx
7C9331C2 84CB test bl, cl
7C9331C4 0F84 7A160000 je 7C934844
7C9331CA 68 D8C0997C push 7C99C0D8
7C9331CF 3BC2 cmp eax, edx ; msvcrt.77C31AE8
7C9331D1 0F85 41540200 jnz 7C958618
7C9331D7 E8 29DEFEFF call RtlEnterCriticalSection
7C9331DC 85F6 test esi, esi ; ntdll.ZwTerminateProcess
7C9331DE 0F85 A69F0200 jnz 7C95D18A
7C9331E4 64:A1 18000000 mov eax, fs:[18]
7C9331EA B9 44C0997C mov ecx, 7C99C044
; atomic fetch-and-add: ebx receives the previous counter value
7C9331EF F0:0FC119 lock xadd [ecx], ebx
7C9331F3 43 inc ebx
7C9331F4 81E3 FFFF0000 and ebx, 0FFFF
7C9331FA 8B40 24 mov eax, [eax+24]
7C9331FD 25 FF0F0000 and eax, 0FFF
7C933202 C1E0 10 shl eax, 10
7C933205 0BD8 or ebx, eax
7C933207 891F mov [edi], ebx
7C933209 33F6 xor esi, esi ; ntdll.ZwTerminateProcess
7C93320B 8BC6 mov eax, esi ; ntdll.ZwTerminateProcess
7C93320D E8 F0BBFFFF call 7C92EE02
7C933212 C2 0C00 retn 0C
7C933215 90 nop
7C933216 90 nop
7C933217 90 nop
; Data, not code: 7C933218 is the address pushed at 7C933173. As little-endian
; dwords the bytes are FFFFFFFF, 7C95D1C1, 7C95D1DC, followed by 90 padding;
; the mnemonics shown are decoding artifacts.
7C933218 FFFF ??? ; unknown command (data bytes)
7C93321A FFFF ??? ; unknown command (data bytes)
7C93321C C1D1 95 rcl ecx, 95
7C93321F ^ 7C DC jl short 7C9331FD
7C933221 D195 7C909090 rcl dword ptr [ebp+9090907C], 1
7C933227 90 nop
7C933228 90 nop
; Function at 7C933229 (no symbol shown). stdcall, two arguments (retn 8).
; The frame is built by the helper at 7C92EDC2 (outside this view; presumably
; an exception-handling prologue) and torn down by 7C92EE02.
;   [ebp+8] = flags; any bit other than bit 0 goes to 7C95D26A
;   [ebp+C] = cookie; 0 returns immediately without touching the lock
; Cookie validation before the critical section at 7C99C0D8 is released:
;   - the top four bits must be clear, and
;   - bits 10h..1Bh must equal the low 12 bits of dword [TEB+24] (the current
;     thread id on 32-bit Windows);
; either failure goes to 7C95D283. This rejects a release attempted with a
; cookie that was not issued to the calling thread.
; With flag bit 0 clear the function continues at 7C94A814. Returns 0 in eax.
7C933229 > 6A 0C push 0C
7C93322B 68 9032937C push 7C933290
7C933230 E8 8DBBFFFF call 7C92EDC2
7C933235 8B55 08 mov edx, [ebp+8]
7C933238 F7C2 FEFFFFFF test edx, FFFFFFFE
7C93323E 0F85 26A00200 jnz 7C95D26A
7C933244 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C933247 85C9 test ecx, ecx
7C933249 74 36 je short 7C933281
7C93324B F7C1 000000F0 test ecx, F0000000
7C933251 0F85 2CA00200 jnz 7C95D283
7C933257 64:A1 18000000 mov eax, fs:[18]
; compare the thread bits stored in the cookie with the current thread
7C93325D C1E9 10 shr ecx, 10
7C933260 3348 24 xor ecx, [eax+24]
7C933263 66:F7C1 FF0F test cx, 0FFF
7C933268 0F85 15A00200 jnz 7C95D283
7C93326E F6C2 01 test dl, 1
7C933271 0F84 9D750100 je 7C94A814
7C933277 68 D8C0997C push 7C99C0D8
7C93327C E8 6CDEFEFF call RtlLeaveCriticalSection
7C933281 33C0 xor eax, eax
7C933283 E8 7ABBFFFF call 7C92EE02
7C933288 C2 0800 retn 8
7C93328B 90 nop
7C93328C 90 nop
7C93328D 90 nop
7C93328E 90 nop
7C93328F 90 nop
; Data, not code: 7C933290 is the address pushed at 7C93322B. As little-endian
; dwords the bytes are FFFFFFFF, 7C95D2A1, 7C95D2BC, followed by 90 padding;
; the mnemonics shown are decoding artifacts.
7C933290 FFFF ??? ; unknown command (data bytes)
7C933292 FFFF ??? ; unknown command (data bytes)
7C933294 A1 D2957CBC mov eax, [BC7C95D2]
7C933299 D295 7C909090 rcl byte ptr [ebp+9090907C], cl
7C93329F 90 nop
7C9332A0 90 nop
; Function at 7C9332A1 (no symbol shown). stdcall, four arguments (retn 10).
; Fills in the header of a message buffer and sends it with
; ZwRequestWaitReplyPort, using the same buffer for request and reply.
;   [ebp+8]  = message buffer (esi)
;   [ebp+C]  = optional second buffer (edi); non-NULL goes to 7C93EC49
;   [ebp+10] = value stored at message+1C
;   [ebp+14] = length; negative goes to 7C95CD29
; Header written here: dword +0 = ((len << 10h) | len) + 2C0010, dword +4 = 0,
; dword +18 = 0, dword +1C = [ebp+10]. The port handle comes from [7C99C134].
; Returns the dword at message+20 after a successful call; a negative status
; from the system call goes to 7C95CD34.
; Only the sign of the length is checked before it is packed into two 16-bit
; fields, so the function relies on its callers passing a small value.
; A non-zero byte at 7C99C138 diverts to 7C951688 before any call is made.
7C9332A1 > 8BFF mov edi, edi
7C9332A3 55 push ebp
7C9332A4 8BEC mov ebp, esp
7C9332A6 8B45 14 mov eax, [ebp+14]
7C9332A9 53 push ebx
7C9332AA 33DB xor ebx, ebx
7C9332AC 3BC3 cmp eax, ebx
7C9332AE 56 push esi ; ntdll.ZwTerminateProcess
7C9332AF 8B75 08 mov esi, [ebp+8]
; flags are still those of `cmp eax, ebx` (signed: length < 0)
7C9332B2 0F8C 719A0200 jl 7C95CD29
7C9332B8 895E 04 mov [esi+4], ebx
7C9332BB 8BC8 mov ecx, eax
7C9332BD C1E1 10 shl ecx, 10
7C9332C0 0BC8 or ecx, eax
7C9332C2 8B45 10 mov eax, [ebp+10]
7C9332C5 81C1 10002C00 add ecx, 2C0010
7C9332CB 890E mov [esi], ecx
7C9332CD 895E 18 mov [esi+18], ebx
7C9332D0 8946 1C mov [esi+1C], eax
7C9332D3 381D 38C1997C cmp [7C99C138], bl
7C9332D9 0F85 A9E30100 jnz 7C951688
7C9332DF 57 push edi
7C9332E0 8B7D 0C mov edi, [ebp+C] ; RPCRT4.77E8F3B0
7C9332E3 3BFB cmp edi, ebx
7C9332E5 0F85 5EB90000 jnz 7C93EC49
; same buffer passed as both request and reply message
7C9332EB 56 push esi ; ntdll.ZwTerminateProcess
7C9332EC 56 push esi ; ntdll.ZwTerminateProcess
7C9332ED FF35 34C1997C push dword ptr [7C99C134]
7C9332F3 E8 E9B0FFFF call ZwRequestWaitReplyPort
7C9332F8 3BFB cmp edi, ebx
7C9332FA 0F85 68B80000 jnz 7C93EB68
7C933300 5F pop edi ; ntdll.7C92E89A
7C933301 3BC3 cmp eax, ebx
7C933303 0F8C 2B9A0200 jl 7C95CD34
7C933309 8B46 20 mov eax, [esi+20]
7C93330C 5E pop esi ; ntdll.7C92E89A
7C93330D 5B pop ebx ; ntdll.7C92E89A
7C93330E 5D pop ebp ; ntdll.7C92E89A
7C93330F C2 1000 retn 10
7C933312 90 nop
7C933313 90 nop
7C933314 90 nop
7C933315 90 nop
7C933316 90 nop
; Function at 7C933317 (no symbol shown). stdcall, two arguments (retn 8).
; Finds the loader list entry whose dword at +18 equals the first argument.
;   [ebp+8] = value to match (esi); +18 in a loader data-table entry is the
;             module base address
;   [ebp+C] = pointer receiving the matching entry
; Returns al = 1 on a match; an exhausted list goes to 7C95027C.
; A one-entry cache at 7C99C124 is tried first and refreshed on a hit.
; The walk is TEB (fs:[18]) -> +30 PEB -> +0C loader data -> list head at +0C,
; following forward links until the head is reached again. Entries whose dword
; at +8 is zero are skipped.
; The list lives in ordinary process memory that the process itself can
; modify, so results derived from it should be cross-checked against the
; kernel's view of mapped images when they are used for inspection.
7C933317 8BFF mov edi, edi
7C933319 55 push ebp
7C93331A 8BEC mov ebp, esp
7C93331C A1 24C1997C mov eax, [7C99C124]
7C933321 85C0 test eax, eax
7C933323 56 push esi ; ntdll.ZwTerminateProcess
7C933324 8B75 08 mov esi, [ebp+8]
; empty cache or cache miss -> full list walk
7C933327 74 11 je short 7C93333A
7C933329 3970 18 cmp [eax+18], esi ; ntdll.ZwTerminateProcess
7C93332C 75 0C jnz short 7C93333A
7C93332E 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C933331 8901 mov [ecx], eax
7C933333 B0 01 mov al, 1
7C933335 5E pop esi ; ntdll.7C92E89A
7C933336 5D pop ebp ; ntdll.7C92E89A
7C933337 C2 0800 retn 8
7C93333A 64:A1 18000000 mov eax, fs:[18]
7C933340 8B40 30 mov eax, [eax+30]
7C933343 8B40 0C mov eax, [eax+C]
; eax = address of the list head; ecx = first entry
7C933346 83C0 0C add eax, 0C
7C933349 8B08 mov ecx, [eax]
; loop top: back at the head means no entry matched
7C93334B 3BC8 cmp ecx, eax
7C93334D 0F84 29CF0100 je 7C95027C
7C933353 8BD1 mov edx, ecx
7C933355 837A 08 00 cmp dword ptr [edx+8], 0
; advance ecx first; mov does not disturb the flags of the cmp above
7C933359 8B09 mov ecx, [ecx]
7C93335B ^ 74 EE je short 7C93334B
7C93335D 3B72 18 cmp esi, [edx+18] ; ntdll.7C99C900
7C933360 ^ 75 E9 jnz short 7C93334B
7C933362 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C933365 8915 24C1997C mov [7C99C124], edx ; msvcrt.77C31AE8
7C93336B 8910 mov [eax], edx ; msvcrt.77C31AE8
7C93336D ^ EB C4 jmp short 7C933333
7C93336F 90 nop
7C933370 90 nop
7C933371 90 nop
7C933372 90 nop
7C933373 90 nop
; Entry at 7C933374 followed by the body at 7C93337F (no symbols shown).
; The entry stub builds and immediately drops a frame, then falls through the
; nop padding into the body. Caller cleans the stack (plain retn).
;   [ebp+8] = first byte string (edi), [ebp+C] = second byte string (esi)
; Case-insensitive comparison of two zero-terminated byte strings. Returns
; eax = 0 when equal, otherwise -1 or 1 from the first differing pair after
; folding.
; Folding is ASCII only: `sub al,41 / cmp al,1A / sbb cl,cl / and cl,20 /
; add al,cl / add al,41` adds 20h to bytes in 'A'..'Z' and leaves every other
; byte unchanged.
; There is no length argument: the loop reads both strings until a mismatch
; or until a zero byte is seen in both, so both inputs must be terminated.
7C933374 > 8BFF mov edi, edi
7C933376 55 push ebp
7C933377 8BEC mov ebp, esp
7C933379 5D pop ebp ; ntdll.7C92E89A
7C93337A 90 nop
7C93337B 90 nop
7C93337C 90 nop
7C93337D 90 nop
7C93337E 90 nop
7C93337F 55 push ebp
7C933380 8BEC mov ebp, esp
7C933382 57 push edi
7C933383 56 push esi ; ntdll.ZwTerminateProcess
7C933384 53 push ebx
7C933385 8B75 0C mov esi, [ebp+C] ; RPCRT4.77E8F3B0
7C933388 8B7D 08 mov edi, [ebp+8]
; non-zero seed so the first zero test falls through into the loop
7C93338B B0 FF mov al, 0FF
7C93338D 8BFF mov edi, edi
; loop top: al is the last byte compared equal; zero means end of string
7C93338F 0AC0 or al, al
7C933391 74 2E je short 7C9333C1
7C933393 8A06 mov al, [esi]
7C933395 46 inc esi ; ntdll.ZwTerminateProcess
7C933396 8A27 mov ah, [edi]
7C933398 47 inc edi
7C933399 3AE0 cmp ah, al
7C93339B ^ 74 F2 je short 7C93338F
; bytes differ: fold al, swap, fold the other byte, compare again
7C93339D 2C 41 sub al, 41
7C93339F 3C 1A cmp al, 1A
7C9333A1 1AC9 sbb cl, cl
7C9333A3 80E1 20 and cl, 20
7C9333A6 02C1 add al, cl
7C9333A8 04 41 add al, 41
7C9333AA 86E0 xchg al, ah
7C9333AC 2C 41 sub al, 41
7C9333AE 3C 1A cmp al, 1A
7C9333B0 1AC9 sbb cl, cl
7C9333B2 80E1 20 and cl, 20
7C9333B5 02C1 add al, cl
7C9333B7 04 41 add al, 41
7C9333B9 3AC4 cmp al, ah
7C9333BB ^ 74 D2 je short 7C93338F
; turn the carry of the last compare into -1 (below) or 1 (above)
7C9333BD 1AC0 sbb al, al
7C9333BF 1C FF sbb al, 0FF
7C9333C1 0FBEC0 movsx eax, al
7C9333C4 5B pop ebx ; ntdll.7C92E89A
7C9333C5 5E pop esi ; ntdll.7C92E89A
7C9333C6 5F pop edi ; ntdll.7C92E89A
7C9333C7 C9 leave
7C9333C8 C3 retn
7C9333C9 90 nop
7C9333CA 90 nop
7C9333CB 90 nop
7C9333CC 90 nop
7C9333CD 90 nop
; Function at 7C9333CE (no symbol shown). stdcall, three arguments (retn 0C).
; Equality test for two counted strings of 16-bit characters.
;   [ebp+8]  = first descriptor: word +0 length in bytes, dword +4 buffer
;   [ebp+C]  = second descriptor, same layout
;   [ebp+10] = byte flag; zero goes to 7C957EC9 (outside this view), non-zero
;              selects the case-insensitive loop shown here
; Returns al = 1 when equal, al = 0 otherwise.
; The two length words must match exactly before any character is read, and
; the loop is bounded by first buffer + (length & ~1), so neither buffer is
; read past its stated length.
; Case folding shown here covers 'a'..'z' (61..7A) by subtracting 20h;
; characters above 7A go to 7C96AA12 / 7C96AA46, outside this view. eax is
; loaded from [7C99C04C] before the loop and is not used on the paths shown.
; The [ebp+8], [ebp+C] and [ebp+10] slots are reused as locals inside the loop.
7C9333CE > 8BFF mov edi, edi
7C9333D0 55 push ebp
7C9333D1 8BEC mov ebp, esp
7C9333D3 8B4D 08 mov ecx, [ebp+8]
7C9333D6 8B55 0C mov edx, [ebp+C] ; RPCRT4.77E8F3B0
7C9333D9 0FB701 movzx eax, word ptr [ecx]
7C9333DC 53 push ebx
7C9333DD 56 push esi ; ntdll.ZwTerminateProcess
7C9333DE 0FB732 movzx esi, word ptr [edx]
7C9333E1 3BC6 cmp eax, esi ; ntdll.ZwTerminateProcess
7C9333E3 57 push edi
; lengths equal -> compare contents; otherwise fall into "not equal"
7C9333E4 74 09 je short 7C9333EF
7C9333E6 32C0 xor al, al
7C9333E8 5F pop edi ; ntdll.7C92E89A
7C9333E9 5E pop esi ; ntdll.7C92E89A
7C9333EA 5B pop ebx ; ntdll.7C92E89A
7C9333EB 5D pop ebp ; ntdll.7C92E89A
7C9333EC C2 0C00 retn 0C
7C9333EF 8B71 04 mov esi, [ecx+4]
7C9333F2 8B7A 04 mov edi, [edx+4]
; end pointer = first buffer + length rounded down to an even byte count
7C9333F5 83E0 FE and eax, FFFFFFFE
7C9333F8 03C6 add eax, esi ; ntdll.ZwTerminateProcess
7C9333FA 807D 10 00 cmp byte ptr [ebp+10], 0
7C9333FE 8BD0 mov edx, eax
7C933400 8955 0C mov [ebp+C], edx ; msvcrt.77C31AE8
7C933403 0F84 C04A0200 je 7C957EC9
7C933409 3BF2 cmp esi, edx ; msvcrt.77C31AE8
7C93340B 73 21 jnb short 7C93342E
7C93340D A1 4CC0997C mov eax, [7C99C04C]
; loop top: dx = next character of the first string, cx = of the second
7C933412 66:8B16 mov dx, [esi]
7C933415 33C9 xor ecx, ecx
7C933417 66:8B0F mov cx, [edi]
7C93341A 46 inc esi ; ntdll.ZwTerminateProcess
7C93341B 46 inc esi ; ntdll.ZwTerminateProcess
7C93341C 47 inc edi
7C93341D 47 inc edi
7C93341E 66:3BD1 cmp dx, cx
7C933421 897D 08 mov [ebp+8], edi
7C933424 894D 10 mov [ebp+10], ecx
7C933427 75 09 jnz short 7C933432
7C933429 3B75 0C cmp esi, [ebp+C] ; RPCRT4.77E8F3B0
7C93342C ^ 72 E4 jb short 7C933412
7C93342E B0 01 mov al, 1
7C933430 ^ EB B6 jmp short 7C9333E8
; raw characters differ: fold each side, then compare again at 7C933451
7C933432 66:83FA 61 cmp dx, 61
7C933436 73 24 jnb short 7C93345C
7C933438 0FB7D2 movzx edx, dx
7C93343B 66:83F9 61 cmp cx, 61
7C93343F 72 16 jb short 7C933457
7C933441 66:83F9 7A cmp cx, 7A
7C933445 0FB7C9 movzx ecx, cx
7C933448 0F87 F8750300 ja 7C96AA46
7C93344E 83E9 20 sub ecx, 20
7C933451 3BD1 cmp edx, ecx
7C933453 ^ 75 91 jnz short 7C9333E6
7C933455 ^ EB D2 jmp short 7C933429
7C933457 0FB7C9 movzx ecx, cx
7C93345A ^ EB F5 jmp short 7C933451
7C93345C 66:83FA 7A cmp dx, 7A
7C933460 0F87 AC750300 ja 7C96AA12
7C933466 0FB7D2 movzx edx, dx
7C933469 83EA 20 sub edx, 20
7C93346C ^ EB CD jmp short 7C93343B
7C93346E 90 nop
7C93346F 90 nop
7C933470 90 nop
7C933471 90 nop
7C933472 90 nop
; Function at 7C933473 (no symbol shown). Caller cleans the stack (plain retn).
;   [ebp+8] = destination, [ebp+C] = source
; Copies 16-bit units from source to destination up to and including the
; first zero unit, then returns the destination pointer in eax.
; There is no size argument and no bound on the copy: the destination must
; already be large enough for the whole source including its terminator.
7C933473 > 8BFF mov edi, edi
7C933475 55 push ebp
7C933476 8BEC mov ebp, esp
7C933478 8B4D 08 mov ecx, [ebp+8]
7C93347B 8B55 0C mov edx, [ebp+C] ; RPCRT4.77E8F3B0
7C93347E 66:8B02 mov ax, [edx]
7C933481 66:8901 mov [ecx], ax
7C933484 41 inc ecx
7C933485 41 inc ecx
7C933486 42 inc edx ; msvcrt.77C31AE8
7C933487 42 inc edx ; msvcrt.77C31AE8
; the terminator has already been stored when this test ends the loop
7C933488 66:85C0 test ax, ax
7C93348B ^ 75 F1 jnz short 7C93347E
7C93348D 8B45 08 mov eax, [ebp+8]
7C933490 5D pop ebp ; ntdll.7C92E89A
7C933491 C3 retn
7C933492 90 nop
7C933493 90 nop
7C933494 90 nop
7C933495 90 nop
7C933496 90 nop
; Function at 7C933497 (no symbol shown). stdcall, one argument (retn 4).
; The frame is built by the helper at 7C92EDC2 (outside this view; presumably
; an exception-handling prologue) and torn down by 7C92EE02. [ebp-4] is set to
; 0 around the memory reads and back to -1 afterwards, which fits a guarded
; region.
;   [ebp+8] = pointer to a structure whose byte +0 carries a version in its
;             low four bits and whose byte +1 is an element count
; Returns al = 1 when the pointer is non-NULL, (byte +0 & 0F) == 1 and
; byte +1 <= 0F; otherwise al = 0.
; When the count is non-zero the dword at +4 + count*4 (the last element of an
; array of dwords starting at +8) is read and discarded, so an inaccessible
; tail faults inside the guarded region instead of later in a caller.
; NOTE(review): the checks match the header of a security identifier
; (revision 1, at most 15 sub-authorities) - confirm with symbols.
7C933497 > 6A 08 push 8
7C933499 68 E834937C push 7C9334E8
7C93349E E8 1FB9FFFF call 7C92EDC2
7C9334A3 8365 FC 00 and dword ptr [ebp-4], 0
7C9334A7 8B45 08 mov eax, [ebp+8]
7C9334AA 85C0 test eax, eax
7C9334AC 74 2B je short 7C9334D9
7C9334AE 8A08 mov cl, [eax]
7C9334B0 80E1 0F and cl, 0F
7C9334B3 80F9 01 cmp cl, 1
7C9334B6 75 21 jnz short 7C9334D9
7C9334B8 8A48 01 mov cl, [eax+1]
7C9334BB 80F9 0F cmp cl, 0F
7C9334BE 77 19 ja short 7C9334D9
7C9334C0 84C9 test cl, cl
7C9334C2 76 07 jbe short 7C9334CB
7C9334C4 0FB6C9 movzx ecx, cl
; probe read of the last array element; the loaded value is not used
7C9334C7 8B4488 04 mov eax, [eax+ecx*4+4]
7C9334CB 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C9334CF B0 01 mov al, 1
7C9334D1 E8 2CB9FFFF call 7C92EE02
7C9334D6 C2 0400 retn 4
7C9334D9 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C9334DD 32C0 xor al, al
7C9334DF ^ EB F0 jmp short 7C9334D1
7C9334E1 90 nop
7C9334E2 90 nop
7C9334E3 90 nop
7C9334E4 90 nop
7C9334E5 90 nop
7C9334E6 90 nop
7C9334E7 90 nop
; Data, not code: 7C9334E8 is the address pushed at 7C933499. As little-endian
; dwords the bytes are FFFFFFFF, 7C9685B7, 7C9685C0. Real code resumes at
; 7C9334F4 (the target of the `jmp short 7C9334F4` at 7C933511), which falls
; in the middle of the line listed at 7C9334F1: the linear decode is out of
; step from 7C9334E8 through 7C9334FB and the mnemonics there are artifacts.
7C9334E8 FFFF ??? ; unknown command (data bytes)
7C9334EA FFFF ??? ; unknown command (data bytes)
7C9334EC B7 85 mov bh, 85
7C9334EE 96 xchg eax, esi ; ntdll.ZwTerminateProcess
7C9334EF ^ 7C C0 jl short 7C9334B1
7C9334F1 8596 7C0FB672 test [esi+72B60F7C], edx ; msvcrt.77C31AE8
7C9334F7 1866 8B sbb [esi-75], ah
7C9334FA 34 71 xor al, 71
7C9334FC 66:8970 30 mov [eax+30], si
7C933500 ^ E9 73CBFFFF jmp 7C930078
7C933505 0FB672 19 movzx esi, byte ptr [edx+19]
7C933509 66:8B3471 mov si, [ecx+esi*2]
7C93350D 66:8970 32 mov [eax+32], si
7C933511 ^ EB E1 jmp short 7C9334F4
7C933513 0FB672 1B movzx esi, byte ptr [edx+1B]
7C933517 66:8B3471 mov si, [ecx+esi*2]
7C93351B 66:8970 36 mov [eax+36], si
7C93351F 0FB672 1A movzx esi, byte ptr [edx+1A]
7C933523 66:8B3471 mov si, [ecx+esi*2]
7C933527 66:8970 34 mov [eax+34], si
7C93352B ^ EB D8 jmp short 7C933505
7C93352D 0FB672 1D movzx esi, byte ptr [edx+1D]
7C933531 66:8B3471 mov si, [ecx+esi*2]
7C933535 66:8970 3A mov [eax+3A], si
7C933539 0FB672 1C movzx esi, byte ptr [edx+1C]
7C93353D 66:8B3471 mov si, [ecx+esi*2]
7C933541 66:8970 38 mov [eax+38], si
7C933545 ^ EB CC jmp short 7C933513
7C933547 0FB672 1E movzx esi, byte ptr [edx+1E]
7C93354B 66:8B3471 mov si, [ecx+esi*2]
7C93354F 66:8970 3C mov [eax+3C], si
7C933553 ^ EB D8 jmp short 7C93352D
7C933555 0FB672 1F movzx esi, byte ptr [edx+1F]
7C933559 66:8B3471 mov si, [ecx+esi*2]
7C93355D 66:8970 3E mov [eax+3E], si
7C933561 ^ EB E4 jmp short 7C933547
7C933563 2BDF sub ebx, edi
7C933565 83E8 40 sub eax, 40
7C933568 8BF7 mov esi, edi
7C93356A 2BD7 sub edx, edi
7C93356C ^ E9 A3BCFFFF jmp 7C92F214
7C933571 50 push eax
7C933572 66:8946 02 mov [esi+2], ax
7C933576 FF15 C009937C call [7C9309C0] ; ntdll.7C9309C9
7C93357C 3BC3 cmp eax, ebx
7C93357E 8946 04 mov [esi+4], eax
7C933581 0F84 2B8F0200 je 7C95C4B2
7C933587 ^ E9 07BBFFFF jmp 7C92F093
7C93358C 90 nop
7C93358D 90 nop
7C93358E 90 nop
7C93358F 90 nop
7C933590 90 nop
; Function at 7C933591 (no symbol shown). stdcall, two arguments (retn 8).
;   [ebp+8] = destination descriptor passed on to RtlAnsiStringToUnicodeString
;   [ebp+C] = source pointer passed to RtlInitAnsiString
; Builds a temporary 8-byte descriptor at [ebp-8] with RtlInitAnsiString,
; then converts it with RtlAnsiStringToUnicodeString, passing 1 as the third
; argument. Returns al = 1 when the status is non-negative, al = 0 otherwise;
; the status code itself is not returned to the caller.
7C933591 > 8BFF mov edi, edi
7C933593 55 push ebp
7C933594 8BEC mov ebp, esp
; two pushes reserve the 8 bytes at [ebp-8]
7C933596 51 push ecx
7C933597 51 push ecx
7C933598 FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C93359B 8D45 F8 lea eax, [ebp-8]
7C93359E 50 push eax
7C93359F E8 F5DCFEFF call RtlInitAnsiString
7C9335A4 6A 01 push 1
7C9335A6 8D45 F8 lea eax, [ebp-8]
7C9335A9 50 push eax
7C9335AA FF75 08 push dword ptr [ebp+8]
7C9335AD E8 9ABAFFFF call RtlAnsiStringToUnicodeString
7C9335B2 85C0 test eax, eax
7C9335B4 0F9DC0 setge al
7C9335B7 C9 leave
7C9335B8 C2 0800 retn 8
7C9335BB 90 nop
7C9335BC 90 nop
7C9335BD 90 nop
7C9335BE 90 nop
7C9335BF 90 nop
; Function at 7C9335C0 (no symbol shown). stdcall, one argument (retn 4).
;   [ebp+8] = source pointer passed to RtlInitUnicodeStringEx
; Builds a temporary 8-byte descriptor at [ebp-8] with RtlInitUnicodeStringEx
; and, when that succeeds, passes the descriptor to the function at 7C9339ED
; (outside this view) and returns its result. A negative status from
; RtlInitUnicodeStringEx goes to 7C95C8F0 instead of using the descriptor.
7C9335C0 > 8BFF mov edi, edi
7C9335C2 55 push ebp
7C9335C3 8BEC mov ebp, esp
; two pushes reserve the 8 bytes at [ebp-8]
7C9335C5 51 push ecx
7C9335C6 51 push ecx
7C9335C7 FF75 08 push dword ptr [ebp+8]
7C9335CA 8D45 F8 lea eax, [ebp-8]
7C9335CD 50 push eax
7C9335CE E8 D2CDFFFF call RtlInitUnicodeStringEx
7C9335D3 85C0 test eax, eax
7C9335D5 0F8C 15930200 jl 7C95C8F0
7C9335DB 8D45 F8 lea eax, [ebp-8]
7C9335DE 50 push eax
7C9335DF E8 09040000 call 7C9339ED
7C9335E4 C9 leave
7C9335E5 C2 0400 retn 4
7C9335E8 48 dec eax
7C9335E9 0F84 33600000 je 7C939622
7C9335EF 48 dec eax
7C9335F0 0F84 F2550200 je 7C958BE8
7C9335F6 48 dec eax
7C9335F7 0F84 0E780000 je 7C93AE0B
7C9335FD 48 dec eax
7C9335FE 0F85 8B8C0200 jnz 7C95C28F
7C933604 6A 08 push 8
7C933606 5F pop edi ; ntdll.7C92E89A
7C933607 897D A0 mov [ebp-60], edi
7C93360A C745 B8 0400000>mov dword ptr [ebp-48], 4
7C933611 8D43 08 lea eax, [ebx+8]
7C933614 E9 406F0000 jmp 7C93A559
7C933619 8B00 mov eax, [eax]
7C93361B 85C0 test eax, eax
7C93361D 0F84 580A0000 je 7C93407B
7C933623 50 push eax
7C933624 8D85 A8FDFFFF lea eax, [ebp-258]
7C93362A 50 push eax
7C93362B E8 75CDFFFF call RtlInitUnicodeStringEx
7C933630 8985 A4FDFFFF mov [ebp-25C], eax
7C933636 85C0 test eax, eax
7C933638 0F8C B15D0000 jl 7C9393EF
7C93363E 0FB785 A8FDFFFF movzx eax, word ptr [ebp-258]
7C933645 D1E8 shr eax, 1
7C933647 2BF0 sub esi, eax
7C933649 8B85 D0FDFFFF mov eax, [ebp-230] ; ntdll.7C931970
7C93364F 8D0470 lea eax, [eax+esi*2]
7C933652 8B8D A0FDFFFF mov ecx, [ebp-260] ; ntdll.7C92EE18
7C933658 8901 mov [ecx], eax
7C93365A E9 1C0A0000 jmp 7C93407B
7C93365F 90 nop
7C933660 90 nop
7C933661 90 nop
7C933662 90 nop
7C933663 90 nop
; Function at 7C933664 (no symbol shown). stdcall, two arguments (retn 8).
;   [ebp+8] = destination, [ebp+C] = source
; Copies two dwords (8 bytes) from source to destination. Neither pointer is
; checked for NULL. eax is left holding the second copied dword.
7C933664 > 8BFF mov edi, edi
7C933666 55 push ebp
7C933667 8BEC mov ebp, esp
7C933669 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C93366C 8B10 mov edx, [eax]
7C93366E 8B4D 08 mov ecx, [ebp+8]
7C933671 8911 mov [ecx], edx ; msvcrt.77C31AE8
7C933673 8B40 04 mov eax, [eax+4]
7C933676 8941 04 mov [ecx+4], eax
7C933679 5D pop ebp ; ntdll.7C92E89A
7C93367A C2 0800 retn 8
7C93367D 90 nop
7C93367E 90 nop
7C93367F 90 nop
7C933680 90 nop
7C933681 90 nop
7C933682 > 8BFF mov edi, edi
7C933684 55 push ebp
7C933685 8BEC mov ebp, esp
7C933687 8B4D 10 mov ecx, [ebp+10]
7C93368A 0FB641 01 movzx eax, byte ptr [ecx+1]
7C93368E 8D0485 08000000 lea eax, [eax*4+8]
7C933695 3B45 08 cmp eax, [ebp+8]
7C933698 0F87 514F0300 ja 7C9685EF
7C93369E 50 push eax
7C93369F 51 push ecx
7C9336A0 FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C9336A3 E8 92EEFEFF call memmove
7C9336A8 83C4 0C add esp, 0C
7C9336AB 33C0 xor eax, eax
7C9336AD 5D pop ebp ; ntdll.7C92E89A
7C9336AE C2 0C00 retn 0C
7C9336B1 90 nop
7C9336B2 90 nop
7C9336B3 90 nop
7C9336B4 90 nop
7C9336B5 90 nop
; Function at 7C9336B6 (no symbol shown). stdcall, one argument (retn 4).
;   [ebp+8] = pointer to a structure whose byte +1 is an element count
; Returns count * 4 + 8 in eax: an 8-byte header plus one dword per element.
; The count byte is used as read; the pointer is not checked for NULL.
7C9336B6 > 8BFF mov edi, edi
7C9336B8 55 push ebp
7C9336B9 8BEC mov ebp, esp
7C9336BB 8B45 08 mov eax, [ebp+8]
7C9336BE 0FB640 01 movzx eax, byte ptr [eax+1]
7C9336C2 8D0485 08000000 lea eax, [eax*4+8]
7C9336C9 5D pop ebp ; ntdll.7C92E89A
7C9336CA C2 0400 retn 4
7C9336CD 90 nop
7C9336CE 90 nop
7C9336CF 90 nop
7C9336D0 90 nop
7C9336D1 90 nop
; Function at 7C9336D2 (no symbol shown). stdcall, three arguments (retn 0C).
;   [ebp+8]  = pointer receiving the result
;   [ebp+C]  = not read on the path shown
;   [ebp+10] = size in bytes
; When NlsMbCodePageTag is zero, stores [ebp+10] >> 1 through [ebp+8] and
; returns 0 in eax: one output unit per two input bytes. A non-zero
; NlsMbCodePageTag goes to 7C967C2F, outside this view. esi is zeroed for that
; path and is otherwise unused here.
7C9336D2 > 8BFF mov edi, edi
7C9336D4 55 push ebp
7C9336D5 8BEC mov ebp, esp
7C9336D7 8B45 10 mov eax, [ebp+10]
7C9336DA 56 push esi ; ntdll.ZwTerminateProcess
7C9336DB 33F6 xor esi, esi ; ntdll.ZwTerminateProcess
7C9336DD D1E8 shr eax, 1
7C9336DF 803D 10C0997C 0>cmp byte ptr [NlsMbCodePageTag], 0
7C9336E6 0F85 43450300 jnz 7C967C2F
7C9336EC 8B4D 08 mov ecx, [ebp+8]
7C9336EF 8901 mov [ecx], eax
7C9336F1 33C0 xor eax, eax
7C9336F3 5E pop esi ; ntdll.7C92E89A
7C9336F4 5D pop ebp ; ntdll.7C92E89A
7C9336F5 C2 0C00 retn 0C
7C9336F8 90 nop
7C9336F9 90 nop
7C9336FA 90 nop
7C9336FB 90 nop
7C9336FC 90 nop
; Function at 7C9336FD (no symbol shown). stdcall, two arguments (retn 8).
;   [ebp+8] = pointer to the structure being validated (a heap, going by the
;             callers at 7C93373E and 7C9337A6)
;   [ebp+C] = not read on the path shown; callers pass the address of an ASCII
;             function-name string
; Signature check: returns al = 1 when the dword at +8 equals EEFFEEFF.
; Any other value goes to 7C96BCEB, outside this view. This is a sanity check
; that the pointer refers to an initialised structure; it is a fixed constant,
; so it detects stale or wrong pointers, not deliberate tampering.
7C9336FD 8BFF mov edi, edi
7C9336FF 55 push ebp
7C933700 8BEC mov ebp, esp
7C933702 56 push esi ; ntdll.ZwTerminateProcess
7C933703 8B75 08 mov esi, [ebp+8]
7C933706 57 push edi
7C933707 8D7E 08 lea edi, [esi+8]
; the immediate is shown byte-swapped in the hex column (little-endian)
7C93370A 813F FFEEFFEE cmp dword ptr [edi], EEFFEEFF
7C933710 0F85 D5850300 jnz 7C96BCEB
7C933716 B0 01 mov al, 1
7C933718 5F pop edi ; ntdll.7C92E89A
7C933719 5E pop esi ; ntdll.7C92E89A
7C93371A 5D pop ebp ; ntdll.7C92E89A
7C93371B C2 0800 retn 8
7C93371E 90 nop
7C93371F 90 nop
7C933720 90 nop
7C933721 90 nop
7C933722 90 nop
; Function at 7C933723; it passes the string "RtlLockHeap" as its own name to
; the validator at 7C9336FD. stdcall, one argument (retn 4).
;   [ebp+8] = heap pointer (esi)
; Steps shown:
;   1. byte [heap+13] bit 0 set          -> 7C95C0DB (outside this view)
;   2. call 7C9336FD(heap, name); al = 0 -> return 0 without locking
;   3. unless byte [heap+0C] bit 0 is set, enter the critical section whose
;      pointer is at heap+578 and increment the word at heap+584
;   4. byte [7FFE02F0] bit 1 set         -> 7C95C0E6 (outside this view)
; Returns al = 1 on success.
; The signature check in step 2 runs before the lock pointer at heap+578 is
; dereferenced, so a pointer that is not a live heap is rejected first.
; The trailing `; module.symbol` notes are the debugger's snapshot of register
; contents, not call targets.
7C933723 > 8BFF mov edi, edi
7C933725 55 push ebp
7C933726 8BEC mov ebp, esp
7C933728 51 push ecx
7C933729 51 push ecx
7C93372A 56 push esi ; ntdll.ZwTerminateProcess
7C93372B 8B75 08 mov esi, [ebp+8]
7C93372E F646 13 01 test byte ptr [esi+13], 1
7C933732 0F85 A3890200 jnz 7C95C0DB
7C933738 68 7437937C push 7C933774 ; ASCII "RtlLockHeap"
7C93373D 56 push esi ; ntdll.ZwTerminateProcess
7C93373E E8 BAFFFFFF call 7C9336FD
7C933743 84C0 test al, al
7C933745 74 27 je short 7C93376E
; bit 0 of heap+0C set means the caller asked for no serialization
7C933747 F646 0C 01 test byte ptr [esi+C], 1
7C93374B 75 12 jnz short 7C93375F
7C93374D FFB6 78050000 push dword ptr [esi+578]
7C933753 E8 ADD8FEFF call RtlEnterCriticalSection
7C933758 66:FF86 8405000>inc word ptr [esi+584]
7C93375F F605 F002FE7F 0>test byte ptr [7FFE02F0], 2
7C933766 0F85 7A890200 jnz 7C95C0E6
7C93376C B0 01 mov al, 1
7C93376E 5E pop esi ; ntdll.7C92E89A
7C93376F C9 leave
7C933770 C2 0400 retn 4
7C933773 90 nop
; Data, not code: the zero-terminated ASCII string "RtlLockHeap" referenced by
; the push at 7C933738 (bytes 52 74 6C 4C 6F 63 6B 48 65 61 70 00), followed
; by int3 (CC) padding. The mnemonics shown are decoding artifacts.
7C933774 52 push edx ; msvcrt.77C31AE8
7C933775 74 6C je short 7C9337E3
7C933777 4C dec esp
7C933778 6F outs dx, dword ptr es:[edi]
7C933779 636B 48 arpl [ebx+48], bp
7C93377C 65:61 popad
7C93377E 70 00 jo short 7C933780
7C933780 CC int3
7C933781 CC int3
7C933782 CC int3
7C933783 CC int3
7C933784 CC int3
7C933785 CC int3
7C933786 90 nop
7C933787 90 nop
7C933788 90 nop
7C933789 90 nop
7C93378A 90 nop
; Function at 7C93378B; it passes the string "RtlUnlockHeap" as its own name
; to the validator at 7C9336FD. stdcall, one argument (retn 4).
;   [ebp+8] = heap pointer (esi)
; Steps shown:
;   1. byte [heap+13] bit 0 set          -> 7C95C15B (outside this view)
;   2. call 7C9336FD(heap, name); al = 0 -> return 0 without unlocking
;   3. unless byte [heap+0C] bit 0 is set, decrement the word at heap+584 and
;      leave the critical section whose pointer is at heap+578
;   4. byte [7FFE02F0] bit 1 set         -> 7C95C166 (outside this view)
; Returns al = 1 on success.
; The counter at heap+584 is decremented while the lock is still held, i.e.
; before RtlLeaveCriticalSection is called. Nothing here checks that the
; calling thread actually owns the lock or that the counter is non-zero.
7C93378B > 8BFF mov edi, edi
7C93378D 55 push ebp
7C93378E 8BEC mov ebp, esp
7C933790 51 push ecx
7C933791 51 push ecx
7C933792 56 push esi ; ntdll.ZwTerminateProcess
7C933793 8B75 08 mov esi, [ebp+8]
7C933796 F646 13 01 test byte ptr [esi+13], 1
7C93379A 0F85 BB890200 jnz 7C95C15B
7C9337A0 68 DC37937C push 7C9337DC ; ASCII "RtlUnlockHeap"
7C9337A5 56 push esi ; ntdll.ZwTerminateProcess
7C9337A6 E8 52FFFFFF call 7C9336FD
7C9337AB 84C0 test al, al
7C9337AD 74 27 je short 7C9337D6
7C9337AF F646 0C 01 test byte ptr [esi+C], 1
7C9337B3 75 12 jnz short 7C9337C7
; the argument for RtlLeaveCriticalSection is pushed before the decrement
7C9337B5 FFB6 78050000 push dword ptr [esi+578]
7C9337BB 66:FF8E 8405000>dec word ptr [esi+584]
7C9337C2 E8 26D9FEFF call RtlLeaveCriticalSection
7C9337C7 F605 F002FE7F 0>test byte ptr [7FFE02F0], 2
7C9337CE 0F85 92890200 jnz 7C95C166
7C9337D4 B0 01 mov al, 1
7C9337D6 5E pop esi ; ntdll.7C92E89A
7C9337D7 C9 leave
7C9337D8 C2 0400 retn 4
7C9337DB 90 nop
; Data, not code: the zero-terminated ASCII string "RtlUnlockHeap" referenced
; by the push at 7C9337A0 (bytes 52 74 6C 55 6E 6C 6F 63 6B 48 65 61 70 00),
; followed by int3 (CC) padding. The mnemonics shown are decoding artifacts.
7C9337DC 52 push edx ; msvcrt.77C31AE8
7C9337DD 74 6C je short 7C93384B
7C9337DF 55 push ebp
7C9337E0 6E outs dx, byte ptr es:[edi]
7C9337E1 6C ins byte ptr es:[edi], dx
7C9337E2 6F outs dx, dword ptr es:[edi]
7C9337E3 636B 48 arpl [ebx+48], bp
7C9337E6 65:61 popad
7C9337E8 70 00 jo short 7C9337EA
7C9337EA CC int3
7C9337EB CC int3
7C9337EC CC int3
7C9337ED CC int3
7C9337EE CC int3
7C9337EF CC int3
7C9337F0 90 nop
7C9337F1 90 nop
7C9337F2 90 nop
7C9337F3 90 nop
7C9337F4 90 nop
; Function at 7C9337F5 (no symbol shown). stdcall, two arguments (retn 8).
;   [ebp+8] = descriptor: dword +4 granularity, dword +14 lower bound,
;             dword +18 upper bound (roles read off the checks below)
;   [ebp+C] = pointer to validate
; Returns al = 1 only when every check passes, otherwise al = 0:
;   - pointer is non-NULL
;   - lower bound <= pointer < upper bound (unsigned)
;   - pointer & (granularity - 1) == 0, an alignment test that assumes the
;     granularity is a power of two
;   - bit 0 of the byte at the pointer is set
; The byte at the pointer is read only after the range and alignment checks
; have passed, so an out-of-range pointer is never dereferenced.
7C9337F5 > 8BFF mov edi, edi
7C9337F7 55 push ebp
7C9337F8 8BEC mov ebp, esp
7C9337FA 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C9337FD 85C0 test eax, eax
7C9337FF 74 20 je short 7C933821
7C933801 8B4D 08 mov ecx, [ebp+8]
7C933804 3B41 14 cmp eax, [ecx+14]
7C933807 72 18 jb short 7C933821
7C933809 3B41 18 cmp eax, [ecx+18]
7C93380C 73 13 jnb short 7C933821
7C93380E 8B49 04 mov ecx, [ecx+4]
7C933811 49 dec ecx
7C933812 85C8 test eax, ecx
7C933814 75 0B jnz short 7C933821
7C933816 F600 01 test byte ptr [eax], 1
7C933819 74 06 je short 7C933821
7C93381B B0 01 mov al, 1
7C93381D 5D pop ebp ; ntdll.7C92E89A
7C93381E C2 0800 retn 8
7C933821 32C0 xor al, al
7C933823 ^ EB F8 jmp short 7C93381D
7C933825 90 nop
7C933826 90 nop
7C933827 90 nop
7C933828 90 nop
7C933829 90 nop
; Routine at 7C93382A (no symbol in the listing). stdcall, one argument (retn 4).
; On the visible path it returns eax = arg + word[arg]*8 - 8, i.e. a pointer
; derived from a 16-bit field at the start of the structure, scaled by 8.
; Presumably a heap-entry helper (size kept in 8-byte units) -- confirm.
; NOTE(review): the 16-bit field is read from the structure itself and used
; unchecked; if that header is corrupted the returned pointer lies outside
; the block, so callers should not treat the result as validated.
7C93382A 8BFF mov edi, edi
7C93382C 55 push ebp
7C93382D 8BEC mov ebp, esp
7C93382F 8B45 08 mov eax, [ebp+8]
7C933832 F640 05 08 test byte ptr [eax+5], 8 ; flag bit 3 of the byte at +5
7C933836 0F85 3D5D0300 jnz 7C969579 ; set -> out-of-line path (not shown)
7C93383C 0FB708 movzx ecx, word ptr [eax] ; ecx = 16-bit field at +0
7C93383F 8D44C8 F8 lea eax, [eax+ecx*8-8] ; eax = base + field*8 - 8
7C933843 5D pop ebp ; ntdll.7C92E89A
7C933844 C2 0400 retn 4
; 7C933847..7C933851 is an out-of-line fragment of some other routine (it uses
; that routine's frame at [ebp-24] and jumps back to 7C937A96); it is not
; reachable from the function above.
7C933847 83C1 08 add ecx, 8
7C93384A 894D DC mov [ebp-24], ecx
7C93384D E9 44420000 jmp 7C937A96
7C933852 90 nop
7C933853 90 nop
7C933854 90 nop
7C933855 90 nop
7C933856 90 nop
; Routine at 7C933857 (no symbol in the listing; presumably RtlFreeHandle --
; confirm). stdcall, two arguments (retn 8): [ebp+8] = table, [ebp+C] = entry.
; Zero-fills [table+4] bytes at the entry, then pushes the entry onto the
; singly linked list whose head is at table+10h. Always returns al = 1.
; NOTE(review): the entry pointer is not validated here before being zeroed
; and linked; the caller is expected to have checked it first (for example
; with the routine labelled RtlIsValidHandle at 7C9337F5) -- verify callers.
7C933857 > 8BFF mov edi, edi
7C933859 55 push ebp
7C93385A 8BEC mov ebp, esp
7C93385C 8B55 08 mov edx, [ebp+8] ; edx = table
7C93385F 8B4A 04 mov ecx, [edx+4] ; ecx = byte count taken from table+4
7C933862 53 push ebx
7C933863 56 push esi ; ntdll.ZwTerminateProcess
7C933864 8B75 0C mov esi, [ebp+C] ; RPCRT4.77E8F3B0
7C933867 8BD9 mov ebx, ecx ; keep the full byte count for the tail
7C933869 57 push edi
7C93386A 33C0 xor eax, eax ; fill value 0
7C93386C C1E9 02 shr ecx, 2 ; dword count
7C93386F 8BFE mov edi, esi ; ntdll.ZwTerminateProcess
7C933871 F3:AB rep stos dword ptr es:[edi]
7C933873 8BCB mov ecx, ebx
7C933875 83E1 03 and ecx, 3 ; remaining 0..3 bytes
7C933878 F3:AA rep stos byte ptr es:[edi]
7C93387A 8B42 10 mov eax, [edx+10] ; eax = current list head
7C93387D 8906 mov [esi], eax ; entry->next = old head
7C93387F 5F pop edi ; ntdll.7C92E89A
7C933880 8972 10 mov [edx+10], esi ; ntdll.ZwTerminateProcess
7C933883 5E pop esi ; ntdll.7C92E89A
7C933884 B0 01 mov al, 1
7C933886 5B pop ebx ; ntdll.7C92E89A
7C933887 5D pop ebp ; ntdll.7C92E89A
7C933888 C2 0800 retn 8
7C93388B 90 nop
7C93388C 90 nop
7C93388D 90 nop
7C93388E 90 nop
7C93388F 90 nop
; Routine at 7C933890 (no symbol in the listing; presumably _wcsicmp -- confirm).
; cdecl (plain retn, caller cleans): [ebp+8] = s1, [ebp+C] = s2, both 16-bit
; character strings. Each character in 'A'..'Z' (41h..5Ah) has 20h added before
; comparison; returns eax = (folded s1 char) - (folded s2 char) at the first
; difference, or 0 when both strings end together.
; Only ASCII letters are folded. That differs from the RtlUpcaseUnicodeChar
; folding used elsewhere in this listing, so two names can compare equal under
; one routine and unequal under the other -- worth remembering when this result
; feeds a name-based check.
7C933890 > 8BFF mov edi, edi
7C933892 55 push ebp
7C933893 8BEC mov ebp, esp
7C933895 8B55 08 mov edx, [ebp+8] ; edx = s1 cursor
7C933898 56 push esi ; ntdll.ZwTerminateProcess
7C933899 8B75 0C mov esi, [ebp+C] ; RPCRT4.77E8F3B0
7C93389C 33C0 xor eax, eax ; loop top: clear upper half before the 16-bit load
7C93389E 66:8B02 mov ax, [edx]
7C9338A1 66:3D 4100 cmp ax, 41
7C9338A5 72 09 jb short 7C9338B0 ; below 'A' -> keep as is
7C9338A7 66:3D 5A00 cmp ax, 5A
7C9338AB 8D48 20 lea ecx, [eax+20] ; lea leaves the flags from the cmp intact
7C9338AE 76 02 jbe short 7C9338B2 ; 'A'..'Z' -> ecx = char + 20h
7C9338B0 8BC8 mov ecx, eax ; otherwise ecx = char unchanged
7C9338B2 33C0 xor eax, eax
7C9338B4 66:8B06 mov ax, [esi]
7C9338B7 66:3D 4100 cmp ax, 41
7C9338BB 72 06 jb short 7C9338C3
7C9338BD 66:3D 5A00 cmp ax, 5A
7C9338C1 76 19 jbe short 7C9338DC ; 'A'..'Z' -> add 20h at 7C9338DC, then resume
; Advance both cursors by one 16-bit character.
7C9338C3 42 inc edx ; msvcrt.77C31AE8
7C9338C4 42 inc edx ; msvcrt.77C31AE8
7C9338C5 46 inc esi ; ntdll.ZwTerminateProcess
7C9338C6 46 inc esi ; ntdll.ZwTerminateProcess
7C9338C7 66:85C9 test cx, cx
7C9338CA 74 05 je short 7C9338D1 ; s1 ended -> compute result
7C9338CC 66:3BC8 cmp cx, ax
7C9338CF ^ 74 CB je short 7C93389C ; equal so far -> next character
7C9338D1 0FB7D0 movzx edx, ax
7C9338D4 0FB7C1 movzx eax, cx
7C9338D7 2BC2 sub eax, edx ; msvcrt.77C31AE8
7C9338D9 5E pop esi ; ntdll.7C92E89A
7C9338DA 5D pop ebp ; ntdll.7C92E89A
7C9338DB C3 retn
7C9338DC 83C0 20 add eax, 20 ; fold the s2 character
7C9338DF ^ EB E2 jmp short 7C9338C3
7C9338E1 90 nop
7C9338E2 90 nop
7C9338E3 90 nop
7C9338E4 90 nop
7C9338E5 90 nop
; Routine at 7C9338E6 (no symbol in the listing; presumably
; RtlIsValidIndexHandle -- confirm). stdcall, three arguments (retn 0C):
; [ebp+8] = table, [ebp+C] = index, [ebp+10] = out pointer.
; Computes entry = [table+4] * index + [table+14h], validates it with the
; routine labelled RtlIsValidHandle, and on success stores it through the out
; pointer and returns al = 1; otherwise al = 0 and the out value is untouched.
; The multiply is a 32-bit imul with no overflow check; a wrapped product is
; only rejected if it then fails the range/alignment checks in the callee.
; edx is read after the call, so this relies on the callee not modifying edx.
7C9338E6 > 8BFF mov edi, edi
7C9338E8 55 push ebp
7C9338E9 8BEC mov ebp, esp
7C9338EB 8B45 08 mov eax, [ebp+8] ; eax = table
7C9338EE 8B50 04 mov edx, [eax+4] ; edx = dword at table+4 (presumably entry size)
7C9338F1 0FAF55 0C imul edx, [ebp+C] ; RPCRT4.77E8F3B0
7C9338F5 0350 14 add edx, [eax+14] ; + base stored at table+14h
7C9338F8 52 push edx ; msvcrt.77C31AE8
7C9338F9 50 push eax
7C9338FA E8 F6FEFFFF call RtlIsValidHandle
7C9338FF 84C0 test al, al
7C933901 74 0B je short 7C93390E ; invalid -> return 0
7C933903 8B45 10 mov eax, [ebp+10]
7C933906 8910 mov [eax], edx ; msvcrt.77C31AE8
7C933908 B0 01 mov al, 1
7C93390A 5D pop ebp ; ntdll.7C92E89A
7C93390B C2 0C00 retn 0C
7C93390E 32C0 xor al, al
7C933910 ^ EB F8 jmp short 7C93390A
7C933912 90 nop
7C933913 90 nop
7C933914 90 nop
7C933915 90 nop
7C933916 90 nop
; Routine at 7C933917; the jump at 7C933943 labels this address RtlEncodePointer.
; stdcall, one argument (retn 4). Queries a 4-byte per-process value with
; ZwQueryInformationProcess(handle = -1, class = 24h, &local, length = 4,
; return-length = NULL) and returns eax = local XOR argument.
; Class 24h is presumably the process-cookie information class -- confirm.
; NOTE(review): the status returned by ZwQueryInformationProcess is not tested.
; If the query failed, [ebp-4] would still hold whatever "push ecx" placed
; there, and the XOR key would not be the intended value.
7C933917 > 8BFF mov edi, edi
7C933919 55 push ebp
7C93391A 8BEC mov ebp, esp
7C93391C 51 push ecx ; reserves the 4-byte local at [ebp-4]
7C93391D 6A 00 push 0 ; return-length pointer = NULL
7C93391F 6A 04 push 4 ; buffer length in bytes
7C933921 8D45 FC lea eax, [ebp-4]
7C933924 50 push eax ; output buffer = &local
7C933925 6A 24 push 24 ; information class 24h
7C933927 6A FF push -1 ; process handle -1 (current-process pseudo-handle)
7C933929 E8 EDA6FFFF call ZwQueryInformationProcess
7C93392E 8B45 FC mov eax, [ebp-4] ; eax = queried value
7C933931 3345 08 xor eax, [ebp+8] ; XOR with the pointer argument
7C933934 C9 leave
7C933935 C2 0400 retn 4
7C933938 90 nop
7C933939 90 nop
7C93393A 90 nop
7C93393B 90 nop
7C93393C 90 nop
; Routine at 7C93393D (no symbol in the listing; presumably RtlDecodePointer --
; confirm). It builds and immediately tears down a frame, then tail-jumps to
; RtlEncodePointer with the caller's argument and return address still in
; place. Because that routine XORs with a fixed per-process value, applying it
; a second time restores the original pointer.
7C93393D > 8BFF mov edi, edi
7C93393F 55 push ebp
7C933940 8BEC mov ebp, esp
7C933942 5D pop ebp ; ntdll.7C92E89A
7C933943 ^ EB D2 jmp short RtlEncodePointer
7C933945 90 nop
7C933946 90 nop
7C933947 90 nop
7C933948 90 nop
7C933949 90 nop
; Routine at 7C93394A (no symbol in the listing; presumably
; RtlCreateUnicodeString -- confirm). stdcall, two arguments (retn 8):
; [ebp+8] = destination descriptor, [ebp+C] = NUL-terminated 16-bit source.
; Allocates 2*wcslen(src)+2 bytes through the function pointer at 7C9309C0,
; copies the source including its terminator, and fills the descriptor:
; word[+0] = byte length without terminator, word[+2] = allocated bytes,
; dword[+4] = buffer. Returns al = 1, or al = 0 if the allocation failed
; (the buffer field is still written, with NULL).
; NOTE(review): the byte count is computed in 32 bits but stored through bx.
; Nothing here rejects a source whose 2*len+2 exceeds FFFFh, so the two 16-bit
; length fields would be truncated while the full count is allocated and
; copied. The routine at 7C9340FD does bound its length against 0FFFEh; this
; one relies on its callers.
7C93394A > 8BFF mov edi, edi
7C93394C 55 push ebp
7C93394D 8BEC mov ebp, esp
7C93394F 53 push ebx
7C933950 56 push esi ; ntdll.ZwTerminateProcess
7C933951 8B75 0C mov esi, [ebp+C] ; RPCRT4.77E8F3B0
7C933954 56 push esi ; ntdll.ZwTerminateProcess
7C933955 E8 00CAFFFF call wcslen
7C93395A 59 pop ecx ; ntdll.7C92E89A
7C93395B 8D5C00 02 lea ebx, [eax+eax+2] ; ebx = bytes needed incl. terminator
7C93395F 53 push ebx
7C933960 FF15 C009937C call [7C9309C0] ; ntdll.7C9309C9
7C933966 85C0 test eax, eax
7C933968 8B55 08 mov edx, [ebp+8] ; edx = destination descriptor (mov keeps the flags)
7C93396B 8942 04 mov [edx+4], eax ; buffer field written even when eax is NULL
7C93396E 74 26 je short 7C933996 ; allocation failed -> return 0
7C933970 57 push edi
7C933971 8BCB mov ecx, ebx
7C933973 8BF8 mov edi, eax ; edi = new buffer
7C933975 8BC1 mov eax, ecx
7C933977 C1E9 02 shr ecx, 2 ; dword part of the copy
7C93397A F3:A5 rep movs dword ptr es:[edi], dword p>
7C93397C 8BC8 mov ecx, eax
7C93397E 83E1 03 and ecx, 3 ; remaining 0..3 bytes
7C933981 F3:A4 rep movs byte ptr es:[edi], byte ptr>
7C933983 66:895A 02 mov [edx+2], bx ; low 16 bits of the allocated size
7C933987 83C3 FE add ebx, -2
7C93398A 66:891A mov [edx], bx ; low 16 bits of the length without terminator
7C93398D B0 01 mov al, 1
7C93398F 5F pop edi ; ntdll.7C92E89A
7C933990 5E pop esi ; ntdll.7C92E89A
7C933991 5B pop ebx ; ntdll.7C92E89A
7C933992 5D pop ebp ; ntdll.7C92E89A
7C933993 C2 0800 retn 8
7C933996 32C0 xor al, al ; failure exit; joins after "pop edi" because edi was not pushed yet
7C933998 ^ EB F6 jmp short 7C933990
7C93399A 90 nop
7C93399B 90 nop
7C93399C 90 nop
7C93399D 90 nop
7C93399E 90 nop
; Routine at 7C93399F; the call at 7C933A00 labels this address
; RtlDetermineDosPathNameType_U. stdcall, one argument (retn 4): [ebp+8] = path
; as a NUL-terminated 16-bit string. Result in eax.
; Only the fall-through case is visible here: a path whose second character
; is ':' and third is '\' returns 2 (presumably the drive-absolute path type).
; Every other classification branches to code outside this listing.
; The visible path checks that the first character is not '\', '/' or NUL; it
; does not check that it is a letter.
7C93399F > 8BFF mov edi, edi
7C9339A1 55 push ebp
7C9339A2 8BEC mov ebp, esp
7C9339A4 8B45 08 mov eax, [ebp+8]
7C9339A7 66:8B08 mov cx, [eax] ; cx = first character
7C9339AA 6A 5C push 5C
7C9339AC 5A pop edx ; ntdll.7C92E89A
7C9339AD 66:3BCA cmp cx, dx
7C9339B0 0F84 616B0000 je 7C93A517 ; starts with '\' -> handled elsewhere
7C9339B6 66:83F9 2F cmp cx, 2F
7C9339BA 0F84 576B0000 je 7C93A517 ; starts with '/' -> same path
7C9339C0 66:85C9 test cx, cx
7C9339C3 0F84 D50E0000 je 7C93489E ; empty string
7C9339C9 66:8378 02 3A cmp word ptr [eax+2], 3A
7C9339CE 0F85 CA0E0000 jnz 7C93489E ; second character is not ':'
7C9339D4 66:8B40 04 mov ax, [eax+4] ; third character
7C9339D8 66:3BC2 cmp ax, dx
7C9339DB 0F85 1A5C0000 jnz 7C9395FB ; not '\' -> handled elsewhere
7C9339E1 6A 02 push 2
7C9339E3 58 pop eax ; ntdll.7C92E89A
7C9339E4 5D pop ebp ; ntdll.7C92E89A
7C9339E5 C2 0400 retn 4
7C9339E8 90 nop
7C9339E9 90 nop
7C9339EA 90 nop
7C9339EB 90 nop
7C9339EC 90 nop
; Routine at 7C9339ED (no symbol in the listing; presumably
; RtlIsDosDeviceName_Ustr -- confirm). stdcall, one argument (retn 4):
; [ebp+8] = counted-string descriptor (word[+0] = length in bytes,
; dword[+4] = buffer). Returns eax = 0 when the path's last component cannot
; be a reserved device name; the 3- and 4-character cases are finished in
; code outside this listing (7C9467A8 / 7C946712).
; What the visible code establishes about the matching rules:
;  - trailing '.' and ' ' characters are dropped before matching (7C9342EC);
;  - the last component is taken after the final '\' or '/', or after a ':'
;    only when that ':' is the second character;
;  - the component's first letter, lower-cased with "or 20h", must be one of
;    l, c, p, a, n;
;  - the base name ends at the first '.' or ':' so an extension is ignored.
; Defensive takeaway: a filter that rejects device names by exact string
; comparison will disagree with this parser for inputs with trailing dots,
; trailing spaces or an extension; filters should canonicalise the same way.
7C9339ED 8BFF mov edi, edi
7C9339EF 55 push ebp
7C9339F0 8BEC mov ebp, esp
7C9339F2 51 push ecx
7C9339F3 51 push ecx
7C9339F4 53 push ebx
7C9339F5 56 push esi ; ntdll.ZwTerminateProcess
7C9339F6 8B75 08 mov esi, [ebp+8] ; esi = descriptor
7C9339F9 57 push edi
7C9339FA 8B7E 04 mov edi, [esi+4] ; edi = character buffer
7C9339FD 57 push edi
7C9339FE 33DB xor ebx, ebx ; ebx = count of stripped trailing characters
7C933A00 E8 9AFFFFFF call RtlDetermineDosPathNameType_U
7C933A05 85C0 test eax, eax
7C933A07 7C 12 jl short 7C933A1B
7C933A09 83F8 01 cmp eax, 1
7C933A0C 0F8E 47010000 jle 7C933B59 ; path type 0 or 1 -> return 0
7C933A12 83F8 06 cmp eax, 6
7C933A15 0F84 876B0000 je 7C93A5A2 ; path type 6 handled elsewhere
; Copy the descriptor into locals: [ebp-8] = length words, [ebp-4] = buffer.
7C933A1B 8B06 mov eax, [esi]
7C933A1D 8B4E 04 mov ecx, [esi+4]
7C933A20 8945 F8 mov [ebp-8], eax
7C933A23 33C0 xor eax, eax
7C933A25 66:8B06 mov ax, [esi]
7C933A28 66:D1E8 shr ax, 1 ; ax = length in characters
7C933A2B 66:85C0 test ax, ax
7C933A2E 894D FC mov [ebp-4], ecx
7C933A31 0F84 22010000 je 7C933B59 ; empty -> return 0
7C933A37 0FB7F0 movzx esi, ax
7C933A3A 66:837C77 FE 3A cmp word ptr [edi+esi*2-2], 3A
7C933A40 BA FFFF0000 mov edx, 0FFFF ; edx = -1 as a 16-bit step for the strip loop
7C933A45 0F84 C15B0000 je 7C93960C ; last character is ':' -> handled elsewhere
7C933A4B 66:85C0 test ax, ax
7C933A4E 0F84 05010000 je 7C933B59
7C933A54 0FB7F0 movzx esi, ax
7C933A57 66:8B7471 FE mov si, [ecx+esi*2-2] ; si = current last character
7C933A5C 66:83FE 2E cmp si, 2E
7C933A60 0F84 86080000 je 7C9342EC ; trailing '.' -> strip and retry
7C933A66 66:83FE 20 cmp si, 20
7C933A6A 0F84 7C080000 je 7C9342EC ; trailing ' ' -> strip and retry
7C933A70 33FF xor edi, edi
7C933A72 66:85C0 test ax, ax
7C933A75 0F84 8D000000 je 7C933B08
7C933A7B 0FB7D0 movzx edx, ax
7C933A7E 8D5451 FE lea edx, [ecx+edx*2-2] ; edx = pointer to last character
; Backward scan for the start of the last component.
7C933A82 3BD1 cmp edx, ecx
7C933A84 72 6B jb short 7C933AF1 ; ran past the start: no separator found
7C933A86 66:8B32 mov si, [edx]
7C933A89 66:83FE 5C cmp si, 5C
7C933A8D 74 17 je short 7C933AA6
7C933A8F 66:83FE 2F cmp si, 2F
7C933A93 74 11 je short 7C933AA6
7C933A95 66:83FE 3A cmp si, 3A
7C933A99 74 04 je short 7C933A9F
7C933A9B 4A dec edx ; msvcrt.77C31AE8
7C933A9C 4A dec edx ; msvcrt.77C31AE8
7C933A9D ^ EB E3 jmp short 7C933A82
7C933A9F 8D71 02 lea esi, [ecx+2] ; ':' only counts as a separator at index 1
7C933AA2 3BD6 cmp edx, esi ; ntdll.ZwTerminateProcess
7C933AA4 ^ 75 F5 jnz short 7C933A9B
; edx points at the separator; step to the component's first character.
7C933AA6 42 inc edx ; msvcrt.77C31AE8
7C933AA7 42 inc edx ; msvcrt.77C31AE8
7C933AA8 66:8B02 mov ax, [edx]
7C933AAB 66:0D 2000 or ax, 20 ; ASCII lower-case fold
7C933AAF 66:3D 6C00 cmp ax, 6C
7C933AB3 74 16 je short 7C933ACB ; 'l'
7C933AB5 66:3D 6300 cmp ax, 63
7C933AB9 74 10 je short 7C933ACB ; 'c'
7C933ABB 66:3D 7000 cmp ax, 70
7C933ABF 74 0A je short 7C933ACB ; 'p'
7C933AC1 66:3D 6100 cmp ax, 61
7C933AC5 0F85 C9060000 jnz 7C934194 ; not 'a' -> 7C934194 checks 'n', else returns 0
; Re-initialise the local descriptor so it covers only the last component.
7C933ACB 52 push edx ; msvcrt.77C31AE8
7C933ACC 8D45 F8 lea eax, [ebp-8]
7C933ACF 8BFA mov edi, edx ; msvcrt.77C31AE8
7C933AD1 50 push eax
7C933AD2 2BF9 sub edi, ecx ; edi = byte offset of the component in the buffer
7C933AD4 E8 FDD7FEFF call RtlInitUnicodeString
7C933AD9 8B4D FC mov ecx, [ebp-4]
7C933ADC 33C0 xor eax, eax
7C933ADE 66:8B45 F8 mov ax, [ebp-8]
7C933AE2 66:D1E8 shr ax, 1
7C933AE5 2BC3 sub eax, ebx ; drop the stripped trailing characters from the count
7C933AE7 69DB FEFF0000 imul ebx, ebx, 0FFFE ; low word becomes -2*ebx
7C933AED 66:015D F8 add [ebp-8], bx ; local byte length -= 2 * stripped count
7C933AF1 66:8B11 mov dx, [ecx]
7C933AF4 66:83CA 20 or dx, 20
7C933AF8 66:83FA 6C cmp dx, 6C
7C933AFC 74 0A je short 7C933B08
7C933AFE 66:83FA 63 cmp dx, 63
7C933B02 0F85 E0060000 jnz 7C9341E8 ; 7C9341E8 checks 'p', 'a', 'n', else returns 0
; Forward scan: find the end of the base name ('.' or ':' or end of string).
7C933B08 0FB7C0 movzx eax, ax
7C933B0B 8D3441 lea esi, [ecx+eax*2] ; esi = end of the component
7C933B0E 3BCE cmp ecx, esi ; ntdll.ZwTerminateProcess
7C933B10 8BD1 mov edx, ecx
7C933B12 73 26 jnb short 7C933B3A
7C933B14 66:8B02 mov ax, [edx]
7C933B17 66:3D 2E00 cmp ax, 2E
7C933B1B 74 0C je short 7C933B29
7C933B1D 66:3D 3A00 cmp ax, 3A
7C933B21 74 06 je short 7C933B29
7C933B23 42 inc edx ; msvcrt.77C31AE8
7C933B24 42 inc edx ; msvcrt.77C31AE8
7C933B25 3BD6 cmp edx, esi ; ntdll.ZwTerminateProcess
7C933B27 ^ 72 EB jb short 7C933B14
7C933B29 3BD1 cmp edx, ecx
7C933B2B 76 0D jbe short 7C933B3A
7C933B2D 8D42 FE lea eax, [edx-2]
7C933B30 66:8338 20 cmp word ptr [eax], 20
7C933B34 0F84 32890200 je 7C95C46C ; space before the '.'/':' -> handled elsewhere
7C933B3A 2BD1 sub edx, ecx
7C933B3C D1FA sar edx, 1 ; edx = base-name length in characters
7C933B3E 66:83FA 04 cmp dx, 4
7C933B42 8D0412 lea eax, [edx+edx]
7C933B45 66:8945 F8 mov [ebp-8], ax ; local byte length = base name only
7C933B49 0F84 C32B0100 je 7C946712 ; 4-character base name checked elsewhere
7C933B4F 66:83FA 03 cmp dx, 3
7C933B53 0F84 4F2C0100 je 7C9467A8 ; 3-character base name checked elsewhere
7C933B59 33C0 xor eax, eax ; any other length: not a device name
7C933B5B 5F pop edi ; ntdll.7C92E89A
7C933B5C 5E pop esi ; ntdll.7C92E89A
7C933B5D 5B pop ebx ; ntdll.7C92E89A
7C933B5E C9 leave
7C933B5F C2 0400 retn 4
7C933B62 90 nop
7C933B63 90 nop
7C933B64 90 nop
7C933B65 90 nop
7C933B66 90 nop
; Routine at 7C933B67 (no symbol in the listing; presumably
; RtlGetFullPathName_Ustr -- confirm). stdcall, six arguments (retn 18):
;   [ebp+8]  input counted-string descriptor
;   [ebp+C]  output buffer size in bytes
;   [ebp+10] output buffer
;   [ebp+14] optional out pointer, receives the address of the last component
;   [ebp+18] optional out byte, cleared on entry
;   [ebp+1C] out dword, receives the path type
; Returns the output length in bytes, truncated to 16 bits (movzx eax, di).
; Only the drive-absolute case (path type 2) is handled in line; the other
; types and all error paths branch to code outside this listing.
; Security-relevant structure visible here:
;  - the frame is set up by the helper at 7C92EDC2 with a 12-byte table at
;    7C933D00 (presumably the SEH prolog and its scope table);
;  - the global at 7C99C034 is copied to [ebp-1C] on entry and handed in ecx
;    to 7C930387 before returning (looks like a stack-cookie check -- confirm);
;  - the PEB lock is held across the canonicalisation and released by the
;    small routine at 7C933E6A;
;  - the copy loop writes to the output with no per-character bounds check;
;    the fit is established once, at 7C933CD7, before the loop starts. The
;    loop collapses repeated separators and so never writes more characters
;    than it reads.
7C933B67 68 88000000 push 88
7C933B6C 68 003D937C push 7C933D00
7C933B71 E8 4CB2FFFF call 7C92EDC2
7C933B76 A1 34C0997C mov eax, [7C99C034]
7C933B7B 8945 E4 mov [ebp-1C], eax ; saved copy checked before return
7C933B7E 8B45 08 mov eax, [ebp+8]
7C933B81 8B4D 10 mov ecx, [ebp+10]
7C933B84 894D C8 mov [ebp-38], ecx ; [ebp-38] = output buffer
7C933B87 8B4D 14 mov ecx, [ebp+14]
7C933B8A 894D 94 mov [ebp-6C], ecx
7C933B8D 8B4D 18 mov ecx, [ebp+18] ; trscd.00454965
7C933B90 898D 7CFFFFFF mov [ebp-84], ecx
7C933B96 8B5D 1C mov ebx, [ebp+1C]
7C933B99 33F6 xor esi, esi ; ntdll.ZwTerminateProcess
7C933B9B 3BCE cmp ecx, esi ; ntdll.ZwTerminateProcess
7C933B9D 74 03 je short 7C933BA2
7C933B9F C601 00 mov byte ptr [ecx], 0 ; clear the optional out byte
7C933BA2 817D 0C FFFF000>cmp dword ptr [ebp+C], 0FFFF
7C933BA9 0F87 D4860200 ja 7C95C283 ; buffer size above FFFFh handled elsewhere
7C933BAF 8933 mov [ebx], esi ; ntdll.ZwTerminateProcess
7C933BB1 8B08 mov ecx, [eax] ; input length words
7C933BB3 894D 8C mov [ebp-74], ecx
7C933BB6 8B40 04 mov eax, [eax+4] ; input buffer
7C933BB9 8945 90 mov [ebp-70], eax
7C933BBC 8945 9C mov [ebp-64], eax
7C933BBF 0FB7C9 movzx ecx, cx ; ecx = input length in bytes
7C933BC2 8BD1 mov edx, ecx
7C933BC4 D1EA shr edx, 1
7C933BC6 8955 84 mov [ebp-7C], edx ; msvcrt.77C31AE8
7C933BC9 894D B0 mov [ebp-50], ecx
7C933BCC 3BCE cmp ecx, esi ; ntdll.ZwTerminateProcess
7C933BCE ^ 0F84 1FD1FFFF je 7C930CF3 ; zero-length input
7C933BD4 66:3930 cmp [eax], si
7C933BD7 ^ 0F84 16D1FFFF je 7C930CF3 ; first character is NUL
7C933BDD 8BF9 mov edi, ecx
7C933BDF D1E9 shr ecx, 1
7C933BE1 66:8B4C48 FE mov cx, [eax+ecx*2-2] ; last character
7C933BE6 66:83F9 20 cmp cx, 20
7C933BEA 0F84 6D6F0100 je 7C94AB5D ; trailing space handled elsewhere
7C933BF0 3BFE cmp edi, esi ; ntdll.ZwTerminateProcess
7C933BF2 ^ 0F84 FBD0FFFF je 7C930CF3
7C933BF8 66:8B4450 FE mov ax, [eax+edx*2-2]
7C933BFD 66:3D 5C00 cmp ax, 5C
7C933C01 0F84 9C050000 je 7C9341A3 ; ends with '\' -> 7C9341A3 stores 0 in [ebp-39]
7C933C07 66:3D 2F00 cmp ax, 2F
7C933C0B C645 C7 01 mov byte ptr [ebp-39], 1 ; flag: input does not end with a separator (mov keeps flags)
7C933C0F 0F84 8E050000 je 7C9341A3 ; ends with '/' -> flag reset to 0 there
7C933C15 8D45 8C lea eax, [ebp-74]
7C933C18 50 push eax
7C933C19 E8 CFFDFFFF call 7C9339ED ; device-name check on the input descriptor
7C933C1E 8BF8 mov edi, eax
7C933C20 3BFE cmp edi, esi ; ntdll.ZwTerminateProcess
7C933C22 0F85 22150100 jnz 7C94514A ; non-zero result handled elsewhere
7C933C28 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C933C2B 66:894D A6 mov [ebp-5A], cx
7C933C2F 66:8365 A4 00 and word ptr [ebp-5C], 0
; Zero-fill the whole output buffer ([ebp+C] bytes at [ebp-38]).
7C933C34 33C0 xor eax, eax
7C933C36 8B7D C8 mov edi, [ebp-38]
7C933C39 8BD1 mov edx, ecx
7C933C3B C1E9 02 shr ecx, 2
7C933C3E F3:AB rep stos dword ptr es:[edi]
7C933C40 8BCA mov ecx, edx ; msvcrt.77C31AE8
7C933C42 83E1 03 and ecx, 3
7C933C45 F3:AA rep stos byte ptr es:[edi]
; esi = [[fs:[18]+30]+10]+24 -- presumably TEB -> PEB -> process parameters ->
; current-directory descriptor; confirm against the structure layout.
7C933C47 64:A1 18000000 mov eax, fs:[18]
7C933C4D 8B40 30 mov eax, [eax+30]
7C933C50 8B70 10 mov esi, [eax+10]
7C933C53 83C6 24 add esi, 24
7C933C56 FF75 9C push dword ptr [ebp-64]
7C933C59 E8 41FDFFFF call RtlDetermineDosPathNameType_U
7C933C5E 8945 88 mov [ebp-78], eax
7C933C61 8903 mov [ebx], eax ; report the path type to the caller
7C933C63 E8 B5CCFFFF call RtlAcquirePebLock
7C933C68 8365 FC 00 and dword ptr [ebp-4], 0 ; [ebp-4] = 0 (presumably the SEH try level)
7C933C6C 8B5D 9C mov ebx, [ebp-64]
7C933C6F 8BCB mov ecx, ebx
7C933C71 894D D8 mov [ebp-28], ecx ; [ebp-28] = source cursor
7C933C74 33FF xor edi, edi
7C933C76 897D A0 mov [ebp-60], edi
7C933C79 66:897D D0 mov [ebp-30], di
7C933C7D 66:897D D2 mov [ebp-2E], di
7C933C81 897D D4 mov [ebp-2C], edi
7C933C84 8B45 88 mov eax, [ebp-78] ; ntdll.7C931970
7C933C87 48 dec eax
7C933C88 0F84 83360100 je 7C947311 ; path type 1 handled elsewhere
7C933C8E 48 dec eax
7C933C8F ^ 0F85 53F9FFFF jnz 7C9335E8 ; any type other than 2 handled elsewhere
; Path type 2: compare the upper-cased first character of the current
; directory with the upper-cased first character of the input.
7C933C95 8B46 04 mov eax, [esi+4]
7C933C98 0FB700 movzx eax, word ptr [eax]
7C933C9B 50 push eax
7C933C9C E8 4FCCFFFF call RtlUpcaseUnicodeChar
7C933CA1 8845 CF mov [ebp-31], al
7C933CA4 33C0 xor eax, eax
7C933CA6 66:8B03 mov ax, [ebx]
7C933CA9 50 push eax
7C933CAA E8 41CCFFFF call RtlUpcaseUnicodeChar
7C933CAF 8845 AF mov [ebp-51], al
7C933CB2 3845 CF cmp [ebp-31], al
7C933CB5 75 06 jnz short 7C933CBD
7C933CB7 56 push esi ; ntdll.ZwTerminateProcess
7C933CB8 E8 99040000 call 7C934156
7C933CBD C745 B8 0300000>mov dword ptr [ebp-48], 3 ; 3 characters, presumably the "X:\" root
7C933CC4 66:8B75 D0 mov si, [ebp-30]
7C933CC8 0FB7CE movzx ecx, si
7C933CCB 8B45 B0 mov eax, [ebp-50] ; ntdll.7C92EE18
7C933CCE 8D1401 lea edx, [ecx+eax] ; bytes needed = prefix length + input length
7C933CD1 8995 68FFFFFF mov [ebp-98], edx ; msvcrt.77C31AE8
7C933CD7 3B55 0C cmp edx, [ebp+C] ; RPCRT4.77E8F3B0
7C933CDA 0F83 2E660000 jnb 7C93A30E ; needed >= buffer size -> too small, handled elsewhere
7C933CE0 8B45 C8 mov eax, [ebp-38]
7C933CE3 85FF test edi, edi
7C933CE5 75 09 jnz short 7C933CF0
7C933CE7 3945 D4 cmp [ebp-2C], eax
7C933CEA 0F84 1CFC0100 je 7C95390C
7C933CF0 33D2 xor edx, edx ; msvcrt.77C31AE8
7C933CF2 8955 C0 mov [ebp-40], edx ; msvcrt.77C31AE8
7C933CF5 8955 B4 mov [ebp-4C], edx ; msvcrt.77C31AE8
7C933CF8 EB 12 jmp short 7C933D0C ; skips the padding and the embedded table
7C933CFA 90 nop
7C933CFB 90 nop
7C933CFC 90 nop
7C933CFD 90 nop
7C933CFE 90 nop
7C933CFF 90 nop
; 7C933D00..7C933D0B are data, not code: the table passed to 7C92EDC2 at entry,
; three dwords FFFFFFFF, 00000000, 7C93A334. The disassembler then resumes one
; byte early: "7C 39" below is the table's last byte plus the first byte of the
; real instruction at 7C933D0C, 39 7D C0 = cmp [ebp-40], edi (the jump target).
7C933D00 FFFF ??? ; unknown command
7C933D02 FFFF ??? ; unknown command
7C933D04 0000 add [eax], al
7C933D06 0000 add [eax], al
7C933D08 34 A3 xor al, 0A3
7C933D0A 93 xchg eax, ebx
7C933D0B 7C 39 jl short 7C933D46
7C933D0D ^ 7D C0 jge short 7C933CCF
7C933D0F 0F82 4C680000 jb 7C93A561
7C933D15 66:897D A4 mov [ebp-5C], di
7C933D19 8955 C0 mov [ebp-40], edx ; msvcrt.77C31AE8
7C933D1C 8955 B4 mov [ebp-4C], edx ; msvcrt.77C31AE8
7C933D1F 0FB74D D0 movzx ecx, word ptr [ebp-30]
7C933D23 394D C0 cmp [ebp-40], ecx
7C933D26 0F82 6E700000 jb 7C93AD9A
7C933D2C 8B4D A4 mov ecx, [ebp-5C]
7C933D2F 8B55 D0 mov edx, [ebp-30]
7C933D32 03D1 add edx, ecx
7C933D34 66:8955 A4 mov [ebp-5C], dx
7C933D38 0FB74D A4 movzx ecx, word ptr [ebp-5C]
7C933D3C 03C8 add ecx, eax ; ecx = output cursor = buffer + bytes already produced
7C933D3E 894D BC mov [ebp-44], ecx
7C933D41 66:8321 00 and word ptr [ecx], 0
; Canonicalisation loop. ebx = '\' (5Ch), eax = 2 (bytes per character),
; esi = source cursor, ecx = output cursor.
7C933D45 6A 5C push 5C
7C933D47 5B pop ebx ; ntdll.7C92E89A
7C933D48 6A 02 push 2
7C933D4A 58 pop eax ; ntdll.7C92E89A
7C933D4B 8B75 D8 mov esi, [ebp-28]
7C933D4E 66:8B3E mov di, [esi]
7C933D51 66:85FF test di, di
7C933D54 74 66 je short 7C933DBC ; end of input
7C933D56 0FB7D7 movzx edx, di
7C933D59 83EA 2E sub edx, 2E
7C933D5C 0F84 C8700000 je 7C93AE2A ; '.' -> dot handling outside this listing
7C933D62 4A dec edx ; msvcrt.77C31AE8
7C933D63 74 05 je short 7C933D6A ; '/' (2Fh)
7C933D65 83EA 2D sub edx, 2D
7C933D68 75 15 jnz short 7C933D7F ; not '\' (5Ch) -> ordinary character
; Separator: emit a single '\' unless the previous output character is one.
7C933D6A 66:3959 FE cmp [ecx-2], bx
7C933D6E 74 08 je short 7C933D78
7C933D70 66:8919 mov [ecx], bx
7C933D73 03C8 add ecx, eax
7C933D75 894D BC mov [ebp-44], ecx
7C933D78 03F0 add esi, eax
7C933D7A 8975 D8 mov [ebp-28], esi ; ntdll.ZwTerminateProcess
7C933D7D ^ EB CC jmp short 7C933D4B
; Copy one component up to the next '\', '/' or NUL.
7C933D7F 66:8B16 mov dx, [esi]
7C933D82 66:3BD3 cmp dx, bx
7C933D85 74 1A je short 7C933DA1
7C933D87 66:83FA 2F cmp dx, 2F
7C933D8B 74 14 je short 7C933DA1
7C933D8D 66:85D2 test dx, dx
7C933D90 74 0F je short 7C933DA1
7C933D92 66:8911 mov [ecx], dx
7C933D95 03C8 add ecx, eax
7C933D97 894D BC mov [ebp-44], ecx
7C933D9A 03F0 add esi, eax
7C933D9C 8975 D8 mov [ebp-28], esi ; ntdll.ZwTerminateProcess
7C933D9F ^ EB DE jmp short 7C933D7F
7C933DA1 66:8B16 mov dx, [esi]
7C933DA4 66:3BD3 cmp dx, bx
7C933DA7 0F85 C3000000 jnz 7C933E70 ; not '\': 7C933E70 tests for '/'
7C933DAD 8D51 FE lea edx, [ecx-2]
7C933DB0 66:833A 2E cmp word ptr [edx], 2E
7C933DB4 0F84 67860200 je 7C95C421 ; component ended with '.' -> handled elsewhere
7C933DBA ^ EB 89 jmp short 7C933D45
; End of input: terminate the output and trim.
7C933DBC 66:8321 00 and word ptr [ecx], 0
7C933DC0 807D C7 00 cmp byte ptr [ebp-39], 0
7C933DC4 74 19 je short 7C933DDF
7C933DC6 8B45 B8 mov eax, [ebp-48]
7C933DC9 8B55 C8 mov edx, [ebp-38]
7C933DCC 8D0442 lea eax, [edx+eax*2] ; end of the root prefix in the output
7C933DCF 3BC8 cmp ecx, eax
7C933DD1 76 0C jbe short 7C933DDF
7C933DD3 8D51 FE lea edx, [ecx-2]
7C933DD6 66:391A cmp [edx], bx
7C933DD9 0F84 F26F0000 je 7C93ADD1 ; output ends with '\' past the root -> handled elsewhere
7C933DDF 8BF9 mov edi, ecx
7C933DE1 2B7D C8 sub edi, [ebp-38] ; edi = output length in bytes
7C933DE4 66:897D A4 mov [ebp-5C], di
7C933DE8 3B4D C8 cmp ecx, [ebp-38]
7C933DEB 76 1A jbe short 7C933E07
7C933DED 8D51 FE lea edx, [ecx-2]
7C933DF0 66:8B32 mov si, [edx]
7C933DF3 66:83FE 20 cmp si, 20
7C933DF7 0F84 CE410100 je 7C947FCB ; trailing ' ' in the output -> handled elsewhere
7C933DFD 66:83FE 2E cmp si, 2E
7C933E01 0F84 C4410100 je 7C947FCB ; trailing '.' in the output -> handled elsewhere
; Optional: locate the last component for the [ebp+14] out pointer by
; scanning backward from the end for '\', never below the buffer start.
7C933E07 8B75 94 mov esi, [ebp-6C] ; trscd.004B027C
7C933E0A 85F6 test esi, esi ; ntdll.ZwTerminateProcess
7C933E0C 74 3B je short 7C933E49
7C933E0E 83C1 FE add ecx, -2
7C933E11 894D D8 mov [ebp-28], ecx
7C933E14 33D2 xor edx, edx ; msvcrt.77C31AE8
7C933E16 8955 BC mov [ebp-44], edx ; msvcrt.77C31AE8
7C933E19 EB 0A jmp short 7C933E25
7C933E1B 66:3919 cmp [ecx], bx
7C933E1E 74 5F je short 7C933E7F
7C933E20 49 dec ecx
7C933E21 49 dec ecx
7C933E22 894D D8 mov [ebp-28], ecx
7C933E25 3B4D C8 cmp ecx, [ebp-38]
7C933E28 ^ 77 F1 ja short 7C933E1B
7C933E2A 33C9 xor ecx, ecx
7C933E2C 3BD1 cmp edx, ecx
7C933E2E 0F84 09AC0000 je 7C93EA3D ; no '\' found
7C933E34 66:390A cmp [edx], cx
7C933E37 0F84 00AC0000 je 7C93EA3D ; nothing after the last '\'
7C933E3D 837D 88 01 cmp dword ptr [ebp-78], 1
7C933E41 0F84 E5AB0000 je 7C93EA2C
7C933E47 8916 mov [esi], edx ; msvcrt.77C31AE8
; Common exit: mark the guarded region as left, release the lock, check the
; saved value from entry, unwind and return.
7C933E49 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C933E4D E8 18000000 call 7C933E6A
7C933E52 0FB7C7 movzx eax, di ; return value = 16-bit output length
7C933E55 8B4D E4 mov ecx, [ebp-1C]
7C933E58 E8 2AC5FFFF call 7C930387
7C933E5D E8 A0AFFFFF call 7C92EE02
7C933E62 C2 1800 retn 18
7C933E65 90 nop
7C933E66 90 nop
7C933E67 90 nop
7C933E68 90 nop
7C933E69 90 nop
; Lock-release stub called from the exit path above.
7C933E6A E8 F2CAFFFF call RtlReleasePebLock
7C933E6F C3 retn
; Out-of-line continuations of the loop above.
7C933E70 66:83FA 2F cmp dx, 2F
7C933E74 ^ 0F84 33FFFFFF je 7C933DAD
7C933E7A ^ E9 C6FEFFFF jmp 7C933D45
7C933E7F 8D51 02 lea edx, [ecx+2] ; edx = first character after the last '\'
7C933E82 8955 BC mov [ebp-44], edx ; msvcrt.77C31AE8
7C933E85 ^ EB A3 jmp short 7C933E2A
7C933E87 90 nop
; 7C933E88..7C933E91 are data, not code: 5C 00 3F 00 3F 00 5C 00 00 00 is the
; 16-bit string "\??\" with its terminator. The descriptor bytes at 7C9340F0
; point here. The remaining 90 bytes are padding.
7C933E88 5C pop esp ; ntdll.7C92E89A
7C933E89 003F add [edi], bh
7C933E8B 003F add [edi], bh
7C933E8D 005C00 00 add [eax+eax], bl
7C933E91 0090 90909090 add [eax+90909090], dl
; Routine at 7C933E97 (no symbol in the listing; it is called by the wrapper at
; 7C9340FD and looks like the worker that converts a DOS path into a path
; prefixed with "\??\" -- confirm). stdcall, four arguments (retn 10):
;   [ebp+8]  input counted-string descriptor
;   [ebp+C]  output descriptor (word length, word maximum length, dword buffer)
;   [ebp+10] optional out pointer, handled outside this listing when non-null
;   [ebp+14] optional 12-byte out structure, zeroed here when non-null
; Returns al = the byte at [ebp-229] on the visible path.
; Buffer arithmetic visible here: the heap block is 21Ah bytes; the full path
; is produced into a 208h-byte stack buffer and rejected if its length is 0
; or above 208h; the prefix is 8 bytes. 208h + 8 + 2 (terminator) = 212h,
; which fits in 21Ah.
; The frame is set up by 7C92EDC2 with the table at 7C9340C0, the value at
; 7C99C034 is saved in [ebp-1C] and handed to 7C930387 before return (looks
; like a stack-cookie check -- confirm), and the PEB lock is released through
; the stub at 7C9340DD only if the flag byte [ebp-229] is non-zero.
7C933E97 68 70020000 push 270
7C933E9C 68 C040937C push 7C9340C0
7C933EA1 E8 1CAFFFFF call 7C92EDC2
7C933EA6 A1 34C0997C mov eax, [7C99C034]
7C933EAB 8945 E4 mov [ebp-1C], eax
7C933EAE 8B45 08 mov eax, [ebp+8]
7C933EB1 8B75 0C mov esi, [ebp+C] ; RPCRT4.77E8F3B0
7C933EB4 8B7D 10 mov edi, [ebp+10]
7C933EB7 89BD A0FDFFFF mov [ebp-260], edi
7C933EBD 8B5D 14 mov ebx, [ebp+14]
7C933EC0 33D2 xor edx, edx ; msvcrt.77C31AE8
7C933EC2 8995 D0FDFFFF mov [ebp-230], edx ; msvcrt.77C31AE8
7C933EC8 8995 C8FDFFFF mov [ebp-238], edx ; msvcrt.77C31AE8
7C933ECE C785 9CFDFFFF 0>mov dword ptr [ebp-264], 20A
7C933ED8 8B08 mov ecx, [eax] ; input length words
7C933EDA 898D C0FDFFFF mov [ebp-240], ecx
7C933EE0 8B40 04 mov eax, [eax+4] ; input buffer
7C933EE3 8985 C4FDFFFF mov [ebp-23C], eax
7C933EE9 66:83F9 08 cmp cx, 8
7C933EED 76 0A jbe short 7C933EF9
7C933EEF 66:8338 5C cmp word ptr [eax], 5C
7C933EF3 0F84 F1650000 je 7C93A4EA ; longer than 8 bytes and starts with '\' -> checked elsewhere
7C933EF9 C685 D5FDFFFF 0>mov byte ptr [ebp-22B], 0
7C933F00 8D85 D8FDFFFF lea eax, [ebp-228]
7C933F06 8985 C8FDFFFF mov [ebp-238], eax ; [ebp-238] = stack scratch buffer
7C933F0C B9 1A020000 mov ecx, 21A
7C933F11 898D 9CFDFFFF mov [ebp-264], ecx ; heap block size, later stored as the maximum length
7C933F17 64:A1 18000000 mov eax, fs:[18]
7C933F1D 51 push ecx
7C933F1E 52 push edx ; msvcrt.77C31AE8
7C933F1F 8B40 30 mov eax, [eax+30]
7C933F22 FF70 18 push dword ptr [eax+18] ; heap handle read via fs:[18] -> +30 -> +18 (presumably the process heap)
7C933F25 E8 AAC6FFFF call RtlAllocateHeap
7C933F2A 8985 D0FDFFFF mov [ebp-230], eax
7C933F30 85C0 test eax, eax
7C933F32 0F84 C9890200 je 7C95C901 ; allocation failure handled elsewhere
7C933F38 E8 E0C9FFFF call RtlAcquirePebLock
7C933F3D C685 D7FDFFFF 0>mov byte ptr [ebp-229], 1 ; lock-held flag read by the stub at 7C9340DD
7C933F44 8365 FC 00 and dword ptr [ebp-4], 0
7C933F48 C745 FC 0100000>mov dword ptr [ebp-4], 1
7C933F4F 80BD D5FDFFFF 0>cmp byte ptr [ebp-22B], 0
7C933F56 0F85 EA6D0100 jnz 7C94AD46
; Call 7C933B67(&input copy, 208h, scratch, [ebp+10], &byte [ebp-22A],
; &dword [ebp-234]) to build the full path in the scratch buffer.
7C933F5C 8D85 CCFDFFFF lea eax, [ebp-234]
7C933F62 50 push eax
7C933F63 8D85 D6FDFFFF lea eax, [ebp-22A]
7C933F69 50 push eax
7C933F6A 57 push edi
7C933F6B FFB5 C8FDFFFF push dword ptr [ebp-238] ; ntdll.7C931993
7C933F71 BF 08020000 mov edi, 208
7C933F76 57 push edi
7C933F77 8D85 C0FDFFFF lea eax, [ebp-240]
7C933F7D 50 push eax
7C933F7E E8 E4FBFFFF call 7C933B67
7C933F83 8985 B0FDFFFF mov [ebp-250], eax ; [ebp-250] = full-path length in bytes
7C933F89 80BD D6FDFFFF 0>cmp byte ptr [ebp-22A], 0
7C933F90 0F85 59540000 jnz 7C9393EF
7C933F96 85C0 test eax, eax
7C933F98 0F84 51540000 je 7C9393EF ; zero length -> failure path
7C933F9E 3BC7 cmp eax, edi
7C933FA0 0F87 49540000 ja 7C9393EF ; longer than 208h -> failure path
; Load the prefix descriptor stored at 7C9340F0 (length words, buffer pointer).
7C933FA6 8B3D F040937C mov edi, [7C9340F0]
7C933FAC 89BD 94FDFFFF mov [ebp-26C], edi
7C933FB2 A1 F440937C mov eax, [7C9340F4]
7C933FB7 8985 98FDFFFF mov [ebp-268], eax
7C933FBD FFB5 C8FDFFFF push dword ptr [ebp-238] ; ntdll.7C931993
7C933FC3 E8 D7F9FFFF call RtlDetermineDosPathNameType_U
7C933FC8 8985 80FDFFFF mov [ebp-280], eax
7C933FCE 83F8 01 cmp eax, 1
7C933FD1 0F84 14330100 je 7C9472EB ; path type 1 handled elsewhere
7C933FD7 7E 10 jle short 7C933FE9
7C933FD9 83F8 05 cmp eax, 5
7C933FDC 0F8F F2650000 jg 7C93A5D4 ; path type above 5 handled elsewhere
7C933FE2 83A5 B4FDFFFF 0>and dword ptr [ebp-24C], 0 ; types 2..5: skip count = 0
; NOTE(review): the jle at 7C933FD7 (type below 1) lands on the next line
; without the store above, and [ebp-24C] is read at 7C933FFE. No other
; initialisation of it is visible in this routine -- confirm that case
; cannot occur for a successfully built full path.
7C933FE9 0FB7FF movzx edi, di ; edi = prefix length in bytes
7C933FEC 57 push edi
7C933FED FFB5 98FDFFFF push dword ptr [ebp-268]
7C933FF3 FFB5 D0FDFFFF push dword ptr [ebp-230] ; ntdll.7C931970
7C933FF9 E8 3CE5FEFF call memmove
7C933FFE 8B85 B4FDFFFF mov eax, [ebp-24C] ; ntdll.7C931993
7C934004 8D0C00 lea ecx, [eax+eax]
7C934007 898D 90FDFFFF mov [ebp-270], ecx
7C93400D 8B95 B0FDFFFF mov edx, [ebp-250] ; ntdll.7C931962
7C934013 2BD1 sub edx, ecx ; bytes to copy = path length - 2 * skip count
7C934015 52 push edx ; msvcrt.77C31AE8
7C934016 8B8D C8FDFFFF mov ecx, [ebp-238] ; ntdll.7C931993
7C93401C 8D0441 lea eax, [ecx+eax*2]
7C93401F 50 push eax
7C934020 8B85 D0FDFFFF mov eax, [ebp-230] ; ntdll.7C931970
7C934026 03C7 add eax, edi ; destination = heap block + prefix length
7C934028 50 push eax
7C934029 E8 0CE5FEFF call memmove
7C93402E 83C4 18 add esp, 18 ; cdecl cleanup for both memmove calls
; Fill the caller's output descriptor and terminate the string.
7C934031 8B8D D0FDFFFF mov ecx, [ebp-230] ; ntdll.7C931970
7C934037 894E 04 mov [esi+4], ecx
7C93403A 8B85 B4FDFFFF mov eax, [ebp-24C] ; ntdll.7C931993
7C934040 03C0 add eax, eax
7C934042 8B95 B0FDFFFF mov edx, [ebp-250] ; ntdll.7C931962
7C934048 2BD0 sub edx, eax
7C93404A 0FB7C2 movzx eax, dx
7C93404D 03C7 add eax, edi
7C93404F 66:8906 mov [esi], ax ; length = copied bytes + prefix bytes
7C934052 66:8B95 9CFDFFF>mov dx, [ebp-264]
7C934059 66:8956 02 mov [esi+2], dx ; maximum length = allocation size
7C93405D 0FB7F0 movzx esi, ax
7C934060 D1EE shr esi, 1
7C934062 89B5 84FDFFFF mov [ebp-27C], esi ; ntdll.ZwTerminateProcess
7C934068 66:832471 00 and word ptr [ecx+esi*2], 0 ; 16-bit NUL after the last character
7C93406D 8B85 A0FDFFFF mov eax, [ebp-260] ; ntdll.7C92EE18
7C934073 85C0 test eax, eax
7C934075 ^ 0F85 9EF5FFFF jnz 7C933619 ; [ebp+10] supplied -> handled elsewhere
7C93407B 85DB test ebx, ebx
7C93407D 74 1C je short 7C93409B
7C93407F 33C0 xor eax, eax
7C934081 66:8903 mov [ebx], ax
7C934084 66:8943 02 mov [ebx+2], ax
7C934088 8943 04 mov [ebx+4], eax
7C93408B 8943 08 mov [ebx+8], eax
7C93408E 83BD CCFDFFFF 0>cmp dword ptr [ebp-234], 5
7C934095 0F84 C26D0000 je 7C93AE5D
7C93409B 8365 FC 00 and dword ptr [ebp-4], 0
7C93409F 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C9340A3 E8 35000000 call 7C9340DD ; release the PEB lock if held
7C9340A8 8A85 D7FDFFFF mov al, [ebp-229]
7C9340AE 8B4D E4 mov ecx, [ebp-1C]
7C9340B1 E8 D1C2FFFF call 7C930387
7C9340B6 E8 47ADFFFF call 7C92EE02
7C9340BB C2 1000 retn 10
7C9340BE 90 nop
7C9340BF 90 nop
; 7C9340C0..7C9340D7 are data, not code: the table passed to 7C92EDC2 at entry,
; six dwords FFFFFFFF, 00000000, 7C9340DD, 00000000, 7C95C920, 7C95C929.
; "7C 90" at 7C9340D7 is the table's last byte followed by a padding nop.
7C9340C0 FFFF ??? ; unknown command
7C9340C2 FFFF ??? ; unknown command
7C9340C4 0000 add [eax], al
7C9340C6 0000 add [eax], al
7C9340C8 DD40 93 fld qword ptr [eax-6D]
7C9340CB 7C 00 jl short 7C9340CD
7C9340CD 0000 add [eax], al
7C9340CF 0020 add [eax], ah
7C9340D1 C9 leave
7C9340D2 95 xchg eax, ebp
7C9340D3 7C 29 jl short 7C9340FE
7C9340D5 C9 leave
7C9340D6 95 xchg eax, ebp
7C9340D7 ^ 7C 90 jl short 7C934069
7C9340D9 90 nop
7C9340DA 90 nop
7C9340DB 90 nop
7C9340DC 90 nop
; Lock-release stub: runs in the parent's frame and releases the PEB lock
; only when the flag byte [ebp-229] is non-zero.
7C9340DD 80BD D7FDFFFF 0>cmp byte ptr [ebp-229], 0
7C9340E4 0F84 11530000 je 7C9393FB
7C9340EA E8 72C8FFFF call RtlReleasePebLock
7C9340EF C3 retn
; 7C9340F0..7C9340F7 are data, not code: 08 00 | 0A 00 | 88 3E 93 7C is a
; counted-string descriptor (length 8, maximum length 0Ah, buffer 7C933E88,
; where the listing holds the 16-bit string "\??\"). "7C 90" at 7C9340F7 is
; the pointer's last byte followed by a padding nop.
7C9340F0 0800 or [eax], al
7C9340F2 0A00 or al, [eax]
7C9340F4 883E mov [esi], bh
7C9340F6 93 xchg eax, ebx
7C9340F7 ^ 7C 90 jl short 7C934089
7C9340F9 90 nop
7C9340FA 90 nop
7C9340FB 90 nop
7C9340FC 90 nop
; Routine at 7C9340FD (no symbol in the listing; presumably
; RtlDosPathNameToNtPathName_U -- confirm). stdcall, four arguments (retn 10):
; [ebp+8] = NUL-terminated 16-bit path (may be NULL), [ebp+C]..[ebp+14] are
; forwarded unchanged. Builds a local counted-string descriptor at [ebp-8]
; (word length, word maximum length, dword buffer) and calls 7C933E97.
; The byte length is bounded before it is narrowed to 16 bits: if
; 2*wcslen + 2 is 0FFFEh or more the routine branches to 7C95C239 (not shown)
; instead of storing truncated lengths.
; A NULL path yields a descriptor with length 0, maximum length 0, buffer NULL.
7C9340FD > 8BFF mov edi, edi
7C9340FF 55 push ebp
7C934100 8BEC mov ebp, esp
7C934102 51 push ecx
7C934103 51 push ecx
7C934104 56 push esi ; ntdll.ZwTerminateProcess
7C934105 8B75 08 mov esi, [ebp+8] ; esi = source path
7C934108 33C0 xor eax, eax
7C93410A 3BF0 cmp esi, eax
7C93410C 74 3D je short 7C93414B ; NULL path -> zero lengths
7C93410E 56 push esi ; ntdll.ZwTerminateProcess
7C93410F E8 46C2FFFF call wcslen
7C934114 D1E0 shl eax, 1 ; eax = length in bytes
7C934116 59 pop ecx ; ntdll.7C92E89A
7C934117 8D48 02 lea ecx, [eax+2] ; + terminator
7C93411A 81F9 FEFF0000 cmp ecx, 0FFFE
7C934120 0F83 13810200 jnb 7C95C239 ; too long for a 16-bit length -> handled elsewhere
7C934126 8D48 02 lea ecx, [eax+2]
7C934129 66:894D FA mov [ebp-6], cx ; maximum length
7C93412D FF75 14 push dword ptr [ebp+14]
7C934130 66:8945 F8 mov [ebp-8], ax ; length
7C934134 FF75 10 push dword ptr [ebp+10]
7C934137 8D45 F8 lea eax, [ebp-8]
7C93413A FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C93413D 8975 FC mov [ebp-4], esi ; ntdll.ZwTerminateProcess
7C934140 50 push eax
7C934141 E8 51FDFFFF call 7C933E97
7C934146 5E pop esi ; ntdll.7C92E89A
7C934147 C9 leave
7C934148 C2 1000 retn 10
7C93414B 66:8945 FA mov [ebp-6], ax ; NULL path: maximum length = 0 (eax is 0 here)
7C93414F ^ EB DC jmp short 7C93412D
7C934151 90 nop
7C934152 90 nop
7C934153 90 nop
7C934154 90 nop
7C934155 90 nop
; Routine at 7C934156 (no symbol in the listing). stdcall, one argument
; (retn 4): [ebp+8] = structure pointer; the call at 7C933CB8 passes the
; address it computed from fs:[18] -> +30 -> +10, plus 24h.
; Fast path visible here: if bit 0 of the dword at +8 is clear and the value
; at fixed address 7FFE02DC equals the cached global at 7C99C050, nothing is
; done. Either mismatch branches to 7C9418F6 (not shown).
; The global at 7C99C034 is saved on entry and handed in ecx to 7C930387
; before return (looks like a stack-cookie check -- confirm).
7C934156 8BFF mov edi, edi
7C934158 55 push ebp
7C934159 8BEC mov ebp, esp
7C93415B 83EC 1C sub esp, 1C
7C93415E A1 34C0997C mov eax, [7C99C034]
7C934163 56 push esi ; ntdll.ZwTerminateProcess
7C934164 8B75 08 mov esi, [ebp+8]
7C934167 8945 FC mov [ebp-4], eax
7C93416A 8B46 08 mov eax, [esi+8]
7C93416D A8 01 test al, 1 ; low bit of the dword at +8
7C93416F 0F85 81D70000 jnz 7C9418F6
7C934175 8B0D DC02FE7F mov ecx, [7FFE02DC]
7C93417B 3B0D 50C0997C cmp ecx, [7C99C050]
7C934181 0F85 6FD70000 jnz 7C9418F6 ; value changed since it was cached -> slow path
7C934187 8B4D FC mov ecx, [ebp-4]
7C93418A 5E pop esi ; ntdll.7C92E89A
7C93418B E8 F7C1FFFF call 7C930387
7C934190 C9 leave
7C934191 C2 0400 retn 4
; Out-of-line fragment of the routine at 7C9339ED (reached from 7C933AC5):
; accepts 'n' (6Eh) as a fifth possible first letter, otherwise returns 0.
7C934194 66:3D 6E00 cmp ax, 6E
7C934198 ^ 0F84 2DF9FFFF je 7C933ACB
7C93419E ^ E9 B6F9FFFF jmp 7C933B59
; Out-of-line fragment of the routine at 7C933B67 (reached from 7C933C01 and
; 7C933C0F): the input ends with '\' or '/', so the flag at [ebp-39] is 0.
7C9341A3 C645 C7 00 mov byte ptr [ebp-39], 0
7C9341A7 ^ E9 69FAFFFF jmp 7C933C15
7C9341AC 90 nop
7C9341AD 90 nop
7C9341AE 90 nop
7C9341AF 90 nop
7C9341B0 90 nop
; Routine at 7C9341B1 (no symbol in the listing; presumably
; RtlGetFullPathName_U -- confirm). stdcall, four arguments (retn 10):
; [ebp+8] = NUL-terminated 16-bit path, [ebp+C] = buffer size in bytes,
; [ebp+10] = buffer, [ebp+14] = optional out pointer.
; Wraps the path in a local counted-string descriptor with
; RtlInitUnicodeStringEx, whose status is checked (negative -> 7C95CB77, not
; shown), then calls 7C933B67 with a NULL fifth argument and the address of
; the [ebp+8] slot as the sixth, and returns that routine's result.
7C9341B1 > 8BFF mov edi, edi
7C9341B3 55 push ebp
7C9341B4 8BEC mov ebp, esp
7C9341B6 51 push ecx
7C9341B7 51 push ecx
7C9341B8 FF75 08 push dword ptr [ebp+8]
7C9341BB 8D45 F8 lea eax, [ebp-8]
7C9341BE 50 push eax
7C9341BF E8 E1C1FFFF call RtlInitUnicodeStringEx
7C9341C4 85C0 test eax, eax
7C9341C6 0F8C AB890200 jl 7C95CB77 ; negative status -> failure path
7C9341CC 8D45 08 lea eax, [ebp+8] ; argument slot reused as the out dword
7C9341CF 50 push eax
7C9341D0 6A 00 push 0
7C9341D2 FF75 14 push dword ptr [ebp+14]
7C9341D5 8D45 F8 lea eax, [ebp-8]
7C9341D8 FF75 10 push dword ptr [ebp+10]
7C9341DB FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C9341DE 50 push eax
7C9341DF E8 83F9FFFF call 7C933B67
7C9341E4 C9 leave
7C9341E5 C2 1000 retn 10
; Out-of-line fragment of the routine at 7C9339ED (reached from 7C933B02):
; accepts 'p', 'a' or 'n' as the first letter, otherwise returns 0.
7C9341E8 66:83FA 70 cmp dx, 70
7C9341EC ^ 0F84 16F9FFFF je 7C933B08
7C9341F2 66:83FA 61 cmp dx, 61
7C9341F6 ^ 0F84 0CF9FFFF je 7C933B08
7C9341FC 66:83FA 6E cmp dx, 6E
7C934200 ^ 0F85 53F9FFFF jnz 7C933B59
7C934206 ^ E9 FDF8FFFF jmp 7C933B08
7C93420B 90 nop
7C93420C 90 nop
7C93420D 90 nop
7C93420E 90 nop
7C93420F 90 nop
; Routine at 7C934210 (no symbol in the listing; presumably
; RtlPrefixUnicodeString -- confirm). stdcall, three arguments (retn 0C):
; [ebp+8] = first counted string, [ebp+C] = second counted string,
; [ebp+10] = byte flag selecting the in-line comparison (non-zero) or the one
; at 7C9589E2 (zero; not shown).
; Returns al = 1 when every character of the first string equals the
; character at the same position in the second; an empty first string
; therefore returns 1. If the second string is shorter than the first the
; routine branches to 7C94D63A (not shown).
; On a mismatch, characters at or above 'a' (61h) are handled by code outside
; this listing (presumably case folding); two differing characters that are
; both below 61h end the comparison with al = 0.
; The argument slots [ebp+8], [ebp+C] and [ebp+10] are reused as locals.
7C934210 > 8BFF mov edi, edi
7C934212 55 push ebp
7C934213 8BEC mov ebp, esp
7C934215 8B45 08 mov eax, [ebp+8]
7C934218 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C93421B 0FB710 movzx edx, word ptr [eax] ; edx = first string length in bytes
7C93421E 53 push ebx
7C93421F 8B59 04 mov ebx, [ecx+4] ; ebx = second string buffer
7C934222 57 push edi
7C934223 8B78 04 mov edi, [eax+4] ; edi = first string buffer
7C934226 0FB701 movzx eax, word ptr [ecx] ; eax = second string length in bytes
7C934229 3BC2 cmp eax, edx ; msvcrt.77C31AE8
7C93422B 0F82 09940100 jb 7C94D63A ; second string shorter than the first
7C934231 D1EA shr edx, 1 ; character count to compare
7C934233 807D 10 00 cmp byte ptr [ebp+10], 0
7C934237 56 push esi ; ntdll.ZwTerminateProcess
7C934238 8955 08 mov [ebp+8], edx ; msvcrt.77C31AE8
7C93423B 0F84 A1470200 je 7C9589E2
7C934241 85D2 test edx, edx ; msvcrt.77C31AE8
7C934243 74 1F je short 7C934264 ; nothing to compare -> match
7C934245 A1 4CC0997C mov eax, [7C99C04C] ; global loaded for the out-of-line paths (purpose not visible here)
7C93424A 66:8B17 mov dx, [edi]
7C93424D 66:8B33 mov si, [ebx]
7C934250 47 inc edi
7C934251 47 inc edi
7C934252 43 inc ebx
7C934253 43 inc ebx
7C934254 66:3BD6 cmp dx, si
7C934257 897D 10 mov [ebp+10], edi
7C93425A 895D 0C mov [ebp+C], ebx
7C93425D 75 0E jnz short 7C93426D ; characters differ
7C93425F FF4D 08 dec dword ptr [ebp+8]
7C934262 ^ 75 E6 jnz short 7C93424A
7C934264 B0 01 mov al, 1
7C934266 5E pop esi ; ntdll.7C92E89A
7C934267 5F pop edi ; ntdll.7C92E89A
7C934268 5B pop ebx ; ntdll.7C92E89A
7C934269 5D pop ebp ; ntdll.7C92E89A
7C93426A C2 0C00 retn 0C
7C93426D 66:83FA 61 cmp dx, 61
7C934271 0F83 DFD70100 jnb 7C951A56
7C934277 0FB7D2 movzx edx, dx
7C93427A 66:83FE 61 cmp si, 61
7C93427E 0FB7CE movzx ecx, si
7C934281 0F83 80660100 jnb 7C94A907
7C934287 3BD1 cmp edx, ecx
7C934289 0F84 8A660100 je 7C94A919
7C93428F 32C0 xor al, al ; mismatch -> return 0
7C934291 ^ EB D3 jmp short 7C934266
7C934293 33C9 xor ecx, ecx
7C934295 8D50 18 lea edx, [eax+18]
7C934298 EB 0A jmp short 7C9342A4
7C93429A B8 0D0000C0 mov eax, C000000D
7C93429F E9 5D330000 jmp 7C937601
7C9342A4 F602 04 test byte ptr [edx], 4
7C9342A7 75 0F jnz short 7C9342B8
7C9342A9 41 inc ecx
7C9342AA 83C2 30 add edx, 30
7C9342AD 83F9 20 cmp ecx, 20
7C9342B0 0F83 DAED0200 jnb 7C963090
7C9342B6 ^ EB EC jmp short 7C9342A4
7C9342B8 FF40 FC inc dword ptr [eax-4]
7C9342BB 8D0C49 lea ecx, [ecx+ecx*2]
7C9342BE C1E1 04 shl ecx, 4
7C9342C1 8D4C01 10 lea ecx, [ecx+eax+10]
7C9342C5 3BCF cmp ecx, edi
7C9342C7 0F85 29330000 jnz 7C9375F6
7C9342CD E9 BEED0200 jmp 7C963090
7C9342D2 2BCA sub ecx, edx ; msvcrt.77C31AE8
7C9342D4 33C0 xor eax, eax
7C9342D6 8D3C13 lea edi, [ebx+edx]
7C9342D9 8BD1 mov edx, ecx
7C9342DB C1E9 02 shr ecx, 2
7C9342DE F3:AB rep stos dword ptr es:[edi]
7C9342E0 8BCA mov ecx, edx ; msvcrt.77C31AE8
7C9342E2 83E1 03 and ecx, 3
7C9342E5 F3:AA rep stos byte ptr es:[edi]
7C9342E7 E9 BD390000 jmp 7C937CA9
; Out-of-line fragment of the routine at 7C9339ED, reached from 7C933A60 and
; 7C933A6A when the current last character is '.' or ' '. It drops that
; character and re-enters the trailing-character test. It runs in that
; routine's frame: [ebp-8] is the local byte length, ax the character count,
; edx holds 0FFFFh (so the 16-bit add is a decrement), ecx the buffer and
; ebx the number of characters stripped so far.
7C9342EC 66:8345 F8 FE add word ptr [ebp-8], 0FFFE ; byte length -= 2
7C9342F1 03C2 add eax, edx ; msvcrt.77C31AE8
7C9342F3 0FB7F0 movzx esi, ax
7C9342F6 66:8B7471 FE mov si, [ecx+esi*2-2] ; new last character
7C9342FB 43 inc ebx ; one more stripped character
7C9342FC 66:85C0 test ax, ax
7C9342FF ^ 0F84 6BF7FFFF je 7C933A70 ; nothing left
7C934305 ^ E9 52F7FFFF jmp 7C933A5C ; test the new last character
7C93430A 90 nop
7C93430B 90 nop
7C93430C 90 nop
7C93430D 90 nop
7C93430E 90 nop
; Routine at 7C93430F (no symbol in the listing; presumably
; RtlGetCurrentDirectory_U -- confirm). stdcall, two arguments (retn 8):
; [ebp+8] = caller buffer size in bytes, [ebp+C] = caller buffer.
; Reads the counted string found via fs:[18] -> +30 -> +10, plus 24h
; (presumably the current-directory path) under the PEB lock, copies it to
; the caller's buffer, replaces its last character with a 16-bit NUL and
; returns the resulting length in bytes.
; Bounds: the copy happens only when the buffer size is at least the stored
; length (jb at 7C934349 diverts smaller buffers to 7C95691A, not shown), and
; the terminator overwrites the last copied character, so the visible path
; writes exactly that many bytes.
; A stored path whose second-to-last character is ':' is handled outside
; this listing (7C956926 / 7C95C7C6).
7C93430F > 6A 0C push 0C
7C934311 68 9043937C push 7C934390
7C934316 E8 A7AAFFFF call 7C92EDC2 ; frame set-up helper, table at 7C934390
7C93431B 64:A1 18000000 mov eax, fs:[18]
7C934321 8B40 30 mov eax, [eax+30]
7C934324 8B70 10 mov esi, [eax+10]
7C934327 83C6 24 add esi, 24 ; esi = address of the counted-string descriptor
7C93432A E8 EEC5FFFF call RtlAcquirePebLock
7C93432F 8B46 04 mov eax, [esi+4] ; eax = stored buffer
7C934332 0FB736 movzx esi, word ptr [esi]
7C934335 D1EE shr esi, 1 ; esi = stored length in characters
7C934337 8D3C36 lea edi, [esi+esi] ; edi = stored length in bytes
7C93433A 66:837C70 FC 3A cmp word ptr [eax+esi*2-4], 3A
7C934340 0F84 E0250200 je 7C956926 ; second-to-last character is ':'
7C934346 397D 08 cmp [ebp+8], edi
7C934349 0F82 CB250200 jb 7C95691A ; caller buffer too small
7C93434F 33DB xor ebx, ebx
7C934351 895D FC mov [ebp-4], ebx
7C934354 57 push edi
7C934355 50 push eax
7C934356 8B7D 0C mov edi, [ebp+C] ; RPCRT4.77E8F3B0
7C934359 57 push edi
7C93435A E8 DBE1FEFF call memmove
7C93435F 83C4 0C add esp, 0C
7C934362 66:837C77 FC 3A cmp word ptr [edi+esi*2-4], 3A
7C934368 0F84 58840200 je 7C95C7C6
7C93436E 66:895C77 FE mov [edi+esi*2-2], bx ; last copied character := NUL
7C934373 4E dec esi ; ntdll.ZwTerminateProcess
7C934374 8975 E4 mov [ebp-1C], esi ; ntdll.ZwTerminateProcess
7C934377 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C93437B E8 E1C5FFFF call RtlReleasePebLock
7C934380 8D0436 lea eax, [esi+esi] ; return value = new length in bytes
7C934383 E8 7AAAFFFF call 7C92EE02
7C934388 C2 0800 retn 8
7C93438B 90 nop
7C93438C 90 nop
7C93438D 90 nop
7C93438E 90 nop
7C93438F 90 nop
; 7C934390..7C93439B are data, not code: the table passed to 7C92EDC2 at entry,
; three dwords FFFFFFFF, 7C95C7D4, 7C95C7DD. "7C 90" at 7C93439B is the
; table's last byte followed by a padding nop.
7C934390 FFFF ??? ; unknown command
7C934392 FFFF ??? ; unknown command
7C934394 D4 C7 aam 0C7
7C934396 95 xchg eax, ebp
7C934397 ^ 7C DD jl short 7C934376
7C934399 C7 ??? ; unknown command
7C93439A 95 xchg eax, ebp
7C93439B ^ 7C 90 jl short 7C93432D
7C93439D 90 nop
7C93439E 90 nop
7C93439F 90 nop
7C9343A0 90 nop
; ----------------------------------------------------------------------
; RtlQueryEnvironmentVariable_U (the call at 7C9345D5 resolves to this
; address) - stdcall, three stack arguments (retn 0C).
;   [ebp+8]  = environment block; 0 selects the block reached through the PEB
;   [ebp+C]  = variable name   (UNICODE_STRING *)
;   [ebp+10] = value           (UNICODE_STRING *: Length is written, Buffer filled)
; Locals: [ebp-20] status, preset to C0000100 (STATUS_VARIABLE_NOT_FOUND);
;         [ebp-19] 1 while the PEB lock is held; [ebp-24] environment cursor.
; This span is the entry plus the cached-lookup path; the scan of the
; environment block continues at 7C93460F.
; Cache globals read here: 7C99C154 valid flag, 7C99C158 cached name,
; 7C99C160 cached value length, 7C99C164 cached value pointer.
; ----------------------------------------------------------------------
7C9343A1 > 6A 34 push 34
7C9343A3 68 8844937C push 7C934488 ; address of the data record listed after this function
7C9343A8 E8 15AAFFFF call 7C92EDC2 ; frame-setup helper (presumably the SEH prolog - confirm)
7C9343AD C645 E7 00 mov byte ptr [ebp-19], 0 ; lock not held yet
7C9343B1 C745 E0 000100C>mov dword ptr [ebp-20], C0000100 ; default status: not found
7C9343B8 64:A1 18000000 mov eax, fs:[18] ; TEB self pointer
7C9343BE 8B58 30 mov ebx, [eax+30] ; ebx = PEB
7C9343C1 895D D4 mov [ebp-2C], ebx
7C9343C4 33FF xor edi, edi ; edi = 0, used as the NUL/zero constant below
7C9343C6 897D FC mov [ebp-4], edi
7C9343C9 8B75 08 mov esi, [ebp+8]
7C9343CC 3BF7 cmp esi, edi
7C9343CE 0F85 5CCF0000 jnz 7C941330 ; caller supplied a block: handled out of view, without taking the lock here
7C9343D4 E8 44C5FFFF call RtlAcquirePebLock ; process block and cache are only touched under the PEB lock
7C9343D9 C645 E7 01 mov byte ptr [ebp-19], 1 ; remember to release it on exit
7C9343DD 8B43 10 mov eax, [ebx+10]
7C9343E0 8B70 48 mov esi, [eax+48] ; esi = environment block pointer (PEB+10 -> +48)
7C9343E3 8975 DC mov [ebp-24], esi ; ntdll.ZwTerminateProcess
7C9343E6 803D 54C1997C 0>cmp byte ptr [7C99C154], 0 ; cache populated?
7C9343ED 0F84 1C020000 je 7C93460F ; no: scan the block
7C9343F3 8B43 10 mov eax, [ebx+10]
7C9343F6 3B70 48 cmp esi, [eax+48]
7C9343F9 0F85 10020000 jnz 7C93460F
7C9343FF 6A 01 push 1 ; third argument 1: case-insensitive compare
7C934401 68 58C1997C push 7C99C158 ; cached name
7C934406 FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C934409 E8 C0EFFFFF call RtlEqualUnicodeString
7C93440E 84C0 test al, al
7C934410 0F84 F9010000 je 7C93460F ; different name: scan the block
; ---- cache hit: copy the cached value into the caller's string ----
7C934416 8B45 10 mov eax, [ebp+10] ; eax = caller's value string
7C934419 66:8B0D 60C1997>mov cx, [7C99C160]
7C934420 66:8908 mov [eax], cx ; Length is stored before the capacity test, so it is set even when the copy is refused
7C934423 8B0D 60C1997C mov ecx, [7C99C160] ; t40kit32.003C003A
7C934429 66:3948 02 cmp [eax+2], cx ; MaximumLength against the cached length
7C93442D 0F82 89030000 jb 7C9347BC ; unsigned: too small - 7C9347BC sets status C0000023 and skips the copy
7C934433 0FB7C9 movzx ecx, cx ; copy count = 16-bit length, zero-extended
7C934436 8B35 64C1997C mov esi, [7C99C164] ; source = cached value pointer
7C93443C 8B78 04 mov edi, [eax+4] ; destination = caller's Buffer
7C93443F 8BD1 mov edx, ecx
7C934441 C1E9 02 shr ecx, 2
7C934444 F3:A5 rep movs dword ptr es:[edi], dword p> ; whole dwords
7C934446 8BCA mov ecx, edx ; msvcrt.77C31AE8
7C934448 83E1 03 and ecx, 3
7C93444B F3:A4 rep movs byte ptr es:[edi], byte ptr> ; remaining 0-3 bytes
7C93444D 8B0D 60C1997C mov ecx, [7C99C160] ; t40kit32.003C003A
7C934453 66:3948 02 cmp [eax+2], cx
7C934457 76 0D jbe short 7C934466 ; no spare room: the value is left without a terminator
7C934459 0FB7C9 movzx ecx, cx
7C93445C D1E9 shr ecx, 1
7C93445E 8B40 04 mov eax, [eax+4]
7C934461 66:832448 00 and word ptr [eax+ecx*2], 0 ; NUL-terminate only when MaximumLength > Length
7C934466 8365 E0 00 and dword ptr [ebp-20], 0 ; status = 0
; ---- common exit (also the target of out-of-line paths) ----
7C93446A 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C93446E 807D E7 00 cmp byte ptr [ebp-19], 0
7C934472 74 05 je short 7C934479
7C934474 E8 E8C4FFFF call RtlReleasePebLock ; released only if this call took it
7C934479 8B45 E0 mov eax, [ebp-20] ; return the status
7C93447C E8 81A9FFFF call 7C92EE02 ; frame-teardown helper (presumably the SEH epilog - confirm)
7C934481 C2 0C00 retn 0C
7C934484 90 nop
7C934485 90 nop
7C934486 90 nop
7C934487 90 nop
; 7C934488..7C934493 is data, not code: the dwords FFFFFFFF, 7C96CE7E,
; 7C96CE87, i.e. the record whose address is pushed at 7C9343A3. The
; mnemonics below are an artefact of decoding data as instructions.
7C934488 FFFF ??? ; unknown command
7C93448A FFFF ??? ; unknown command
7C93448C ^ 7E CE jle short 7C93445C
7C93448E 96 xchg eax, esi ; ntdll.ZwTerminateProcess
7C93448F ^ 7C 87 jl short 7C934418
7C934491 CE into
7C934492 96 xchg eax, esi ; ntdll.ZwTerminateProcess
7C934493 ^ 7C 90 jl short 7C934425
7C934495 90 nop
7C934496 90 nop
7C934497 90 nop
7C934498 90 nop
; ----------------------------------------------------------------------
; 7C934499 - cdecl (plain retn), two stack arguments:
;   [ebp+8] = NUL-terminated UTF-16 string, [ebp+C] = character (low word).
; Returns in eax a pointer to the LAST occurrence of the character, or 0
; when it does not occur - the behaviour of the C runtime's wcsrchr.
; The forward scan has no length limit: it relies on the terminator.
; ----------------------------------------------------------------------
7C934499 > 8BFF mov edi, edi ; two-byte no-op at the entry
7C93449B 55 push ebp
7C93449C 8BEC mov ebp, esp
7C93449E 8B45 08 mov eax, [ebp+8] ; eax = cursor
7C9344A1 8BD0 mov edx, eax ; edx = start of string
7C9344A3 66:8B08 mov cx, [eax] ; forward scan to the terminator
7C9344A6 40 inc eax
7C9344A7 40 inc eax
7C9344A8 66:85C9 test cx, cx
7C9344AB ^ 75 F6 jnz short 7C9344A3 ; on exit eax is one character past the NUL
7C9344AD 66:8B4D 0C mov cx, [ebp+C] ; cx = character to find
7C9344B1 48 dec eax ; backward scan; the first step lands on the NUL itself
7C9344B2 48 dec eax
7C9344B3 3BC2 cmp eax, edx ; msvcrt.77C31AE8
7C9344B5 74 05 je short 7C9344BC ; reached the first character: stop, decide below
7C9344B7 66:3908 cmp [eax], cx
7C9344BA ^ 75 F5 jnz short 7C9344B1
7C9344BC 66:8B10 mov dx, [eax] ; branch-free "eax = (*eax == ch) ? eax : 0"
7C9344BF 66:2BD1 sub dx, cx
7C9344C2 66:F7DA neg dx ; CF = 1 when the characters differ
7C9344C5 1BD2 sbb edx, edx ; msvcrt.77C31AE8
7C9344C7 F7D2 not edx ; msvcrt.77C31AE8
7C9344C9 23C2 and eax, edx ; msvcrt.77C31AE8
7C9344CB 5D pop ebp ; ntdll.7C92E89A
7C9344CC C3 retn
7C9344CD 90 nop
7C9344CE 90 nop
7C9344CF 90 nop
7C9344D0 90 nop
7C9344D1 90 nop
; ----------------------------------------------------------------------
; 7C9344D2 - stdcall, four stack arguments (retn 10).
;   [ebp+8]  = environment, passed through to RtlQueryEnvironmentVariable_U
;   [ebp+C]  = source      (UNICODE_STRING *)
;   [ebp+10] = destination (UNICODE_STRING *)
;   [ebp+14] = optional pointer that receives the required byte count
; Copies the source to the destination, replacing each %name% with the
; variable's value. NOTE(review): presumably RtlExpandEnvironmentStrings_U;
; the listing does not name it - confirm against the export table.
; Working state:
;   ebx      = source bytes left        esi      = source cursor
;   [ebp-4]  = destination cursor       [ebp+C]  = destination bytes left (slot reused)
;   [ebp-8]  = status (0 at start)      [ebp-C]  = bytes the full result needs
;   [ebp-18] = name string {Length, MaximumLength, Buffer at -14}
;   [ebp-20] = value string {Length, MaximumLength at -1E, Buffer at -1C}
; Every write to the destination is preceded by a test of [ebp+C]; once the
; status is negative the loop only keeps counting ([ebp-C]).
; ----------------------------------------------------------------------
7C9344D2 > 8BFF mov edi, edi
7C9344D4 55 push ebp
7C9344D5 8BEC mov ebp, esp
7C9344D7 83EC 20 sub esp, 20
7C9344DA 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C9344DD 53 push ebx
7C9344DE 0FB718 movzx ebx, word ptr [eax] ; ebx = source Length
7C9344E1 56 push esi ; ntdll.ZwTerminateProcess
7C9344E2 8B70 04 mov esi, [eax+4] ; esi = source Buffer
7C9344E5 8B45 10 mov eax, [ebp+10]
7C9344E8 8B48 04 mov ecx, [eax+4] ; destination Buffer
7C9344EB 0FB740 02 movzx eax, word ptr [eax+2] ; destination MaximumLength
7C9344EF 33D2 xor edx, edx ; msvcrt.77C31AE8
7C9344F1 83FB 02 cmp ebx, 2
7C9344F4 894D FC mov [ebp-4], ecx
7C9344F7 8945 0C mov [ebp+C], eax
7C9344FA 8955 F8 mov [ebp-8], edx ; msvcrt.77C31AE8
7C9344FD 8955 F4 mov [ebp-C], edx ; msvcrt.77C31AE8
7C934500 72 3D jb short 7C93453F ; source shorter than one character: only the terminator is written
7C934502 57 push edi
; ---- main loop: one source character per pass ----
7C934503 66:833E 25 cmp word ptr [esi], 25 ; '%' starts a possible variable reference
7C934507 74 69 je short 7C934572
7C934509 837D F8 00 cmp dword ptr [ebp-8], 0
7C93450D 7C 1B jl short 7C93452A ; already failed: count only, do not write
7C93450F 837D 0C 02 cmp dword ptr [ebp+C], 2
7C934513 0F86 38490200 jbe 7C958E51 ; two bytes or fewer left: out-of-line path, nothing is stored here
7C934519 8B4D FC mov ecx, [ebp-4]
7C93451C 66:8B06 mov ax, [esi]
7C93451F 836D 0C 02 sub dword ptr [ebp+C], 2
7C934523 8345 FC 02 add dword ptr [ebp-4], 2
7C934527 66:8901 mov [ecx], ax ; copy one literal character
7C93452A 8345 F4 02 add dword ptr [ebp-C], 2 ; required size grows even when nothing was written
7C93452E 4B dec ebx
7C93452F 4B dec ebx
7C934530 46 inc esi ; ntdll.ZwTerminateProcess
7C934531 46 inc esi ; ntdll.ZwTerminateProcess
7C934532 33D2 xor edx, edx ; msvcrt.77C31AE8
7C934534 83FB 02 cmp ebx, 2
7C934537 ^ 73 CA jnb short 7C934503
; ---- source consumed: terminate and report lengths ----
7C934539 3955 F8 cmp [ebp-8], edx ; msvcrt.77C31AE8
7C93453C 5F pop edi ; ntdll.7C92E89A
7C93453D 7C 0F jl short 7C93454E
7C93453F 3955 0C cmp [ebp+C], edx ; msvcrt.77C31AE8
7C934542 0F84 15490200 je 7C958E5D ; no room left for the terminator: out-of-line path
7C934548 8B45 FC mov eax, [ebp-4]
7C93454B 66:8910 mov [eax], dx ; write the NUL terminator
7C93454E 8B4D F4 mov ecx, [ebp-C] ; kernel32.7C8399F3
7C934551 8B45 14 mov eax, [ebp+14]
7C934554 41 inc ecx
7C934555 41 inc ecx ; required size includes the terminator
7C934556 3BC2 cmp eax, edx ; msvcrt.77C31AE8
7C934558 5E pop esi ; ntdll.7C92E89A
7C934559 5B pop ebx ; ntdll.7C92E89A
7C93455A 74 02 je short 7C93455E ; the size pointer is optional
7C93455C 8908 mov [eax], ecx
7C93455E 8B45 F8 mov eax, [ebp-8] ; kernel32.7C81CA78
7C934561 3BC2 cmp eax, edx ; msvcrt.77C31AE8
7C934563 7C 09 jl short 7C93456E ; on failure destination Length is left untouched
7C934565 8B55 10 mov edx, [ebp+10]
7C934568 83C1 FE add ecx, -2
7C93456B 66:890A mov [edx], cx ; destination Length = required size minus the terminator (stored as 16 bits)
7C93456E C9 leave
7C93456F C2 1000 retn 10
; ---- '%' seen: look for the closing '%' within the bytes that remain ----
7C934572 33C0 xor eax, eax ; eax = name length in bytes so far
7C934574 8D4B FE lea ecx, [ebx-2] ; ecx = bytes after the opening '%'
7C934577 3BCA cmp ecx, edx ; msvcrt.77C31AE8
7C934579 8D7E 02 lea edi, [esi+2] ; edi = first character of the name
7C93457C 8945 F0 mov [ebp-10], eax
7C93457F 66:8955 E8 mov [ebp-18], dx
7C934583 897D EC mov [ebp-14], edi ; name.Buffer points into the source, no copy is made
7C934586 ^ 76 81 jbe short 7C934509 ; nothing follows: treat '%' as a literal
7C934588 66:833F 25 cmp word ptr [edi], 25
7C93458C 74 11 je short 7C93459F
7C93458E 47 inc edi
7C93458F 47 inc edi
7C934590 40 inc eax
7C934591 40 inc eax
7C934592 3BC1 cmp eax, ecx
7C934594 8945 F0 mov [ebp-10], eax
7C934597 ^ 0F83 6CFFFFFF jnb 7C934509 ; ran out of source without a closing '%': literal
7C93459D ^ EB E9 jmp short 7C934588
7C93459F 3BC2 cmp eax, edx ; msvcrt.77C31AE8
7C9345A1 ^ 0F84 62FFFFFF je 7C934509 ; "%%": empty name, literal
7C9345A7 66:3BC2 cmp ax, dx
7C9345AA 66:8945 E8 mov [ebp-18], ax ; name.Length
7C9345AE 66:8945 EA mov [ebp-16], ax ; name.MaximumLength
7C9345B2 ^ 0F84 51FFFFFF je 7C934509
7C9345B8 8B45 FC mov eax, [ebp-4]
7C9345BB 8945 E4 mov [ebp-1C], eax ; value.Buffer = current destination cursor: the value is written in place
7C9345BE 66:8B45 0C mov ax, [ebp+C]
7C9345C2 66:8945 E2 mov [ebp-1E], ax ; value.MaximumLength = destination bytes left, so the callee is bounded by the same budget
7C9345C6 8D45 E0 lea eax, [ebp-20]
7C9345C9 50 push eax
7C9345CA 8D45 E8 lea eax, [ebp-18]
7C9345CD 50 push eax
7C9345CE FF75 08 push dword ptr [ebp+8]
7C9345D1 66:8955 E0 mov [ebp-20], dx ; value.Length = 0
7C9345D5 E8 C7FDFFFF call RtlQueryEnvironmentVariable_U
7C9345DA 85C0 test eax, eax
7C9345DC 0F8C 2A3B0100 jl 7C94810C ; failure is sorted out of view (presumably it can rejoin at 7C9345E2, which tests eax again)
7C9345E2 0FB74D E0 movzx ecx, word ptr [ebp-20] ; ecx = value.Length reported by the callee
7C9345E6 014D F4 add [ebp-C], ecx ; required size += value length
7C9345E9 6A FC push -4
7C9345EB 5A pop edx ; ntdll.7C92E89A
7C9345EC 2B55 F0 sub edx, [ebp-10]
7C9345EF 8D77 02 lea esi, [edi+2] ; source cursor = just past the closing '%'
7C9345F2 03DA add ebx, edx ; msvcrt.77C31AE8
7C9345F4 85C0 test eax, eax
7C9345F6 0F8C 203B0100 jl 7C94811C
7C9345FC 294D 0C sub [ebp+C], ecx ; destination budget shrinks by the bytes the callee wrote
7C9345FF 8B45 FC mov eax, [ebp-4]
7C934602 D1E9 shr ecx, 1
7C934604 8D0448 lea eax, [eax+ecx*2]
7C934607 8945 FC mov [ebp-4], eax ; advance the destination cursor by whole characters
7C93460A ^ E9 23FFFFFF jmp 7C934532
; ----------------------------------------------------------------------
; 7C93460F - out-of-line continuation of the function that starts at
; 7C9343A1 (reached from 7C9343ED / 7C9343F9 / 7C934410): the linear scan
; of the environment block for the name in [ebp+C].
; On entry esi = block cursor, edi = 0. ebx is set to 2, the step per
; UTF-16 character.
; Frame slots: [ebp-44] name  {Length, MaximumLength at -42, Buffer at -40}
;              [ebp-3C] value {Length, MaximumLength at -3A, Buffer at -38}
;              [ebp-24] cursor, [ebp-20] status.
; The scans at 7C934678 and 7C9346A8 stop only on NUL (or '='); no length
; limit is visible here, so they rely on the block being NUL-terminated.
; ----------------------------------------------------------------------
7C93460F 3BF7 cmp esi, edi
7C934611 0F84 9D5D0000 je 7C93A3B4 ; no block at all
7C934617 6A 02 push 2
7C934619 5B pop ebx ; ntdll.7C92E89A
7C93461A E9 A8000000 jmp 7C9346C7 ; start with the first entry
; ---- after the scan: only continue while the status is still "not found" ----
7C93461F 817D E0 000100C>cmp dword ptr [ebp-20], C0000100
7C934626 ^ 0F85 3EFEFFFF jnz 7C93446A ; anything else: common exit
7C93462C 6A 01 push 1
7C93462E 68 6846937C push 7C934668 ; constant string record listed below
7C934633 FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C934636 E8 93EDFFFF call RtlEqualUnicodeString
7C93463B 84C0 test al, al
7C93463D 0F85 58870300 jnz 7C96CD9B ; name matches the first built-in: handled out of view
7C934643 6A 01 push 1
7C934645 68 7046937C push 7C934670 ; second constant string record
7C93464A FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C93464D E8 7CEDFFFF call RtlEqualUnicodeString
7C934652 84C0 test al, al
7C934654 0F85 6D870300 jnz 7C96CDC7
7C93465A 397D E0 cmp [ebp-20], edi
7C93465D ^ 0F8C 07FEFFFF jl 7C93446A
7C934663 E9 C9870300 jmp 7C96CE31
; 7C934668..7C934677 is data, not code: two records
;   7C934668: Length 000C, MaximumLength 000E, Buffer 7C93A388
;   7C934670: Length 0014, MaximumLength 0016, Buffer 7C93A398
; (the addresses pushed at 7C93462E and 7C934645). The disassembler ran
; through them and lost the instruction boundary at 7C934678: the final
; byte 66 of the line at 7C934673 plus the line at 7C934679 are really
; "66:393E cmp [esi], di", the target of the jumps at 7C934682 and 7C934701.
7C934668 0C 00 or al, 0
7C93466A 0E push cs
7C93466B 0088 A3937C14 add [eax+147C93A3], cl
7C934671 0016 add [esi], dl
7C934673 0098 A3937C66 add [eax+667C93A3], bl
7C934679 393E cmp [esi], edi
7C93467B 74 07 je short 7C934684 ; NUL: end of the value
7C93467D 03F3 add esi, ebx
7C93467F 8975 DC mov [ebp-24], esi ; ntdll.ZwTerminateProcess
7C934682 ^ EB F4 jmp short 7C934678
7C934684 8BC6 mov eax, esi ; ntdll.ZwTerminateProcess
7C934686 2B45 C8 sub eax, [ebp-38]
7C934689 D1F8 sar eax, 1
7C93468B D1E0 shl eax, 1 ; byte length rounded down to whole characters
7C93468D 66:8945 C4 mov [ebp-3C], ax ; value.Length (kept as 16 bits)
7C934691 8B45 C4 mov eax, [ebp-3C] ; ntdll.7C92F0AA
7C934694 83C0 02 add eax, 2
7C934697 66:8945 C6 mov [ebp-3A], ax ; value.MaximumLength = Length + terminator
7C93469B EB 13 jmp short 7C9346B0
; ---- name scan: advance until '=' or NUL ----
7C93469D 66:3D 3D00 cmp ax, 3D ; '='
7C9346A1 74 3A je short 7C9346DD
7C9346A3 03F3 add esi, ebx
7C9346A5 8975 DC mov [ebp-24], esi ; ntdll.ZwTerminateProcess
7C9346A8 66:8B06 mov ax, [esi]
7C9346AB 66:3BC7 cmp ax, di
7C9346AE ^ 75 ED jnz short 7C93469D
7C9346B0 03F3 add esi, ebx ; step over the NUL that ends this entry
7C9346B2 8975 DC mov [ebp-24], esi ; ntdll.ZwTerminateProcess
7C9346B5 6A 01 push 1 ; third argument 1: case-insensitive compare
7C9346B7 8D45 BC lea eax, [ebp-44]
7C9346BA 50 push eax
7C9346BB FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C9346BE E8 0BEDFFFF call RtlEqualUnicodeString ; requested name against this entry's name
7C9346C3 84C0 test al, al
7C9346C5 75 3F jnz short 7C934706 ; found
; ---- next entry ----
7C9346C7 66:393E cmp [esi], di
7C9346CA 0F84 E45C0000 je 7C93A3B4 ; empty entry marks the end of the block
7C9346D0 8975 C0 mov [ebp-40], esi ; ntdll.ZwTerminateProcess
7C9346D3 66:897D BC mov [ebp-44], di
7C9346D7 66:897D BE mov [ebp-42], di ; name = {0, 0, cursor}
7C9346DB ^ EB CB jmp short 7C9346A8
; ---- '=' found ----
7C9346DD 3B75 C0 cmp esi, [ebp-40]
7C9346E0 ^ 74 C1 je short 7C9346A3 ; '=' as the very first character belongs to the name
7C9346E2 8BC6 mov eax, esi ; ntdll.ZwTerminateProcess
7C9346E4 2B45 C0 sub eax, [ebp-40]
7C9346E7 D1F8 sar eax, 1
7C9346E9 D1E0 shl eax, 1
7C9346EB 66:8945 BC mov [ebp-44], ax ; name.Length
7C9346EF 8B45 BC mov eax, [ebp-44]
7C9346F2 83C0 02 add eax, 2
7C9346F5 66:8945 BE mov [ebp-42], ax ; name.MaximumLength
7C9346F9 03F3 add esi, ebx
7C9346FB 8975 DC mov [ebp-24], esi ; ntdll.ZwTerminateProcess
7C9346FE 8975 C8 mov [ebp-38], esi ; ntdll.ZwTerminateProcess
7C934701 ^ E9 72FFFFFF jmp 7C934678 ; measure the value that follows the '='
; ---- match: hand the value to the caller ----
7C934706 66:8B45 C4 mov ax, [ebp-3C]
7C93470A 8B5D 10 mov ebx, [ebp+10] ; ebx = caller's value string
7C93470D 66:8903 mov [ebx], ax ; Length is stored before the capacity test, so it is set even when the copy is refused
7C934710 66:3943 02 cmp [ebx+2], ax
7C934714 0F82 96000000 jb 7C9347B0 ; unsigned: too small - 7C9347B0 sets status C0000023 and skips the copy
7C93471A 0FB7C8 movzx ecx, ax
7C93471D 8B75 C8 mov esi, [ebp-38] ; source = value inside the environment block
7C934720 8B7B 04 mov edi, [ebx+4] ; destination = caller's Buffer
7C934723 8BC1 mov eax, ecx
7C934725 C1E9 02 shr ecx, 2
7C934728 F3:A5 rep movs dword ptr es:[edi], dword p>
7C93472A 8BC8 mov ecx, eax
7C93472C 83E1 03 and ecx, 3
7C93472F F3:A4 rep movs byte ptr es:[edi], byte ptr>
7C934731 66:8B45 C4 mov ax, [ebp-3C]
7C934735 66:3943 02 cmp [ebx+2], ax
7C934739 76 0D jbe short 7C934748
7C93473B 0FB7C0 movzx eax, ax
7C93473E D1E8 shr eax, 1
7C934740 8B4B 04 mov ecx, [ebx+4]
7C934743 66:832441 00 and word ptr [ecx+eax*2], 0 ; NUL-terminate only when MaximumLength > Length
7C934748 8B45 08 mov eax, [ebp+8]
7C93474B 85C0 test eax, eax
7C93474D 0F85 EECB0000 jnz 7C941341 ; caller-supplied block: the cache below is not touched
; ---- remember this hit in the globals ----
; The cached records keep POINTERS into the environment block ([ebp-40],
; [ebp-38]), not copies of the text.
7C934753 C605 54C1997C 0>mov byte ptr [7C99C154], 1
7C93475A 8B45 BC mov eax, [ebp-44]
7C93475D A3 58C1997C mov [7C99C158], eax
7C934762 8B45 C0 mov eax, [ebp-40]
7C934765 A3 5CC1997C mov [7C99C15C], eax
7C93476A 8B45 C4 mov eax, [ebp-3C] ; ntdll.7C92F0AA
7C93476D A3 60C1997C mov [7C99C160], eax
7C934772 8B45 C8 mov eax, [ebp-38]
7C934775 A3 64C1997C mov [7C99C164], eax
7C93477A 8365 E0 00 and dword ptr [ebp-20], 0 ; status = 0
7C93477E 33FF xor edi, edi
7C934780 ^ E9 9AFEFFFF jmp 7C93461F
7C934785 90 nop
7C934786 90 nop
7C934787 90 nop
7C934788 90 nop
7C934789 90 nop
; ----------------------------------------------------------------------
; 7C93478A - cdecl (plain retn), two stack arguments:
;   [ebp+8] = NUL-terminated UTF-16 string, [ebp+C] = character (low word).
; Returns in eax a pointer to the FIRST occurrence of the character, a
; pointer to the terminator when the character is 0, otherwise 0 - the
; behaviour of the C runtime's wcschr.
; The scan has no length limit: it relies on the terminator.
; ----------------------------------------------------------------------
7C93478A > 8BFF mov edi, edi ; two-byte no-op at the entry
7C93478C 55 push ebp
7C93478D 8BEC mov ebp, esp
7C93478F 8B45 08 mov eax, [ebp+8] ; eax = cursor
7C934792 66:8B55 0C mov dx, [ebp+C] ; dx = character to find
7C934796 66:8B08 mov cx, [eax]
7C934799 66:85C9 test cx, cx
7C93479C 74 09 je short 7C9347A7 ; hit the terminator
7C93479E 66:3BCA cmp cx, dx
7C9347A1 74 0B je short 7C9347AE ; match: eax already points at it
7C9347A3 40 inc eax
7C9347A4 40 inc eax
7C9347A5 ^ EB EF jmp short 7C934796
7C9347A7 66:3BCA cmp cx, dx ; searching for NUL itself?
7C9347AA 74 02 je short 7C9347AE
7C9347AC 33C0 xor eax, eax ; not found
7C9347AE 5D pop ebp ; ntdll.7C92E89A
7C9347AF C3 retn
7C9347B0 C745 E0 230000C>mov dword ptr [ebp-20], C0000023
7C9347B7 ^ E9 63FEFFFF jmp 7C93461F
7C9347BC C745 E0 230000C>mov dword ptr [ebp-20], C0000023
7C9347C3 ^ E9 A2FCFFFF jmp 7C93446A
7C9347C8 66:8B46 02 mov ax, [esi+2]
7C9347CC 66:3BC8 cmp cx, ax
7C9347CF 0F83 287D0200 jnb 7C95C4FD
7C9347D5 ^ E9 43E9FFFF jmp 7C93311D
7C9347DA 90 nop
7C9347DB 90 nop
7C9347DC 90 nop
7C9347DD 90 nop
7C9347DE 90 nop
; 7C9347DF - no arguments, no frame: returns the constant 115 hex (277).
; NOTE(review): the listing does not name it or say what the value limits;
; confirm against the export table before relying on a meaning.
7C9347DF > B8 15010000 mov eax, 115
7C9347E4 C3 retn
7C9347E5 90 nop
7C9347E6 90 nop
7C9347E7 90 nop
7C9347E8 90 nop
7C9347E9 90 nop
; ----------------------------------------------------------------------
; 7C9347EA - stdcall, one stack argument (retn 4): [ebp+8] = UNICODE_STRING *.
; Classifies the start of a path: a leading '\' or '/' and a "x:" prefix
; are handled out of view; everything else returns 5.
; NOTE(review): 5 presumably is the "relative path" member of the path-type
; enumeration - confirm against the headers for this build.
; Each character is read only after Length has been checked to cover it
; (2 bytes for the first, 4 bytes for the second).
; ----------------------------------------------------------------------
7C9347EA 8BFF mov edi, edi
7C9347EC 55 push ebp
7C9347ED 8BEC mov ebp, esp
7C9347EF 8B4D 08 mov ecx, [ebp+8]
7C9347F2 8B41 04 mov eax, [ecx+4] ; eax = Buffer
7C9347F5 66:8B09 mov cx, [ecx] ; cx = Length in bytes
7C9347F8 66:83F9 02 cmp cx, 2
7C9347FC 72 17 jb short 7C934815 ; empty string: do not read the first character
7C9347FE 66:8B10 mov dx, [eax]
7C934801 66:83FA 5C cmp dx, 5C ; '\'
7C934805 0F84 6C430200 je 7C958B77
7C93480B 66:83FA 2F cmp dx, 2F ; '/' is accepted as a separator too
7C93480F 0F84 62430200 je 7C958B77
7C934815 66:83F9 04 cmp cx, 4
7C934819 72 11 jb short 7C93482C ; fewer than two characters: do not read the second
7C93481B 66:8338 00 cmp word ptr [eax], 0
7C93481F 74 0B je short 7C93482C
7C934821 66:8378 02 3A cmp word ptr [eax+2], 3A ; ':' as the second character
7C934826 0F84 BC240000 je 7C936CE8
7C93482C 6A 05 push 5
7C93482E 58 pop eax ; ntdll.7C92E89A
7C93482F 5D pop ebp ; ntdll.7C92E89A
7C934830 C2 0400 retn 4
7C934833 B8 010015C0 mov eax, C0150001
7C934838 E9 47090000 jmp 7C935184
7C93483D 8BC6 mov eax, esi ; ntdll.ZwTerminateProcess
7C93483F E9 26080000 jmp 7C93506A
7C934844 8955 FC mov [ebp-4], edx ; msvcrt.77C31AE8
7C934847 68 D8C0997C push 7C99C0D8
7C93484C 3BC2 cmp eax, edx ; msvcrt.77C31AE8
7C93484E 0F85 3D890200 jnz 7C95D191
7C934854 E8 ACC7FEFF call RtlEnterCriticalSection
7C934859 85F6 test esi, esi ; ntdll.ZwTerminateProcess
7C93485B 0F85 54890200 jnz 7C95D1B5
7C934861 64:A1 18000000 mov eax, fs:[18]
7C934867 8945 DC mov [ebp-24], eax
7C93486A B9 44C0997C mov ecx, 7C99C044
7C93486F F0:0FC119 lock xadd [ecx], ebx
7C934873 43 inc ebx
7C934874 8B40 24 mov eax, [eax+24]
7C934877 25 FF0F0000 and eax, 0FFF
7C93487C 81E3 FFFF0000 and ebx, 0FFFF
7C934882 C1E0 10 shl eax, 10
7C934885 0BD8 or ebx, eax
7C934887 891F mov [edi], ebx
7C934889 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C93488D ^ E9 77E9FFFF jmp 7C933209
7C934892 C745 CC 8A0000C>mov dword ptr [ebp-34], C000008A
7C934899 ^ E9 80E0FFFF jmp 7C93291E
7C93489E 6A 05 push 5
7C9348A0 ^ E9 3EF1FFFF jmp 7C9339E3
7C9348A5 C745 CC 8B0000C>mov dword ptr [ebp-34], C000008B
7C9348AC ^ E9 6DE0FFFF jmp 7C93291E
7C9348B1 90 nop
7C9348B2 90 nop
7C9348B3 90 nop
7C9348B4 0000 add [eax], al
7C9348B6 1F pop ds
7C9348B7 003B add [ebx], bh
7C9348B9 005A 00 add [edx], bl
7C9348BC 78 00 js short 7C9348BE
7C9348BE 97 xchg eax, edi
7C9348BF 00B5 00D400F3 add [ebp+F300D400], dh
7C9348C5 0011 add [ecx], dl
7C9348C7 0130 add [eax], esi ; ntdll.ZwTerminateProcess
7C9348C9 014E 01 add [esi+1], ecx
7C9348CC 6D ins dword ptr es:[edi], dx
7C9348CD 0100 add [eax], eax
7C9348CF 000F add [edi], cl
7C9348D1 B6 87 mov dh, 87
7C9348D3 E8 48937C89 call 060FDC20
7C9348D8 45 inc ebp
7C9348D9 080F or [edi], cl
7C9348DB BF 0445B448 mov edi, 48B44504
7C9348E0 93 xchg eax, ebx
7C9348E1 ^ 7C E9 jl short 7C9348CC
7C9348E3 C2 DBFF retn 0FFDB
7C9348E6 FF90 00000000 call [eax]
7C9348EC 0000 add [eax], al
7C9348EE 0000 add [eax], al
7C9348F0 0000 add [eax], al
7C9348F2 0000 add [eax], al
7C9348F4 0000 add [eax], al
7C9348F6 0000 add [eax], al
7C9348F8 0000 add [eax], al
7C9348FA 0000 add [eax], al
7C9348FC 0000 add [eax], al
7C9348FE 0000 add [eax], al
7C934900 0000 add [eax], al
7C934902 0000 add [eax], al
7C934904 0000 add [eax], al
7C934906 0001 add [ecx], al
7C934908 0101 add [ecx], eax
7C93490A 0101 add [ecx], eax
7C93490C 0101 add [ecx], eax
7C93490E 0101 add [ecx], eax
7C934910 0101 add [ecx], eax
7C934912 0101 add [ecx], eax
7C934914 0101 add [ecx], eax
7C934916 0101 add [ecx], eax
7C934918 0101 add [ecx], eax
7C93491A 0101 add [ecx], eax
7C93491C 0101 add [ecx], eax
7C93491E 0101 add [ecx], eax
7C934920 0101 add [ecx], eax
7C934922 0102 add [edx], eax
7C934924 0202 add al, [edx]
7C934926 0202 add al, [edx]
7C934928 0202 add al, [edx]
7C93492A 0202 add al, [edx]
7C93492C 0202 add al, [edx]
7C93492E 0202 add al, [edx]
7C934930 0202 add al, [edx]
7C934932 0202 add al, [edx]
7C934934 0202 add al, [edx]
7C934936 0202 add al, [edx]
7C934938 0202 add al, [edx]
7C93493A 0202 add al, [edx]
7C93493C 0202 add al, [edx]
7C93493E 0202 add al, [edx]
7C934940 0202 add al, [edx]
7C934942 0303 add eax, [ebx]
7C934944 0303 add eax, [ebx]
7C934946 0303 add eax, [ebx]
7C934948 0303 add eax, [ebx]
7C93494A 0303 add eax, [ebx]
7C93494C 0303 add eax, [ebx]
7C93494E 0303 add eax, [ebx]
7C934950 0303 add eax, [ebx]
7C934952 0303 add eax, [ebx]
7C934954 0303 add eax, [ebx]
7C934956 0303 add eax, [ebx]
7C934958 0303 add eax, [ebx]
7C93495A 0303 add eax, [ebx]
7C93495C 0303 add eax, [ebx]
7C93495E 0303 add eax, [ebx]
7C934960 04 04 add al, 4
7C934962 04 04 add al, 4
7C934964 04 04 add al, 4
7C934966 04 04 add al, 4
7C934968 04 04 add al, 4
7C93496A 04 04 add al, 4
7C93496C 04 04 add al, 4
7C93496E 04 04 add al, 4
7C934970 04 04 add al, 4
7C934972 04 04 add al, 4
7C934974 04 04 add al, 4
7C934976 04 04 add al, 4
7C934978 04 04 add al, 4
7C93497A 04 04 add al, 4
7C93497C 04 04 add al, 4
7C93497E 04 05 add al, 5
7C934980 05 05050505 add eax, 5050505
7C934985 05 05050505 add eax, 5050505
7C93498A 05 05050505 add eax, 5050505
7C93498F 05 05050505 add eax, 5050505
7C934994 05 05050505 add eax, 5050505
7C934999 05 05050506 add eax, 6050505
7C93499E 06 push es
7C93499F 06 push es
7C9349A0 06 push es
7C9349A1 06 push es
7C9349A2 06 push es
7C9349A3 06 push es
7C9349A4 06 push es
7C9349A5 06 push es
7C9349A6 06 push es
7C9349A7 06 push es
7C9349A8 06 push es
7C9349A9 06 push es
7C9349AA 06 push es
7C9349AB 06 push es
7C9349AC 06 push es
7C9349AD 06 push es
7C9349AE 06 push es
7C9349AF 06 push es
7C9349B0 06 push es
7C9349B1 06 push es
7C9349B2 06 push es
7C9349B3 06 push es
7C9349B4 06 push es
7C9349B5 06 push es
7C9349B6 06 push es
7C9349B7 06 push es
7C9349B8 06 push es
7C9349B9 06 push es
7C9349BA 06 push es
7C9349BB 06 push es
7C9349BC 07 pop es
7C9349BD 07 pop es
7C9349BE 07 pop es
7C9349BF 07 pop es
7C9349C0 07 pop es
7C9349C1 07 pop es
7C9349C2 07 pop es
7C9349C3 07 pop es
7C9349C4 07 pop es
7C9349C5 07 pop es
7C9349C6 07 pop es
7C9349C7 07 pop es
7C9349C8 07 pop es
7C9349C9 07 pop es
7C9349CA 07 pop es
7C9349CB 07 pop es
7C9349CC 07 pop es
7C9349CD 07 pop es
7C9349CE 07 pop es
7C9349CF 07 pop es
7C9349D0 07 pop es
7C9349D1 07 pop es
7C9349D2 07 pop es
7C9349D3 07 pop es
7C9349D4 07 pop es
7C9349D5 07 pop es
7C9349D6 07 pop es
7C9349D7 07 pop es
7C9349D8 07 pop es
7C9349D9 07 pop es
7C9349DA 07 pop es
7C9349DB 0808 or [eax], cl
7C9349DD 0808 or [eax], cl
7C9349DF 0808 or [eax], cl
7C9349E1 0808 or [eax], cl
7C9349E3 0808 or [eax], cl
7C9349E5 0808 or [eax], cl
7C9349E7 0808 or [eax], cl
7C9349E9 0808 or [eax], cl
7C9349EB 0808 or [eax], cl
7C9349ED 0808 or [eax], cl
7C9349EF 0808 or [eax], cl
7C9349F1 0808 or [eax], cl
7C9349F3 0808 or [eax], cl
7C9349F5 0808 or [eax], cl
7C9349F7 0808 or [eax], cl
7C9349F9 0909 or [ecx], ecx
7C9349FB 0909 or [ecx], ecx
7C9349FD 0909 or [ecx], ecx
7C9349FF 0909 or [ecx], ecx
7C934A01 0909 or [ecx], ecx
7C934A03 0909 or [ecx], ecx
7C934A05 0909 or [ecx], ecx
7C934A07 0909 or [ecx], ecx
7C934A09 0909 or [ecx], ecx
7C934A0B 0909 or [ecx], ecx
7C934A0D 0909 or [ecx], ecx
7C934A0F 0909 or [ecx], ecx
7C934A11 0909 or [ecx], ecx
7C934A13 0909 or [ecx], ecx
7C934A15 0909 or [ecx], ecx
7C934A17 090A or [edx], ecx
7C934A19 0A0A or cl, [edx]
7C934A1B 0A0A or cl, [edx]
7C934A1D 0A0A or cl, [edx]
7C934A1F 0A0A or cl, [edx]
7C934A21 0A0A or cl, [edx]
7C934A23 0A0A or cl, [edx]
7C934A25 0A0A or cl, [edx]
7C934A27 0A0A or cl, [edx]
7C934A29 0A0A or cl, [edx]
7C934A2B 0A0A or cl, [edx]
7C934A2D 0A0A or cl, [edx]
7C934A2F 0A0A or cl, [edx]
7C934A31 0A0A or cl, [edx]
7C934A33 0A0A or cl, [edx]
7C934A35 0A0B or cl, [ebx]
7C934A37 0B0B or ecx, [ebx]
7C934A39 0B0B or ecx, [ebx]
7C934A3B 0B0B or ecx, [ebx]
7C934A3D 0B0B or ecx, [ebx]
7C934A3F 0B0B or ecx, [ebx]
7C934A41 0B0B or ecx, [ebx]
7C934A43 0B0B or ecx, [ebx]
7C934A45 0B0B or ecx, [ebx]
7C934A47 0B0B or ecx, [ebx]
7C934A49 0B0B or ecx, [ebx]
7C934A4B 0B0B or ecx, [ebx]
7C934A4D 0B0B or ecx, [ebx]
7C934A4F 0B0B or ecx, [ebx]
7C934A51 0B0B or ecx, [ebx]
7C934A53 0B0B or ecx, [ebx]
7C934A55 0000 add [eax], al
7C934A57 0090 90909090 add [eax+90909090], dl
; ----------------------------------------------------------------------
; 7C934A5D - stdcall, three stack arguments (retn 0C).
;   [ebp+8]  = destination UNICODE_STRING * (saved in [ebp-208])
;   [ebp+C]  = SID (validated with RtlValidSid, first byte must be 1)
;   [ebp+10] = byte flag; non-zero is handled out of view at 7C9481C2
; Formats the SID as text "S-1-<authority>-<sub>-<sub>..." in a stack
; buffer and copies it to the destination with RtlCopyUnicodeString.
; NOTE(review): presumably RtlConvertSidToUnicodeString; the listing does
; not name it - confirm against the export table.
; Stack layout that matters for bounds:
;   [ebp-204 .. ebp-5]  text buffer, 200 hex bytes = 100 hex UTF-16 units
;   [ebp-4]             copy of the global at 7C99C034, handed to 7C930387
;                       just before returning (stack-cookie pattern)
;   [ebp-210]           temporary {Length, MaximumLength, Buffer} record
; Every conversion call receives the units still free in the buffer (FC
; after the 4-unit prefix, then 100 minus the units used), and the
; end-of-text scans stop at ebp-6.
; ----------------------------------------------------------------------
7C934A5D > 8BFF mov edi, edi
7C934A5F 55 push ebp
7C934A60 8BEC mov ebp, esp
7C934A62 81EC 18020000 sub esp, 218
7C934A68 A1 34C0997C mov eax, [7C99C034] ; guard value for the slot above the buffer
7C934A6D 56 push esi ; ntdll.ZwTerminateProcess
7C934A6E 8B75 0C mov esi, [ebp+C] ; RPCRT4.77E8F3B0
7C934A71 8945 FC mov [ebp-4], eax
7C934A74 8B45 08 mov eax, [ebp+8]
7C934A77 56 push esi ; ntdll.ZwTerminateProcess
7C934A78 8985 F8FDFFFF mov [ebp-208], eax
7C934A7E E8 14EAFFFF call RtlValidSid ; reject malformed input before any field is used
7C934A83 3C 01 cmp al, 1
7C934A85 0F85 783B0300 jnz 7C968603
7C934A8B 3806 cmp [esi], al ; byte 0 of the SID (revision) must be 1
7C934A8D 0F85 703B0300 jnz 7C968603
7C934A93 57 push edi
7C934A94 8D85 FCFDFFFF lea eax, [ebp-204]
7C934A9A 68 124B937C push 7C934B12 ; UNICODE "S-1-"
7C934A9F 50 push eax
7C934AA0 E8 CEE9FFFF call wcscpy ; fixed 4-character prefix into the 100-unit buffer
7C934AA5 8A46 02 mov al, [esi+2]
7C934AA8 84C0 test al, al
7C934AAA 59 pop ecx ; ntdll.7C92E89A
7C934AAB 59 pop ecx ; ntdll.7C92E89A
7C934AAC 8DBD 04FEFFFF lea edi, [ebp-1FC] ; edi = write position, 4 units into the buffer
7C934AB2 0F85 553B0300 jnz 7C96860D ; authority byte 0 non-zero: other format, out of view
7C934AB8 3846 03 cmp [esi+3], al
7C934ABB 0F85 4C3B0300 jnz 7C96860D ; authority byte 1 non-zero: same
7C934AC1 0FB646 04 movzx eax, byte ptr [esi+4] ; assemble authority bytes 2..5 as a big-endian 32-bit value
7C934AC5 0FB64E 05 movzx ecx, byte ptr [esi+5]
7C934AC9 C1E0 08 shl eax, 8
7C934ACC 03C1 add eax, ecx
7C934ACE 0FB64E 06 movzx ecx, byte ptr [esi+6]
7C934AD2 C1E0 08 shl eax, 8
7C934AD5 03C1 add eax, ecx
7C934AD7 0FB64E 07 movzx ecx, byte ptr [esi+7]
7C934ADB C1E0 08 shl eax, 8
7C934ADE 03C1 add eax, ecx
7C934AE0 8BCF mov ecx, edi
7C934AE2 51 push ecx ; arg 4: output position
7C934AE3 68 FC000000 push 0FC ; arg 3: units available (100 - 4)
7C934AE8 6A 0A push 0A ; arg 2: base 10
7C934AEA 50 push eax ; arg 1: value
7C934AEB E8 E0000000 call 7C934BD0 ; integer-to-text helper
7C934AF0 85C0 test eax, eax
7C934AF2 0F8C C5000000 jl 7C934BBD ; failure: leave with the helper's status
7C934AF8 53 push ebx
7C934AF9 32DB xor bl, bl ; bl = sub-authority index
7C934AFB 385E 01 cmp [esi+1], bl ; byte 1 of the SID = sub-authority count
7C934AFE 76 57 jbe short 7C934B57
; ---- per sub-authority: find the end of the text, add '-', append the number ----
7C934B00 66:833F 00 cmp word ptr [edi], 0
7C934B04 74 1C je short 7C934B22
7C934B06 8D45 FA lea eax, [ebp-6]
7C934B09 3BF8 cmp edi, eax
7C934B0B 73 15 jnb short 7C934B22 ; stop at ebp-6 even if no NUL was seen
7C934B0D 47 inc edi
7C934B0E 47 inc edi
7C934B0F ^ EB EF jmp short 7C934B00
7C934B11 90 nop
; 7C934B12..7C934B1B is data, not code: the UTF-16 text "S-1-" and its
; terminator (the address pushed at 7C934A9A), followed by int3 filler.
7C934B12 53 push ebx
7C934B13 002D 0031002D add [2D003100], ch
7C934B19 0000 add [eax], al
7C934B1B 00CC add ah, cl
7C934B1D CC int3
7C934B1E CC int3
7C934B1F CC int3
7C934B20 CC int3
7C934B21 CC int3
7C934B22 66:C707 2D00 mov word ptr [edi], 2D ; '-' separator
7C934B27 47 inc edi
7C934B28 47 inc edi
7C934B29 8D8D FCFDFFFF lea ecx, [ebp-204]
7C934B2F 8BC7 mov eax, edi
7C934B31 2BC1 sub eax, ecx
7C934B33 D1F8 sar eax, 1 ; eax = units used so far
7C934B35 57 push edi ; arg 4: output position
7C934B36 B9 00010000 mov ecx, 100
7C934B3B 2BC8 sub ecx, eax
7C934B3D 51 push ecx ; arg 3: units still free (0 when the scan stopped at the limit)
7C934B3E 0FB6C3 movzx eax, bl
7C934B41 6A 0A push 0A ; arg 2: base 10
7C934B43 FF7486 08 push dword ptr [esi+eax*4+8] ; arg 1: sub-authority[bl]
7C934B47 E8 84000000 call 7C934BD0
7C934B4C 85C0 test eax, eax
7C934B4E 7C 6C jl short 7C934BBC
7C934B50 FEC3 inc bl
7C934B52 3A5E 01 cmp bl, [esi+1]
7C934B55 ^ 72 A9 jb short 7C934B00
7C934B57 807D 10 00 cmp byte ptr [ebp+10], 0
7C934B5B 0F85 61360100 jnz 7C9481C2
; ---- measure the finished text (same bounded scan) ----
7C934B61 66:833F 00 cmp word ptr [edi], 0
7C934B65 74 0B je short 7C934B72
7C934B67 8D45 FA lea eax, [ebp-6]
7C934B6A 3BF8 cmp edi, eax
7C934B6C 73 04 jnb short 7C934B72
7C934B6E 47 inc edi
7C934B6F 47 inc edi
7C934B70 ^ EB EF jmp short 7C934B61
7C934B72 8D85 FCFDFFFF lea eax, [ebp-204]
7C934B78 2BF8 sub edi, eax
7C934B7A 8B85 F8FDFFFF mov eax, [ebp-208] ; eax = destination string
7C934B80 0FB748 02 movzx ecx, word ptr [eax+2] ; destination MaximumLength
7C934B84 D1FF sar edi, 1
7C934B86 D1E7 shl edi, 1 ; edi = text length in bytes
7C934B88 3BF9 cmp edi, ecx
7C934B8A 0F83 57360100 jnb 7C9481E7 ; unsigned: text length >= destination capacity, handled out of view
7C934B90 8D8D FCFDFFFF lea ecx, [ebp-204]
7C934B96 898D F4FDFFFF mov [ebp-20C], ecx ; temp.Buffer = stack text
7C934B9C 8D8D F0FDFFFF lea ecx, [ebp-210]
7C934BA2 66:89BD F0FDFFF>mov [ebp-210], di ; temp.Length
7C934BA9 51 push ecx
7C934BAA 83C7 02 add edi, 2
7C934BAD 50 push eax
7C934BAE 66:89BD F2FDFFF>mov [ebp-20E], di ; temp.MaximumLength = Length + terminator
7C934BB5 E8 27010000 call RtlCopyUnicodeString ; (destination, &temp)
7C934BBA 33C0 xor eax, eax ; success
7C934BBC 5B pop ebx ; ntdll.7C92E89A
7C934BBD 5F pop edi ; ntdll.7C92E89A
7C934BBE 8B4D FC mov ecx, [ebp-4] ; guard slot back into ecx
7C934BC1 5E pop esi ; ntdll.7C92E89A
7C934BC2 E8 C0B7FFFF call 7C930387 ; guard check (presumably the /GS cookie check - confirm)
7C934BC7 C9 leave
7C934BC8 C2 0C00 retn 0C
7C934BCB 90 nop
7C934BCC 90 nop
7C934BCD 90 nop
7C934BCE 90 nop
7C934BCF 90 nop
; ----------------------------------------------------------------------
; 7C934BD0 - stdcall, four stack arguments (retn 10); called from
; 7C934AEB and 7C934B47.
;   [ebp+8]  = unsigned 32-bit value
;   [ebp+C]  = base: 0 is replaced by 0A; 2, 8 and 0A are recognised here,
;              anything else leaves at 7C96B5CD
;   [ebp+10] = capacity of the output in UTF-16 units (signed test)
;   [ebp+14] = output buffer (saved in [ebp-64])
; Produces the digits right-to-left in a temporary area that ends at
; ebp-20, then copies them to the output only if they fit.
; Only the division path (edi = 0, taken for base 0A) is in this span;
; the edi != 0 paths continue at 7C96B5E8 / 7C96B5F7.
; [ebp-1C] holds a copy of the global at 7C99C034 that is handed to
; 7C930387 before returning (stack-cookie pattern).
; ----------------------------------------------------------------------
7C934BD0 6A 5C push 5C
7C934BD2 68 B04C937C push 7C934CB0 ; address of the data record listed after this function
7C934BD7 E8 E6A1FFFF call 7C92EDC2 ; frame-setup helper (presumably the SEH prolog - confirm)
7C934BDC A1 34C0997C mov eax, [7C99C034]
7C934BE1 8945 E4 mov [ebp-1C], eax ; guard slot
7C934BE4 8B45 14 mov eax, [ebp+14]
7C934BE7 8945 9C mov [ebp-64], eax
7C934BEA 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C934BED 83E8 00 sub eax, 0 ; dispatch on the base: 0 ...
7C934BF0 0F84 AE000000 je 7C934CA4
7C934BF6 48 dec eax
7C934BF7 48 dec eax ; ... 2 ...
7C934BF8 0F84 9E000000 je 7C934C9C
7C934BFE 83E8 06 sub eax, 6 ; ... 8 ...
7C934C01 0F84 D9690300 je 7C96B5E0
7C934C07 48 dec eax
7C934C08 48 dec eax ; ... 0A
7C934C09 0F85 BE690300 jnz 7C96B5CD ; unsupported base
7C934C0F 33FF xor edi, edi ; edi = 0 selects the division path
7C934C11 85FF test edi, edi
7C934C13 0F85 CF690300 jnz 7C96B5E8
7C934C19 8B5D 94 mov ebx, [ebp-6C] ; trscd.004B027C
7C934C1C 8D75 E0 lea esi, [ebp-20] ; esi = one past the last digit slot
7C934C1F 66:8365 E0 00 and word ptr [ebp-20], 0 ; terminator behind the digits
7C934C24 8B45 08 mov eax, [ebp+8] ; eax = value still to convert
7C934C27 85FF test edi, edi
7C934C29 0F85 C8690300 jnz 7C96B5F7
7C934C2F 33D2 xor edx, edx ; msvcrt.77C31AE8
7C934C31 F775 0C div dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C934C34 4E dec esi ; ntdll.ZwTerminateProcess
7C934C35 4E dec esi ; ntdll.ZwTerminateProcess
7C934C36 66:8B0C55 BC4C9>mov cx, [edx*2+7C934CBC] ; remainder indexes the UTF-16 digit table at 7C934CBC
7C934C3E 66:890E mov [esi], cx ; store the digit, moving towards lower addresses
7C934C41 85C0 test eax, eax
7C934C43 ^ 75 E2 jnz short 7C934C27 ; until the quotient is 0 (so 0 yields one digit)
7C934C45 8D45 E0 lea eax, [ebp-20]
7C934C48 2BC6 sub eax, esi ; ntdll.ZwTerminateProcess
7C934C4A D1F8 sar eax, 1 ; eax = number of digits
7C934C4C 837D 10 00 cmp dword ptr [ebp+10], 0
7C934C50 0F8C AE690300 jl 7C96B604 ; negative capacity is rejected before it is used as a bound
7C934C56 3B45 10 cmp eax, [ebp+10]
7C934C59 0F8F C7690300 jg 7C96B626 ; more digits than capacity: no copy on this path
7C934C5F 8365 FC 00 and dword ptr [ebp-4], 0 ; [ebp-4] = 0 around the copy (looks like the guarded region of the frame helper)
7C934C63 8D1400 lea edx, [eax+eax] ; edx = bytes to copy
7C934C66 8BCA mov ecx, edx ; msvcrt.77C31AE8
7C934C68 8B7D 9C mov edi, [ebp-64] ; destination = caller's buffer
7C934C6B 8BD9 mov ebx, ecx
7C934C6D C1E9 02 shr ecx, 2
7C934C70 F3:A5 rep movs dword ptr es:[edi], dword p> ; source = esi, the first digit
7C934C72 8BCB mov ecx, ebx
7C934C74 83E1 03 and ecx, 3
7C934C77 F3:A4 rep movs byte ptr es:[edi], byte ptr>
7C934C79 3B45 10 cmp eax, [ebp+10]
7C934C7C 7D 08 jge short 7C934C86 ; digits fill the capacity exactly: no terminator is written
7C934C7E 8B45 9C mov eax, [ebp-64]
7C934C81 66:832402 00 and word ptr [edx+eax], 0 ; NUL-terminate only when a unit is left
7C934C86 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C934C8A 33C0 xor eax, eax ; success
7C934C8C 8B4D E4 mov ecx, [ebp-1C]
7C934C8F E8 F3B6FFFF call 7C930387 ; guard check (presumably the /GS cookie check - confirm)
7C934C94 E8 69A1FFFF call 7C92EE02 ; frame-teardown helper
7C934C99 C2 1000 retn 10
7C934C9C 33FF xor edi, edi ; base 2: edi = 1, continues out of view from 7C934C13
7C934C9E 47 inc edi
7C934C9F ^ E9 6DFFFFFF jmp 7C934C11
7C934CA4 C745 0C 0A00000>mov dword ptr [ebp+C], 0A ; base 0 means base 10
7C934CAB ^ E9 5FFFFFFF jmp 7C934C0F
; 7C934CB0..7C934CDB is data, not code:
;   7C934CB0  dwords FFFFFFFF, 7C96B635, 7C96B648 (record pushed at 7C934BD2)
;   7C934CBC  UTF-16 digit table "0123456789ABCDEF" (indexed at 7C934C36)
; The mnemonics below are an artefact of decoding data as instructions.
7C934CB0 FFFF ??? ; unknown command
7C934CB2 FFFF ??? ; unknown command
7C934CB4 35 B6967C48 xor eax, 487C96B6
7C934CB9 B6 96 mov dh, 96
7C934CBB 7C 30 jl short 7C934CED
7C934CBD 0031 add [ecx], dh
7C934CBF 0032 add [edx], dh
7C934CC1 0033 add [ebx], dh
7C934CC3 003400 add [eax+eax], dh
7C934CC6 35 00360037 xor eax, 37003600
7C934CCB 0038 add [eax], bh
7C934CCD 0039 add [ecx], bh
7C934CCF 0041 00 add [ecx], al
7C934CD2 42 inc edx ; msvcrt.77C31AE8
7C934CD3 0043 00 add [ebx], al
7C934CD6 44 inc esp
7C934CD7 0045 00 add [ebp], al
7C934CDA 46 inc esi ; ntdll.ZwTerminateProcess
7C934CDB 0090 90909090 add [eax+90909090], dl
; ----------------------------------------------------------------------
; RtlCopyUnicodeString (the call at 7C934BB5 resolves to this address) -
; stdcall, two stack arguments (retn 8), no return value set on this path.
;   [ebp+8] = destination UNICODE_STRING *, [ebp+C] = source UNICODE_STRING *
; Record layout used: word Length at +0, word MaximumLength at +2,
; Buffer pointer at +4.
; The copy in this span runs only when source Length <= destination
; MaximumLength; the larger case (7C944947) and a null source (7C94494F)
; are handled out of view.
; ----------------------------------------------------------------------
7C934CE1 > 8BFF mov edi, edi
7C934CE3 55 push ebp
7C934CE4 8BEC mov ebp, esp
7C934CE6 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C934CE9 85C0 test eax, eax
7C934CEB 0F84 5EFC0000 je 7C94494F ; null source: out of view
7C934CF1 8B55 08 mov edx, [ebp+8] ; edx = destination record
7C934CF4 66:8B4A 02 mov cx, [edx+2] ; destination MaximumLength
7C934CF8 53 push ebx
7C934CF9 56 push esi ; ntdll.ZwTerminateProcess
7C934CFA 8B70 04 mov esi, [eax+4] ; esi = source Buffer
7C934CFD 0FB700 movzx eax, word ptr [eax] ; eax = source Length
7C934D00 66:3BC1 cmp ax, cx
7C934D03 57 push edi
7C934D04 8B7A 04 mov edi, [edx+4] ; edi = destination Buffer
7C934D07 897D 08 mov [ebp+8], edi ; keep it for the terminator (rep movs advances edi)
7C934D0A 0F87 37FC0000 ja 7C944947 ; unsigned: source longer than the destination can hold
7C934D10 8BC8 mov ecx, eax
7C934D12 8BD9 mov ebx, ecx
7C934D14 C1E9 02 shr ecx, 2
7C934D17 66:8902 mov [edx], ax ; destination Length = bytes copied
7C934D1A F3:A5 rep movs dword ptr es:[edi], dword p>
7C934D1C 8BCB mov ecx, ebx
7C934D1E 83E1 03 and ecx, 3
7C934D21 F3:A4 rep movs byte ptr es:[edi], byte ptr>
7C934D23 66:8B0A mov cx, [edx]
7C934D26 66:3B4A 02 cmp cx, [edx+2]
7C934D2A 5F pop edi ; ntdll.7C92E89A
7C934D2B 5E pop esi ; ntdll.7C92E89A
7C934D2C 5B pop ebx ; ntdll.7C92E89A
7C934D2D 73 0A jnb short 7C934D39 ; Length == MaximumLength: result is NOT NUL-terminated
7C934D2F 8B4D 08 mov ecx, [ebp+8]
7C934D32 D1E8 shr eax, 1
7C934D34 66:832441 00 and word ptr [ecx+eax*2], 0 ; terminator only when there is room
7C934D39 5D pop ebp ; ntdll.7C92E89A
7C934D3A C2 0800 retn 8
7C934D3D 90 nop
7C934D3E 90 nop
7C934D3F 90 nop
7C934D40 90 nop
7C934D41 90 nop
; ----------------------------------------------------------------------
; 7C934D42 - stdcall, two stack arguments (retn 8); returns 0 in eax on
; the paths in this span.
;   [ebp+8] = destination UNICODE_STRING *
;   [ebp+C] = NUL-terminated UTF-16 text to append (may be null: no-op)
; NOTE(review): presumably RtlAppendUnicodeToString; the listing does not
; name it - confirm against the export table.
; The append happens only when Length + added bytes <= MaximumLength; the
; other case leaves at 7C96AAA3 without writing here.
; ----------------------------------------------------------------------
7C934D42 > 8BFF mov edi, edi
7C934D44 55 push ebp
7C934D45 8BEC mov ebp, esp
7C934D47 83EC 0C sub esp, 0C
7C934D4A 837D 0C 00 cmp dword ptr [ebp+C], 0
7C934D4E 56 push esi ; ntdll.ZwTerminateProcess
7C934D4F 57 push edi
7C934D50 74 58 je short 7C934DAA ; null text: nothing to do, return 0
7C934D52 FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C934D55 8D45 F4 lea eax, [ebp-C]
7C934D58 50 push eax
7C934D59 E8 78C5FEFF call RtlInitUnicodeString ; fills the local record at [ebp-C] from the text
7C934D5E 8B4D F4 mov ecx, [ebp-C] ; kernel32.7C8399F3
7C934D61 8B75 08 mov esi, [ebp+8] ; esi = destination record
7C934D64 0FB706 movzx eax, word ptr [esi] ; eax = current Length
7C934D67 0FB756 02 movzx edx, word ptr [esi+2] ; edx = MaximumLength
7C934D6B 0FB7F9 movzx edi, cx ; edi = bytes to add (low word of the local record)
7C934D6E 894D FC mov [ebp-4], ecx
7C934D71 8D0C07 lea ecx, [edi+eax] ; sum of two zero-extended 16-bit values, cannot wrap in 32 bits
7C934D74 3BCA cmp ecx, edx ; msvcrt.77C31AE8
7C934D76 0F8F 275D0300 jg 7C96AAA3 ; does not fit: out of view, no copy
7C934D7C 8B4E 04 mov ecx, [esi+4]
7C934D7F 53 push ebx
7C934D80 57 push edi ; count
7C934D81 FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C934D84 D1E8 shr eax, 1
7C934D86 8D1C41 lea ebx, [ecx+eax*2] ; ebx = end of the existing text (whole characters)
7C934D89 53 push ebx
7C934D8A E8 ABD7FEFF call memmove ; memmove(end of destination, text, count)
7C934D8F 66:8B45 FC mov ax, [ebp-4]
7C934D93 66:0106 add [esi], ax ; Length += bytes added
7C934D96 66:8B06 mov ax, [esi]
7C934D99 83C4 0C add esp, 0C
7C934D9C 66:3B46 02 cmp ax, [esi+2]
7C934DA0 73 07 jnb short 7C934DA9 ; buffer exactly full: result is NOT NUL-terminated
7C934DA2 D1EF shr edi, 1
7C934DA4 66:83247B 00 and word ptr [ebx+edi*2], 0 ; terminator only when there is room
7C934DA9 5B pop ebx ; ntdll.7C92E89A
7C934DAA 33C0 xor eax, eax
7C934DAC 5F pop edi ; ntdll.7C92E89A
7C934DAD 5E pop esi ; ntdll.7C92E89A
7C934DAE C9 leave
7C934DAF C2 0800 retn 8
7C934DB2 90 nop
7C934DB3 90 nop
7C934DB4 90 nop
7C934DB5 90 nop
7C934DB6 90 nop
; ----------------------------------------------------------------------
; 7C934DB7 - stdcall, two stack arguments (retn 8); returns 0 in eax on
; the paths in this span.
;   [ebp+8] = destination UNICODE_STRING *
;   [ebp+C] = source UNICODE_STRING * (slot reused for the source length)
; NOTE(review): presumably RtlAppendUnicodeStringToString; the listing
; does not name it - confirm against the export table.
; Unlike the routine at 7C934D42, the source pointer is dereferenced at
; 7C934DC1 without a null test, so callers must pass a valid record.
; The append happens only when Length + source Length <= MaximumLength;
; the other case leaves at 7C96AAAD without writing here.
; ----------------------------------------------------------------------
7C934DB7 > 8BFF mov edi, edi
7C934DB9 55 push ebp
7C934DBA 8BEC mov ebp, esp
7C934DBC 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C934DBF 33D2 xor edx, edx ; msvcrt.77C31AE8
7C934DC1 66:8B11 mov dx, [ecx] ; edx = source Length
7C934DC4 66:85D2 test dx, dx
7C934DC7 53 push ebx
7C934DC8 56 push esi ; ntdll.ZwTerminateProcess
7C934DC9 57 push edi
7C934DCA 8955 0C mov [ebp+C], edx ; msvcrt.77C31AE8
7C934DCD 74 44 je short 7C934E13 ; empty source: nothing to do, return 0
7C934DCF 8B75 08 mov esi, [ebp+8] ; esi = destination record
7C934DD2 0FB706 movzx eax, word ptr [esi] ; eax = current Length
7C934DD5 0FB75E 02 movzx ebx, word ptr [esi+2] ; ebx = MaximumLength
7C934DD9 0FB7FA movzx edi, dx ; edi = bytes to add
7C934DDC 8D1438 lea edx, [eax+edi] ; sum of two zero-extended 16-bit values, cannot wrap in 32 bits
7C934DDF 3BD3 cmp edx, ebx
7C934DE1 0F8F C65C0300 jg 7C96AAAD ; does not fit: out of view, no copy
7C934DE7 8B56 04 mov edx, [esi+4]
7C934DEA 57 push edi ; count
7C934DEB FF71 04 push dword ptr [ecx+4] ; source Buffer
7C934DEE D1E8 shr eax, 1
7C934DF0 8D1C42 lea ebx, [edx+eax*2] ; ebx = end of the existing text (whole characters)
7C934DF3 53 push ebx
7C934DF4 E8 41D7FEFF call memmove ; memmove(end of destination, source Buffer, count)
7C934DF9 66:8B45 0C mov ax, [ebp+C]
7C934DFD 66:0106 add [esi], ax ; Length += bytes added
7C934E00 66:8B06 mov ax, [esi]
7C934E03 83C4 0C add esp, 0C
7C934E06 66:3B46 02 cmp ax, [esi+2]
7C934E0A 73 07 jnb short 7C934E13 ; buffer exactly full: result is NOT NUL-terminated
7C934E0C D1EF shr edi, 1
7C934E0E 66:83247B 00 and word ptr [ebx+edi*2], 0 ; terminator only when there is room
7C934E13 33C0 xor eax, eax
7C934E15 5F pop edi ; ntdll.7C92E89A
7C934E16 5E pop esi ; ntdll.7C92E89A
7C934E17 5B pop ebx ; ntdll.7C92E89A
7C934E18 5D pop ebp ; ntdll.7C92E89A
7C934E19 C2 0800 retn 8
7C934E1C 90 nop
7C934E1D 90 nop
7C934E1E 90 nop
7C934E1F 90 nop
7C934E20 90 nop
; ---------------------------------------------------------------------------
; Function at 7C934E21: builds "\REGISTRY\USER\<SID string>" for the caller's
; effective token into the descriptor passed in [ebp+8].
; (Presumably RtlFormatCurrentUserKeyPath; the listing does not name it.)
; Convention: stdcall, one dword argument (retn 4).
;   [ebp+8] = output descriptor: word [+0] length, word [+2] capacity,
;             dword [+4] buffer (allocated here)
; Returns an NTSTATUS in eax.
; Locals: [ebp-58] token handle, [ebp-54]..[ebp-5] 0x50-byte query buffer,
;         [ebp-5C] SID string length, [ebp-64] temporary descriptor,
;         [ebp-68] returned length, [ebp-4] copy of [7C99C034].
; ---------------------------------------------------------------------------
7C934E21 > 8BFF mov edi, edi
7C934E23 55 push ebp
7C934E24 8BEC mov ebp, esp
7C934E26 83EC 68 sub esp, 68
; [7C99C034] is saved directly above the 0x50-byte buffer and handed to
; 7C930387 before returning: consistent with a stack-cookie check guarding
; that buffer (NOTE(review): confirm what 7C930387 does).
7C934E29 A1 34C0997C mov eax, [7C99C034]
7C934E2E 53 push ebx
7C934E2F 56 push esi ; ntdll.ZwTerminateProcess
7C934E30 8B75 08 mov esi, [ebp+8]
7C934E33 57 push edi
7C934E34 8945 FC mov [ebp-4], eax
; ZwOpenThreadTokenEx(-2, 0x20008, 1, 0x200, &[ebp-58]).
; -2 is the current-thread pseudo handle; 0x20008 is a read-only access mask
; (TOKEN_READ); 0x200 is passed as the handle-attributes value.
7C934E37 8D45 A8 lea eax, [ebp-58]
7C934E3A 50 push eax
7C934E3B BB 00020000 mov ebx, 200
7C934E40 53 push ebx
7C934E41 6A 01 push 1
7C934E43 BF 08000200 mov edi, 20008
7C934E48 57 push edi
7C934E49 6A FE push -2
7C934E4B E8 D38FFFFF call ZwOpenThreadTokenEx
7C934E50 85C0 test eax, eax
7C934E52 7D 20 jge short 7C934E74
; Only C000007C (STATUS_NO_TOKEN: the thread is not impersonating) falls back
; to the process token; any other failure is returned to the caller as-is.
7C934E54 3D 7C0000C0 cmp eax, C000007C
7C934E59 0F85 B0000000 jnz 7C934F0F
; ZwOpenProcessTokenEx(-1, 0x20008, 0x200, &[ebp-58]): -1 = current process.
7C934E5F 8D45 A8 lea eax, [ebp-58]
7C934E62 50 push eax
7C934E63 53 push ebx
7C934E64 57 push edi
7C934E65 6A FF push -1
7C934E67 E8 398FFFFF call ZwOpenProcessTokenEx
7C934E6C 85C0 test eax, eax
7C934E6E 0F8C 9B000000 jl 7C934F0F
; ZwQueryInformationToken(handle, 1, &[ebp-54], 0x50, &[ebp-68]).
; Information class 1 is TokenUser; the output is bounded to 0x50 bytes by the
; length argument.
7C934E74 8D45 98 lea eax, [ebp-68]
7C934E77 50 push eax
7C934E78 6A 50 push 50
7C934E7A 8D45 AC lea eax, [ebp-54]
7C934E7D 50 push eax
7C934E7E 6A 01 push 1
7C934E80 FF75 A8 push dword ptr [ebp-58] ; ntdll.7C92EE18
7C934E83 E8 BD91FFFF call ZwQueryInformationToken
; The handle is closed unconditionally before the query status (kept in ebx)
; is examined, so it is not leaked on the failure path.
7C934E88 FF75 A8 push dword ptr [ebp-58] ; ntdll.7C92EE18
7C934E8B 8BD8 mov ebx, eax
7C934E8D E8 F486FFFF call ZwClose
7C934E92 33FF xor edi, edi
7C934E94 3BDF cmp ebx, edi
7C934E96 7C 75 jl short 7C934F0D
; 7C934F49(first dword of the query buffer, &[ebp-5C]) yields the byte length
; needed for the SID's string form. The first dword is presumably the SID
; pointer of the returned user entry.
7C934E98 8D45 A4 lea eax, [ebp-5C]
7C934E9B 50 push eax
7C934E9C FF75 AC push dword ptr [ebp-54]
7C934E9F E8 A5000000 call 7C934F49
7C934EA4 3BC7 cmp eax, edi
7C934EA6 7C 67 jl short 7C934F0F
; Capacity = SID string length + 0x22, truncated to 16 bits when stored.
; The prefix is 15 UTF-16 characters (30 bytes). Length starts at 0.
7C934EA8 8B45 A4 mov eax, [ebp-5C]
7C934EAB 83C0 22 add eax, 22
7C934EAE 66:8946 02 mov [esi+2], ax
7C934EB2 0FB7C0 movzx eax, ax
7C934EB5 50 push eax
7C934EB6 66:893E mov [esi], di
; Indirect call through the pointer stored at 7C9309C0 with the capacity as
; its only argument (presumably the string allocator; confirm). A NULL result
; leaves through 7C96B70A, outside this listing.
7C934EB9 FF15 C009937C call [7C9309C0] ; ntdll.7C9309C9
7C934EBF 3BC7 cmp eax, edi
7C934EC1 8946 04 mov [esi+4], eax
7C934EC4 0F84 40680300 je 7C96B70A
7C934ECA 68 1E4F937C push 7C934F1E ; UNICODE "\REGISTRY\USER\"
7C934ECF 56 push esi ; ntdll.ZwTerminateProcess
7C934ED0 E8 6DFEFFFF call RtlAppendUnicodeToString
; Build a temporary descriptor at [ebp-64] that aliases the tail of the output
; buffer: length 0, capacity = SID string length, buffer = output buffer +
; current length. The SID text is then written in place, with no second
; allocation.
7C934ED5 66:8B45 A4 mov ax, [ebp-5C]
7C934ED9 8B4E 04 mov ecx, [esi+4]
7C934EDC 66:8945 9E mov [ebp-62], ax
7C934EE0 0FB706 movzx eax, word ptr [esi]
7C934EE3 D1E8 shr eax, 1
7C934EE5 8D0441 lea eax, [ecx+eax*2]
; RtlConvertSidToUnicodeString(&temporary, SID, 0); the third argument is 0
; (edi), so the callee is not asked to allocate the destination.
7C934EE8 57 push edi
7C934EE9 FF75 AC push dword ptr [ebp-54]
7C934EEC 8945 A0 mov [ebp-60], eax
7C934EEF 8D45 9C lea eax, [ebp-64]
7C934EF2 50 push eax
7C934EF3 66:897D 9C mov [ebp-64], di
7C934EF7 E8 61FBFFFF call RtlConvertSidToUnicodeString
7C934EFC 8BD8 mov ebx, eax
7C934EFE 3BDF cmp ebx, edi
7C934F00 0F8C 0E680300 jl 7C96B714
; Success: extend the output length by what the conversion produced.
7C934F06 66:8B45 9C mov ax, [ebp-64]
7C934F0A 66:0106 add [esi], ax
7C934F0D 8BC3 mov eax, ebx
; Common exit: the value saved from [7C99C034] is passed in ecx to 7C930387
; before the frame is torn down.
7C934F0F 8B4D FC mov ecx, [ebp-4]
7C934F12 5F pop edi ; ntdll.7C92E89A
7C934F13 5E pop esi ; ntdll.7C92E89A
7C934F14 5B pop ebx ; ntdll.7C92E89A
7C934F15 E8 6DB4FFFF call 7C930387
7C934F1A C9 leave
7C934F1B C2 0400 retn 4
; 7C934F1E is DATA, not code: first byte (5C = '\') of the UTF-16LE string
; "\REGISTRY\USER\" pushed at 7C934ECA. The mnemonic is a linear-sweep
; disassembly artifact.
7C934F1E 5C pop esp ; ntdll.7C92E89A
; DATA, not code: continuation of the UTF-16LE string that starts at 7C934F1E
; and is referenced by "push 7C934F1E ; UNICODE "\REGISTRY\USER\"" at 7C934ECA.
; Byte stream: 5C 00 52 00 45 00 47 00 49 00 53 00 54 00 52 00 59 00 5C 00
;              55 00 53 00 45 00 52 00 5C 00, then a 00 00 terminator at
;              7C934F3C..7C934F3D; CC filler starts at 7C934F3E.
; The mnemonics below are what a linear disassembler prints for those bytes
; and have no meaning as instructions.
7C934F1F 0052 00 add [edx], dl
7C934F22 45 inc ebp
7C934F23 0047 00 add [edi], al
7C934F26 49 dec ecx
7C934F27 0053 00 add [ebx], dl
7C934F2A 54 push esp
7C934F2B 0052 00 add [edx], dl
7C934F2E 59 pop ecx ; ntdll.7C92E89A
7C934F2F 005C00 55 add [eax+eax+55], bl
7C934F33 0053 00 add [ebx], dl
7C934F36 45 inc ebp
7C934F37 0052 00 add [edx], dl
7C934F3A 5C pop esp ; ntdll.7C92E89A
7C934F3B 0000 add [eax], al
7C934F3D 00CC add ah, cl
7C934F3F CC int3
7C934F40 CC int3
7C934F41 CC int3
7C934F42 CC int3
7C934F43 CC int3
7C934F44 90 nop
7C934F45 90 nop
7C934F46 90 nop
7C934F47 90 nop
7C934F48 90 nop
; ---------------------------------------------------------------------------
; Function at 7C934F49: computes the byte length needed for the string form of
; a SID. Called from 7C934E9F.
; (Presumably RtlLengthSidAsUnicodeString; not named in the listing.)
; Convention: stdcall, two dword arguments (retn 8).
;   [ebp+8] = SID pointer
;   [ebp+C] = pointer to the dword that receives the length
; Returns 0 in eax on success; an invalid SID leaves through 7C9685F9, outside
; this listing.
; ---------------------------------------------------------------------------
7C934F49 8BFF mov edi, edi
7C934F4B 55 push ebp
7C934F4C 8BEC mov ebp, esp
7C934F4E 56 push esi ; ntdll.ZwTerminateProcess
7C934F4F 8B75 08 mov esi, [ebp+8]
; Validate the SID before reading any of its fields.
7C934F52 56 push esi ; ntdll.ZwTerminateProcess
7C934F53 E8 3FE5FFFF call RtlValidSid
7C934F58 3C 01 cmp al, 1
7C934F5A 0F85 99360300 jnz 7C9685F9
; Bytes +2 and +3 are the first two bytes of the identifier authority in the
; documented SID layout. If either is non-zero the larger constant 0x0E is
; used (pushed at 7C934F88), otherwise 0x0A.
7C934F60 807E 02 00 cmp byte ptr [esi+2], 0
7C934F64 75 22 jnz short 7C934F88
7C934F66 807E 03 00 cmp byte ptr [esi+3], 0
7C934F6A 75 1C jnz short 7C934F88
7C934F6C 6A 0A push 0A
; ecx = byte [esi+1] (sub-authority count in the SID layout) * 0x0B
7C934F6E 0FB64E 01 movzx ecx, byte ptr [esi+1]
7C934F72 6BC9 0B imul ecx, ecx, 0B
; eax = the constant pushed above (0x0A or 0x0E)
7C934F75 58 pop eax ; ntdll.7C92E89A
7C934F76 03C8 add ecx, eax
; result = 2 * (count * 0x0B + constant) + 8. With a one-byte count the value
; stays far below 0x10000, so the 16-bit capacity field the caller fills from
; it cannot truncate.
7C934F78 8D4409 08 lea eax, [ecx+ecx+8]
7C934F7C 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C934F7F 8901 mov [ecx], eax
7C934F81 33C0 xor eax, eax
7C934F83 5E pop esi ; ntdll.7C92E89A
7C934F84 5D pop ebp ; ntdll.7C92E89A
7C934F85 C2 0800 retn 8
; Out-of-line tail for the non-zero authority case: push the larger constant
; and rejoin the common computation.
7C934F88 6A 0E push 0E
7C934F8A ^ EB E2 jmp short 7C934F6E
7C934F8C 90 nop
7C934F8D 90 nop
7C934F8E 90 nop
7C934F8F 90 nop
7C934F90 90 nop
; ---------------------------------------------------------------------------
; Function at 7C934F91: argument validator. Called from 7C935361 with the same
; five arguments its caller received.
; Convention: stdcall, five dword arguments (retn 14).
;   [ebp+8]  = flags; only bits 0..2 may be set
;   [ebp+14] = must be non-zero
;   [ebp+18] = optional pointer to a size-prefixed structure
;   [ebp+C], [ebp+10] are not read in the visible code
; Returns 0 in eax when every visible check passes. Rejections leave through
; 7C94AB21 / 7C9637C7 and the bit-2 case through 7C94AB0D, all outside this
; listing.
; ---------------------------------------------------------------------------
7C934F91 8BFF mov edi, edi
7C934F93 55 push ebp
7C934F94 8BEC mov ebp, esp
7C934F96 33D2 xor edx, edx ; msvcrt.77C31AE8
7C934F98 3955 14 cmp [ebp+14], edx ; msvcrt.77C31AE8
7C934F9B 56 push esi ; ntdll.ZwTerminateProcess
7C934F9C 0F84 7F5B0100 je 7C94AB21
; Reject unknown flag bits up front.
7C934FA2 8B4D 08 mov ecx, [ebp+8]
7C934FA5 F7C1 F8FFFFFF test ecx, FFFFFFF8
7C934FAB 0F85 705B0100 jnz 7C94AB21
; Any of the three defined flags requires the optional structure.
7C934FB1 F6C1 07 test cl, 7
7C934FB4 8B45 18 mov eax, [ebp+18] ; trscd.00454965
7C934FB7 74 08 je short 7C934FC1
7C934FB9 3BC2 cmp eax, edx ; msvcrt.77C31AE8
7C934FBB 0F84 605B0100 je 7C94AB21
; If the structure is present its first dword (used as its size below) must be
; at least 0x24; jb makes this an unsigned comparison.
7C934FC1 3BC2 cmp eax, edx ; msvcrt.77C31AE8
7C934FC3 74 09 je short 7C934FCE
7C934FC5 8338 24 cmp dword ptr [eax], 24
7C934FC8 0F82 535B0100 jb 7C94AB21
; Flag bit 1: the field ending at offset 0x2C must lie inside the declared
; size (structure + 0x2C must not exceed structure + size).
7C934FCE F6C1 02 test cl, 2
7C934FD1 74 11 je short 7C934FE4
7C934FD3 8B30 mov esi, [eax]
7C934FD5 57 push edi
7C934FD6 8D78 2C lea edi, [eax+2C]
7C934FD9 03F0 add esi, eax
7C934FDB 3BFE cmp edi, esi ; ntdll.ZwTerminateProcess
7C934FDD 5F pop edi ; ntdll.7C92E89A
7C934FDE 0F87 E3E70200 ja 7C9637C7
; Flag bit 2 is handled out of line.
7C934FE4 F6C1 04 test cl, 4
7C934FE7 0F85 205B0100 jnz 7C94AB0D
7C934FED 33F6 xor esi, esi ; ntdll.ZwTerminateProcess
7C934FEF 8BC6 mov eax, esi ; ntdll.ZwTerminateProcess
7C934FF1 5E pop esi ; ntdll.7C92E89A
7C934FF2 5D pop ebp ; ntdll.7C92E89A
7C934FF3 C2 1400 retn 14
7C934FF6 90 nop
7C934FF7 90 nop
7C934FF8 90 nop
7C934FF9 90 nop
7C934FFA 90 nop
; ---------------------------------------------------------------------------
; bsearch, entry 7C934FFB (the call at 7C93522E resolves to this address).
; Convention: cdecl (plain retn; the caller at 7C935233 drops 0x14 bytes).
;   [ebp+8]  = key pointer
;   [ebp+C]  = lower bound of the current range (initially the table base)
;   [ebp+10] = element count
;   [ebp+14] = element width in bytes
;   [ebp+18] = comparison callback, called as cmp(key, element)
; Returns NULL at 7C935068 when the range is exhausted. The match path
; (7C93483D) is outside this listing; the tails at 7C9352B6, 7C9352BE and
; 7C9352C5 appear further down.
; NOTE(review): (count - 1) * width is computed with no overflow check and the
; callback is reached through a caller-supplied pointer, so both the bounds
; and the callback are the caller's responsibility.
; ---------------------------------------------------------------------------
7C934FFB > 8BFF mov edi, edi
7C934FFD 55 push ebp
7C934FFE 8BEC mov ebp, esp
7C935000 8B45 10 mov eax, [ebp+10]
7C935003 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C935006 53 push ebx
7C935007 56 push esi ; ntdll.ZwTerminateProcess
7C935008 57 push edi
; edi = upper bound = base + (count - 1) * width
7C935009 8D78 FF lea edi, [eax-1]
7C93500C 0FAF7D 14 imul edi, [ebp+14]
7C935010 03F9 add edi, ecx
7C935012 3BCF cmp ecx, edi
7C935014 894D 0C mov [ebp+C], ecx
7C935017 77 4F ja short 7C935068
; Loop head: eax = elements left in the range; ebx = half of that.
7C935019 8BD8 mov ebx, eax
7C93501B D1EB shr ebx, 1
7C93501D 0F84 A2020000 je 7C9352C5
; [ebp+10] is reused as the parity of the remaining count.
7C935023 8945 10 mov [ebp+10], eax
7C935026 8365 10 01 and dword ptr [ebp+10], 1
7C93502A 8BC3 mov eax, ebx
7C93502C 75 03 jnz short 7C935031
7C93502E 8D43 FF lea eax, [ebx-1]
; esi = midpoint element = lower bound + eax * width
7C935031 0FAF45 14 imul eax, [ebp+14]
7C935035 0345 0C add eax, [ebp+C] ; RPCRT4.77E8F3B0
7C935038 8BF0 mov esi, eax
; cmp(key, midpoint): cdecl callback, its two arguments are popped into ecx.
7C93503A 56 push esi ; ntdll.ZwTerminateProcess
7C93503B FF75 08 push dword ptr [ebp+8]
7C93503E FF55 18 call [ebp+18] ; trscd.00454965
7C935041 85C0 test eax, eax
7C935043 59 pop ecx ; ntdll.7C92E89A
7C935044 59 pop ecx ; ntdll.7C92E89A
; 0 -> match (out of line); positive -> search the upper half (7C9352B6);
; negative -> fall through and search the lower half.
7C935045 ^ 0F84 F2F7FFFF je 7C93483D
7C93504B 0F8D 65020000 jge 7C9352B6
7C935051 2B75 14 sub esi, [ebp+14]
7C935054 837D 10 00 cmp dword ptr [ebp+10], 0
7C935058 8BFE mov edi, esi ; ntdll.ZwTerminateProcess
7C93505A 0F85 5E020000 jnz 7C9352BE
7C935060 8D43 FF lea eax, [ebx-1]
; Continue while lower bound <= upper bound (unsigned).
7C935063 397D 0C cmp [ebp+C], edi
7C935066 ^ 76 B1 jbe short 7C935019
7C935068 33C0 xor eax, eax
7C93506A 5F pop edi ; ntdll.7C92E89A
7C93506B 5E pop esi ; ntdll.7C92E89A
7C93506C 5B pop ebx ; ntdll.7C92E89A
7C93506D 5D pop ebp ; ntdll.7C92E89A
7C93506E C3 retn
7C93506F 90 nop
7C935070 90 nop
7C935071 90 nop
7C935072 90 nop
7C935073 90 nop
; ---------------------------------------------------------------------------
; Function at 7C935074: validates its arguments, resets the state field of the
; request block and forwards to 7C9350CB. Called from 7C935394.
; Convention: stdcall, four dword arguments (retn 10).
;   [ebp+8]  = request block: dword [+0] size (>= 0x18), dword [+4] flags
;              (only bits 0..1 allowed), dword [+10] state (cleared here)
;   [ebp+C]  = must be non-zero (forwarded)
;   [ebp+10] = must be non-zero (forwarded)
;   [ebp+14] = optional output pointer; *ptr is zeroed first
; Returns C000000D (STATUS_INVALID_PARAMETER) for bad arguments, the callee's
; negative status unchanged, or 0 when the callee returned a non-negative one.
; ---------------------------------------------------------------------------
7C935074 8BFF mov edi, edi
7C935076 55 push ebp
7C935077 8BEC mov ebp, esp
; Clear the optional output before any validation can fail.
7C935079 8B4D 14 mov ecx, [ebp+14]
7C93507C 85C9 test ecx, ecx
7C93507E 74 03 je short 7C935083
7C935080 8321 00 and dword ptr [ecx], 0
7C935083 8B45 08 mov eax, [ebp+8]
7C935086 85C0 test eax, eax
7C935088 74 35 je short 7C9350BF
; Size field is compared unsigned (jb) against the minimum of 0x18.
7C93508A 8338 18 cmp dword ptr [eax], 18
7C93508D 72 30 jb short 7C9350BF
7C93508F F740 04 FCFFFFF>test dword ptr [eax+4], FFFFFFFC
7C935096 75 27 jnz short 7C9350BF
7C935098 837D 0C 00 cmp dword ptr [ebp+C], 0
7C93509C 74 21 je short 7C9350BF
7C93509E 837D 10 00 cmp dword ptr [ebp+10], 0
7C9350A2 74 1B je short 7C9350BF
; Reset the state at +10 so that 7C9350CB starts from its first source.
7C9350A4 8360 10 00 and dword ptr [eax+10], 0
7C9350A8 51 push ecx
7C9350A9 FF75 10 push dword ptr [ebp+10]
7C9350AC FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C9350AF 50 push eax
7C9350B0 E8 16000000 call 7C9350CB
; Non-negative statuses are normalised to 0.
7C9350B5 85C0 test eax, eax
7C9350B7 7C 02 jl short 7C9350BB
7C9350B9 33C0 xor eax, eax
7C9350BB 5D pop ebp ; ntdll.7C92E89A
7C9350BC C2 1000 retn 10
7C9350BF B8 0D0000C0 mov eax, C000000D
7C9350C4 ^ EB F5 jmp short 7C9350BB
7C9350C6 90 nop
7C9350C7 90 nop
7C9350C8 90 nop
7C9350C9 90 nop
7C9350CA 90 nop
; ---------------------------------------------------------------------------
; Function at 7C9350CB: picks the next data source according to the state in
; the request block and looks a section up in it through 7C935190.
; Called from 7C9350B0 and 7C935545.
; Convention: stdcall, four dword arguments (retn 10).
;   [ebp+8]  = request block; dword [+8] and [+C] are forwarded, dword [+10]
;              is the state (0, 1, 2, 3), dword [+14] receives result flags
;   [ebp+C], [ebp+10] = forwarded to 7C935190
;   [ebp+14] = optional output pointer
; Locals: [ebp-4] = value read from fs:[18], [ebp-8] = dword at +30 of it.
; NOTE(review): fs:[18] / +30 / +1B0 / +1F8 / +200 match the thread and
; process environment blocks and their activation-context fields on 32-bit
; Windows of this era; confirm against symbols.
; Out-of-line tails of this function appear later in the listing at 7C935299,
; 7C9352E6, 7C9352ED and 7C93541C; 7C934833 and 7C9587BF are not shown.
; ---------------------------------------------------------------------------
7C9350CB 8BFF mov edi, edi
7C9350CD 55 push ebp
7C9350CE 8BEC mov ebp, esp
7C9350D0 51 push ecx
7C9350D1 51 push ecx
7C9350D2 53 push ebx
7C9350D3 56 push esi ; ntdll.ZwTerminateProcess
7C9350D4 57 push edi
7C9350D5 33DB xor ebx, ebx
7C9350D7 33FF xor edi, edi
7C9350D9 64:A1 18000000 mov eax, fs:[18]
7C9350DF 8BD0 mov edx, eax
7C9350E1 8B45 14 mov eax, [ebp+14]
7C9350E4 3BC3 cmp eax, ebx
7C9350E6 8B4A 30 mov ecx, [edx+30] ; ntdll.7C99C920
7C9350E9 8955 FC mov [ebp-4], edx ; msvcrt.77C31AE8
7C9350EC 894D F8 mov [ebp-8], ecx
; Zero the optional output.
7C9350EF 74 02 je short 7C9350F3
7C9350F1 8918 mov [eax], ebx
7C9350F3 8B75 08 mov esi, [ebp+8]
; Dispatch on the state: 0 falls through, other values go to 7C935299.
; 7C9350F6 is also the re-entry point used by the retry tail at 7C935437.
7C9350F6 8B46 10 mov eax, [esi+10]
7C9350F9 83E8 00 sub eax, 0
7C9350FC 0F85 97010000 jnz 7C935299
; State 0: per-thread source first (dword at +1B0 of the fs:[18] block).
7C935102 8B82 B0010000 mov eax, [edx+1B0]
7C935108 85C0 test eax, eax
7C93510A 0F85 DD010000 jnz 7C9352ED
; Next source: dword at +1F8 of the block stored in [ebp-8].
7C935110 8BB9 F8010000 mov edi, [ecx+1F8]
7C935116 33DB xor ebx, ebx
7C935118 85FF test edi, edi
7C93511A 0F85 9F360200 jnz 7C9587BF
; Last source: dword at +200; ebx = -4 marks this source in the output below.
7C935120 8BB9 00020000 mov edi, [ecx+200]
7C935126 85FF test edi, edi
7C935128 6A FC push -4
7C93512A 5B pop ebx ; ntdll.7C92E89A
7C93512B 0F84 76010000 je 7C9352A7
7C935131 C746 10 0300000>mov dword ptr [esi+10], 3
7C935138 85FF test edi, edi
7C93513A ^ 0F84 F3F6FFFF je 7C934833
; 7C935190(source, [esi+8], [esi+C], [ebp+C], [ebp+10])
7C935140 FF75 10 push dword ptr [ebp+10]
7C935143 FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C935146 FF76 0C push dword ptr [esi+C]
7C935149 FF76 08 push dword ptr [esi+8]
7C93514C 57 push edi
7C93514D E8 3E000000 call 7C935190
7C935152 85C0 test eax, eax
7C935154 0F8C C2020000 jl 7C93541C
; Result flags: bit 1 only when ebx == -4, bit 0 only when ebx == 0.
7C93515A 83FB FC cmp ebx, -4
7C93515D 0F85 83010000 jnz 7C9352E6
7C935163 6A 02 push 2
7C935165 58 pop eax ; ntdll.7C92E89A
7C935166 33C9 xor ecx, ecx
7C935168 85DB test ebx, ebx
7C93516A 0F94C1 sete cl
7C93516D 0BC8 or ecx, eax
7C93516F 8B45 14 mov eax, [ebp+14]
7C935172 85C0 test eax, eax
7C935174 894E 14 mov [esi+14], ecx
7C935177 74 09 je short 7C935182
; The -4 marker is never handed back; it is replaced by 0 in the output.
7C935179 83FB FC cmp ebx, -4
7C93517C 75 02 jnz short 7C935180
7C93517E 33DB xor ebx, ebx
7C935180 8918 mov [eax], ebx
7C935182 33C0 xor eax, eax
7C935184 5F pop edi ; ntdll.7C92E89A
7C935185 5E pop esi ; ntdll.7C92E89A
7C935186 5B pop ebx ; ntdll.7C92E89A
7C935187 C9 leave
7C935188 C2 1000 retn 10
7C93518B 90 nop
7C93518C 90 nop
7C93518D 90 nop
7C93518E 90 nop
7C93518F 90 nop
; ---------------------------------------------------------------------------
; Function at 7C935190: finds one section inside a self-describing data blob
; by numeric id, using offsets stored in the blob. Called from 7C93514D.
; Convention: stdcall, five dword arguments (retn 14).
;   [ebp+8]  = blob base; dword [+4] and dword [+C] must both be >= 0x20,
;              [+C] is used as the total size, [+10] is the table-of-contents
;              offset
;   [ebp+C]  = must be 0 on this path (non-zero leaves through 7C9633C8)
;   [ebp+10] = id to look up
;   [ebp+14] = receives the address of the section found
;   [ebp+18] = receives the dword at +8 of the matching entry
; Returns 0 on success; "not found" is C0150001 (set at 7C935412 further
; down). Format-error exits 7C9634xx are outside this listing.
; Why it matters: every offset read from the blob is a potential out-of-bounds
; pointer, so each use should be preceded by a comparison against [ebx+C].
; ---------------------------------------------------------------------------
7C935190 8BFF mov edi, edi
7C935192 55 push ebp
7C935193 8BEC mov ebp, esp
7C935195 83EC 18 sub esp, 18
7C935198 53 push ebx
7C935199 8B5D 08 mov ebx, [ebp+8]
7C93519C 56 push esi ; ntdll.ZwTerminateProcess
7C93519D 8B73 0C mov esi, [ebx+C]
7C9351A0 83FE 20 cmp esi, 20
7C9351A3 57 push edi
7C9351A4 0F82 38E30200 jb 7C9634E2
7C9351AA 837B 04 20 cmp dword ptr [ebx+4], 20
7C9351AE 0F82 2EE30200 jb 7C9634E2
7C9351B4 837D 0C 00 cmp dword ptr [ebp+C], 0
7C9351B8 0F85 0AE20200 jnz 7C9633C8
; eax = base + table-of-contents offset.
; NOTE(review): no comparison of this offset with the size at [ebx+C] is
; visible before the reads at [eax+4], [eax+8] and [eax+C]; confirm it is
; validated elsewhere.
7C9351BE 8B43 10 mov eax, [ebx+10]
7C9351C1 85C0 test eax, eax
7C9351C3 0F84 49020000 je 7C935412
7C9351C9 03C3 add eax, ebx
7C9351CB 85C0 test eax, eax
7C9351CD 0F84 3F020000 je 7C935412
; edi = entry count; zero means nothing to search.
7C9351D3 8B78 04 mov edi, [eax+4]
7C9351D6 85FF test edi, edi
7C9351D8 0F84 34020000 je 7C935412
; ecx = offset of the first entry; it must lie below the total size.
7C9351DE 8B48 08 mov ecx, [eax+8]
7C9351E1 8B53 0C mov edx, [ebx+C]
7C9351E4 3BCA cmp ecx, edx ; msvcrt.77C31AE8
7C9351E6 0F83 DEE20200 jnb 7C9634CA
; End of table = count * 16 + first-entry offset must not pass the total size.
; NOTE(review): the shl discards carry, so a count of 0x10000000 or more would
; wrap the product and could satisfy this check; it is sound only if the count
; is bounded elsewhere.
7C9351EC 8BF7 mov esi, edi
7C9351EE C1E6 04 shl esi, 4
7C9351F1 03F1 add esi, ecx
7C9351F3 3BF2 cmp esi, edx ; msvcrt.77C31AE8
7C9351F5 0F87 CFE20200 ja 7C9634CA
; Flags at +C: bit 1 clear -> 7C963494, bit 0 set -> 7C96347E (both out of
; view). esi = address of the first entry.
7C9351FB 8B40 0C mov eax, [eax+C]
7C9351FE A8 02 test al, 2
7C935200 8D3419 lea esi, [ecx+ebx]
7C935203 0F84 8BE20200 je 7C963494
; Quick reject: an id below the first entry's id cannot be present.
7C935209 8B16 mov edx, [esi]
7C93520B 8B4D 10 mov ecx, [ebp+10]
7C93520E 3BCA cmp ecx, edx ; msvcrt.77C31AE8
7C935210 0F82 FC010000 jb 7C935412
7C935216 A8 01 test al, 1
7C935218 0F85 60E20200 jnz 7C96347E
; bsearch(&id copy at [ebp-18], first entry, count, 0x10, comparator 7C93527C)
7C93521E 68 7C52937C push 7C93527C
7C935223 6A 10 push 10
7C935225 57 push edi
7C935226 8D45 E8 lea eax, [ebp-18]
7C935229 56 push esi ; ntdll.ZwTerminateProcess
7C93522A 50 push eax
7C93522B 894D E8 mov [ebp-18], ecx
7C93522E E8 C8FDFFFF call bsearch
7C935233 83C4 14 add esp, 14
7C935236 85C0 test eax, eax
7C935238 0F84 D4010000 je 7C935412
; ecx = section offset stored in the matching entry; zero means absent.
7C93523E 8B48 04 mov ecx, [eax+4]
7C935241 85C9 test ecx, ecx
7C935243 0F84 C9010000 je 7C935412
; The offset and offset + 4 must both lie inside the blob before the pointer
; is handed to the caller.
7C935249 8B53 0C mov edx, [ebx+C]
7C93524C 3BCA cmp ecx, edx ; msvcrt.77C31AE8
7C93524E 0F83 6AE20200 jnb 7C9634BE
7C935254 8D71 04 lea esi, [ecx+4]
7C935257 3BF2 cmp esi, edx ; msvcrt.77C31AE8
7C935259 0F87 5FE20200 ja 7C9634BE
7C93525F 8B55 14 mov edx, [ebp+14]
7C935262 03CB add ecx, ebx
7C935264 890A mov [edx], ecx
7C935266 8B40 08 mov eax, [eax+8]
7C935269 8B4D 18 mov ecx, [ebp+18] ; trscd.00454965
7C93526C 8901 mov [ecx], eax
7C93526E 33C0 xor eax, eax
; 7C935270 is the shared epilogue; the not-found tail at 7C935412 jumps here.
7C935270 5F pop edi ; ntdll.7C92E89A
7C935271 5E pop esi ; ntdll.7C92E89A
7C935272 5B pop ebx ; ntdll.7C92E89A
7C935273 C9 leave
7C935274 C2 1400 retn 14
7C935277 90 nop
7C935278 90 nop
7C935279 90 nop
7C93527A 90 nop
7C93527B 90 nop
; ---------------------------------------------------------------------------
; Function at 7C93527C: comparison callback passed to bsearch at 7C93521E.
; Convention: cdecl, two pointer arguments (plain retn).
;   [ebp+8] = pointer to the key dword, [ebp+C] = pointer to a table entry
; Compares the two leading dwords as UNSIGNED values and returns
;   -1 when key < entry (tail at 7C93540D, further down in the listing),
;    0 when equal, 1 when key > entry.
; ---------------------------------------------------------------------------
7C93527C 8BFF mov edi, edi
7C93527E 55 push ebp
7C93527F 8BEC mov ebp, esp
7C935281 8B45 08 mov eax, [ebp+8]
7C935284 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C935287 8B00 mov eax, [eax]
7C935289 8B09 mov ecx, [ecx]
7C93528B 3BC8 cmp ecx, eax
7C93528D 0F87 7A010000 ja 7C93540D
; sbb/neg turns the borrow from the cmp into 1 (entry < key) or 0 (equal).
7C935293 1BC0 sbb eax, eax
7C935295 F7D8 neg eax
7C935297 5D pop ebp ; ntdll.7C92E89A
7C935298 C3 retn
; ---------------------------------------------------------------------------
; Out-of-line fragments. These are not functions of their own: each one is
; reached by a conditional jump from a function earlier in the listing and
; jumps back into it.
; ---------------------------------------------------------------------------
; Tail of 7C9350CB (from jnz at 7C9350FC): state dispatch on [esi+10].
; State 1 resumes at 7C935110, state 2 at 7C935120; anything else falls to the
; range check at 7C9352A7.
7C935299 48 dec eax
7C93529A ^ 0F84 70FEFFFF je 7C935110
7C9352A0 48 dec eax
7C9352A1 ^ 0F84 79FEFFFF je 7C935120
; Also reached from je at 7C93512B. States above 3 are rejected out of view
; (7C9587CB); otherwise continue at the edi test.
7C9352A7 837E 10 03 cmp dword ptr [esi+10], 3
7C9352AB 0F87 1A350200 ja 7C9587CB
7C9352B1 ^ E9 82FEFFFF jmp 7C935138
; Tail of bsearch (from jge at 7C93504B): the key is above the midpoint, so
; the lower bound becomes midpoint + width.
7C9352B6 8B45 14 mov eax, [ebp+14]
7C9352B9 03F0 add esi, eax
7C9352BB 8975 0C mov [ebp+C], esi ; ntdll.ZwTerminateProcess
; Also reached from jnz at 7C93505A: remaining count = half.
7C9352BE 8BC3 mov eax, ebx
7C9352C0 ^ E9 9EFDFFFF jmp 7C935063
; Tail of bsearch (from je at 7C93501D): at most one element is left.
; With none left return NULL; otherwise compare once and return the lower
; bound on equality, NULL otherwise (neg/sbb/not builds the mask).
7C9352C5 85C0 test eax, eax
7C9352C7 ^ 0F84 9BFDFFFF je 7C935068
7C9352CD FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C9352D0 FF75 08 push dword ptr [ebp+8]
7C9352D3 FF55 18 call [ebp+18] ; trscd.00454965
7C9352D6 F7D8 neg eax
7C9352D8 1BC0 sbb eax, eax
7C9352DA 59 pop ecx ; ntdll.7C92E89A
7C9352DB F7D0 not eax
7C9352DD 2345 0C and eax, [ebp+C] ; RPCRT4.77E8F3B0
7C9352E0 59 pop ecx ; ntdll.7C92E89A
7C9352E1 ^ E9 84FDFFFF jmp 7C93506A
; Tail of 7C9350CB (from jnz at 7C93515D): source marker is not -4, so bit 1
; of the result flags stays clear.
7C9352E6 33C0 xor eax, eax
7C9352E8 ^ E9 79FEFFFF jmp 7C935166
; Tail of 7C9350CB (from jnz at 7C93510A): a per-thread entry exists.
; ebx = dword at +4 of it; 0 and -4 are special values, anything else is
; dereferenced at +8 to obtain the data pointer.
7C9352ED 8B58 04 mov ebx, [eax+4]
7C9352F0 85DB test ebx, ebx
7C9352F2 74 0C je short 7C935300
7C9352F4 83FB FC cmp ebx, -4
7C9352F7 0F84 BFE40200 je 7C9637BC
7C9352FD 8B7B 08 mov edi, [ebx+8]
; No data from this source: fall back to the next one; otherwise record
; state 1 and perform the lookup.
7C935300 85FF test edi, edi
7C935302 ^ 0F84 08FEFFFF je 7C935110
7C935308 C746 10 0100000>mov dword ptr [esi+10], 1
7C93530F ^ E9 24FEFFFF jmp 7C935138
7C935314 90 nop
7C935315 90 nop
7C935316 90 nop
7C935317 90 nop
7C935318 90 nop
; ---------------------------------------------------------------------------
; Function at 7C935319: looks a string key up in a keyed section, trying each
; available data source in turn.
; (Presumably RtlFindActivationContextSectionString; not named in the
; listing.)
; Convention: stdcall, five dword arguments (retn 14).
;   [ebp+8]  = flags (validated by 7C934F91)
;   [ebp+C], [ebp+10] = section selector values copied into the request block;
;              [ebp+10] is later reused to hold the section pointer
;   [ebp+14] = key string, [ebp+18] = optional result structure
; Locals: [ebp-28] 0x18-byte request block, [ebp-4] section length,
;         [ebp-8], [ebp-C], [ebp-10] scratch outputs.
; Status values seen here: C0150008 (STATUS_SXS_KEY_NOT_FOUND) and C0150001
; (STATUS_SXS_SECTION_NOT_FOUND).
; Success continuations 7C9378F8 / 7C935F95 and the format-error exits
; 7C963DDF / 7C963DE2 are outside this listing.
; ---------------------------------------------------------------------------
7C935319 > 8BFF mov edi, edi
7C93531B 55 push ebp
7C93531C 8BEC mov ebp, esp
7C93531E 83EC 28 sub esp, 28
7C935321 53 push ebx
; Fast exit when neither process-wide data pointer (+1F8, +200 of the block
; at fs:[18]+30) is set; handled at 7C94AB77, out of view.
7C935322 64:A1 18000000 mov eax, fs:[18]
7C935328 8B48 30 mov ecx, [eax+30]
7C93532B 33DB xor ebx, ebx
7C93532D 3999 F8010000 cmp [ecx+1F8], ebx
7C935333 75 0C jnz short 7C935341
7C935335 3999 00020000 cmp [ecx+200], ebx
7C93533B 0F84 36580100 je 7C94AB77
7C935341 834D F0 FF or dword ptr [ebp-10], FFFFFFFF
7C935345 56 push esi ; ntdll.ZwTerminateProcess
7C935346 8B75 10 mov esi, [ebp+10]
7C935349 57 push edi
; Validate all five caller arguments before any of them is used.
7C93534A FF75 18 push dword ptr [ebp+18] ; trscd.00454965
7C93534D 8B7D 0C mov edi, [ebp+C] ; RPCRT4.77E8F3B0
7C935350 FF75 14 push dword ptr [ebp+14]
7C935353 895D FC mov [ebp-4], ebx
7C935356 56 push esi ; ntdll.ZwTerminateProcess
7C935357 57 push edi
7C935358 FF75 08 push dword ptr [ebp+8]
7C93535B 895D F8 mov [ebp-8], ebx
7C93535E 895D F4 mov [ebp-C], ebx
7C935361 E8 2BFCFFFF call 7C934F91
7C935366 3BC3 cmp eax, ebx
7C935368 0F8C 98000000 jl 7C935406
; Fill the request block at [ebp-28]: size 0x18, flags, the two selector
; values, and 0 in the last dword; the state at +10 is cleared by 7C935074.
7C93536E 8B45 08 mov eax, [ebp+8]
7C935371 8945 DC mov [ebp-24], eax
7C935374 8D45 F4 lea eax, [ebp-C]
7C935377 50 push eax
7C935378 8D45 FC lea eax, [ebp-4]
7C93537B 50 push eax
7C93537C 8D45 10 lea eax, [ebp+10]
7C93537F 50 push eax
7C935380 8D45 D8 lea eax, [ebp-28]
7C935383 50 push eax
7C935384 C745 D8 1800000>mov dword ptr [ebp-28], 18
7C93538B 895D EC mov [ebp-14], ebx
7C93538E 897D E0 mov [ebp-20], edi
7C935391 8975 E4 mov [ebp-1C], esi ; ntdll.ZwTerminateProcess
; 7C935074(&request, &section pointer, &section length, &[ebp-C])
7C935394 E8 DBFCFFFF call 7C935074
7C935399 3BC3 cmp eax, ebx
7C93539B 7C 69 jl short 7C935406
; Sanity checks on the section before parsing it: at least 0x2C bytes long
; and starting with the magic dword 64487353 (bytes 53 73 48 64).
7C93539D 837D FC 2C cmp dword ptr [ebp-4], 2C
7C9353A1 0F82 38EA0200 jb 7C963DDF
7C9353A7 BE 080015C0 mov esi, C0150008
7C9353AC 8B7D 10 mov edi, [ebp+10]
7C9353AF 813F 53734864 cmp dword ptr [edi], 64487353
7C9353B5 0F85 27EA0200 jnz 7C963DE2
; 7C93555C(section, length, key, result, &[ebp-10], &[ebp-8], 0, 0)
7C9353BB 53 push ebx
7C9353BC 53 push ebx
7C9353BD 8D45 F8 lea eax, [ebp-8]
7C9353C0 50 push eax
7C9353C1 8D45 F0 lea eax, [ebp-10]
7C9353C4 50 push eax
7C9353C5 FF75 18 push dword ptr [ebp+18] ; trscd.00454965
7C9353C8 FF75 14 push dword ptr [ebp+14]
7C9353CB FF75 FC push dword ptr [ebp-4]
7C9353CE 57 push edi
7C9353CF E8 88010000 call 7C93555C
7C9353D4 3BC3 cmp eax, ebx
7C9353D6 0F8D 1C250000 jge 7C9378F8
; Only "key not found" moves on to the next data source; every other error
; is returned unchanged.
7C9353DC 3BC6 cmp eax, esi ; ntdll.ZwTerminateProcess
7C9353DE 75 26 jnz short 7C935406
7C9353E0 8D45 F4 lea eax, [ebp-C]
7C9353E3 50 push eax
7C9353E4 8D45 FC lea eax, [ebp-4]
7C9353E7 50 push eax
7C9353E8 8D45 10 lea eax, [ebp+10]
7C9353EB 50 push eax
7C9353EC 8D45 D8 lea eax, [ebp-28]
7C9353EF 50 push eax
7C9353F0 E8 FB000000 call 7C9354F0
7C9353F5 3BC3 cmp eax, ebx
7C9353F7 0F8D 980B0000 jge 7C935F95
; Running out of sources (C0150001) is reported to the caller as C0150008.
7C9353FD 3D 010015C0 cmp eax, C0150001
7C935402 75 02 jnz short 7C935406
7C935404 8BC6 mov eax, esi ; ntdll.ZwTerminateProcess
7C935406 5F pop edi ; ntdll.7C92E89A
7C935407 5E pop esi ; ntdll.7C92E89A
7C935408 5B pop ebx ; ntdll.7C92E89A
7C935409 C9 leave
7C93540A C2 1400 retn 14
; ---------------------------------------------------------------------------
; Out-of-line fragments belonging to functions earlier in the listing.
; ---------------------------------------------------------------------------
; Tail of the comparator at 7C93527C (from ja at 7C93528D): return -1.
7C93540D 83C8 FF or eax, FFFFFFFF
7C935410 5D pop ebp ; ntdll.7C92E89A
7C935411 C3 retn
; Tail of 7C935190: every "not found" branch lands here and returns C0150001
; through the shared epilogue at 7C935270.
7C935412 B8 010015C0 mov eax, C0150001
7C935417 ^ E9 54FEFFFF jmp 7C935270
; Tail of 7C9350CB (from jl at 7C935154): the lookup failed. Anything other
; than C0150001 is returned as-is, and so is C0150001 once the last source
; (state 3) has been tried; otherwise reload the saved locals and retry at
; 7C9350F6 with the next source.
7C93541C 3D 010015C0 cmp eax, C0150001
7C935421 ^ 0F85 5DFDFFFF jnz 7C935184
7C935427 837E 10 03 cmp dword ptr [esi+10], 3
7C93542B ^ 0F84 53FDFFFF je 7C935184
7C935431 8B55 FC mov edx, [ebp-4]
7C935434 8B4D F8 mov ecx, [ebp-8] ; kernel32.7C81CA78
7C935437 ^ E9 BAFCFFFF jmp 7C9350F6
; Fragment of a function that is not part of this listing (it returns to
; 7C9300F2). (eax - 1) | 7 == -1 filters out eax values 0 and -7..-1, a dword
; of -1 at [eax] is also skipped, and otherwise the dword at [eax] is
; atomically incremented: the shape of a reference-count increment that
; ignores sentinel pointers and pinned counters.
7C93543C 8D48 FF lea ecx, [eax-1]
7C93543F 83C9 07 or ecx, 7
7C935442 83F9 FF cmp ecx, -1
7C935445 ^ 0F84 A7ACFFFF je 7C9300F2
7C93544B 8338 FF cmp dword ptr [eax], -1
7C93544E ^ 0F84 9EACFFFF je 7C9300F2
7C935454 33C9 xor ecx, ecx
7C935456 41 inc ecx
7C935457 F0:0FC108 lock xadd [eax], ecx
7C93545B ^ E9 92ACFFFF jmp 7C9300F2
7C935460 90 nop
7C935461 90 nop
7C935462 90 nop
7C935463 90 nop
7C935464 90 nop
; ---------------------------------------------------------------------------
; RtlHashUnicodeString, entry 7C935465 (the call at 7C9355C4 resolves here).
; Convention: stdcall, four dword arguments (retn 10).
;   [ebp+8]  = counted wide string (word length in bytes, dword buffer at +4)
;   [ebp+C]  = byte flag: non-zero selects the case-insensitive loop below;
;              zero goes to 7C9403C6 (out of view)
;   [ebp+10] = algorithm id; values above 1 are rejected
;   [ebp+14] = receives the hash
; Returns 0 on success; rejections leave through 7C94BC90 (out of view).
; Hash: h = h * 0x1003F + c for each character, with 'a'..'z' folded to upper
; case. This is a plain multiplicative table hash with no secret input, so it
; offers no collision resistance; treat it as a lookup aid only.
; ---------------------------------------------------------------------------
7C935465 > 8BFF mov edi, edi
7C935467 55 push ebp
7C935468 8BEC mov ebp, esp
7C93546A 51 push ecx
7C93546B 8B45 08 mov eax, [ebp+8]
7C93546E 33C9 xor ecx, ecx
7C935470 3BC1 cmp eax, ecx
7C935472 56 push esi ; ntdll.ZwTerminateProcess
7C935473 57 push edi
7C935474 894D FC mov [ebp-4], ecx
7C935477 0F84 13680100 je 7C94BC90
7C93547D 8B7D 14 mov edi, [ebp+14]
7C935480 3BF9 cmp edi, ecx
7C935482 0F84 08680100 je 7C94BC90
; esi = character pointer, *output = 0, eax = length in characters.
7C935488 8B70 04 mov esi, [eax+4]
7C93548B 890F mov [edi], ecx
7C93548D 0FB700 movzx eax, word ptr [eax]
7C935490 D1E8 shr eax, 1
7C935492 837D 10 01 cmp dword ptr [ebp+10], 1
7C935496 0F87 F4670100 ja 7C94BC90
7C93549C 384D 0C cmp [ebp+C], cl
7C93549F 0F84 21AF0000 je 7C9403C6
; Empty string: the hash stays 0.
7C9354A5 3BC1 cmp eax, ecx
7C9354A7 74 38 je short 7C9354E1
; [ebp+C] is reused as the loop counter. The dword at 7C99C04C is loaded into
; eax but not used in the visible loop (presumably for the out-of-line path at
; 7C94BC62 that handles characters above 'z').
7C9354A9 8945 0C mov [ebp+C], eax
7C9354AC A1 4CC0997C mov eax, [7C99C04C]
7C9354B1 53 push ebx
; Loop: fetch one character and advance the pointer by 2.
7C9354B2 66:8B16 mov dx, [esi]
7C9354B5 46 inc esi ; ntdll.ZwTerminateProcess
7C9354B6 46 inc esi ; ntdll.ZwTerminateProcess
; Below 'a' (0x61): use as is. 'a'..'z': subtract 0x20. Above 'z' (0x7A):
; handled out of line.
7C9354B7 66:83FA 61 cmp dx, 61
7C9354BB 0FB7CA movzx ecx, dx
7C9354BE 72 0D jb short 7C9354CD
7C9354C0 66:83FA 7A cmp dx, 7A
7C9354C4 0F87 98670100 ja 7C94BC62
7C9354CA 83E9 20 sub ecx, 20
; h = h * 0x1003F + c; 32-bit wrap-around is part of the algorithm.
7C9354CD 8B55 FC mov edx, [ebp-4]
7C9354D0 69D2 3F000100 imul edx, edx, 1003F ; msvcrt.77C31AE8
7C9354D6 03CA add ecx, edx ; msvcrt.77C31AE8
7C9354D8 FF4D 0C dec dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C9354DB 894D FC mov [ebp-4], ecx
7C9354DE ^ 75 D2 jnz short 7C9354B2
7C9354E0 5B pop ebx ; ntdll.7C92E89A
7C9354E1 890F mov [edi], ecx
7C9354E3 33C0 xor eax, eax
7C9354E5 5F pop edi ; ntdll.7C92E89A
7C9354E6 5E pop esi ; ntdll.7C92E89A
7C9354E7 C9 leave
7C9354E8 C2 1000 retn 10
7C9354EB 90 nop
7C9354EC 90 nop
7C9354ED 90 nop
7C9354EE 90 nop
7C9354EF 90 nop
; ---------------------------------------------------------------------------
; Function at 7C9354F0: continues a lookup with the next data source.
; Called from 7C9353F0. It applies the same argument checks as 7C935074 but
; does NOT reset the state at +10 of the request block, so 7C9350CB resumes
; where the previous attempt stopped.
; Convention: stdcall, four dword arguments (retn 10).
;   [ebp+8]  = request block (size >= 0x18, flags limited to bits 0..1)
;   [ebp+C], [ebp+10] = non-zero, forwarded
;   [ebp+14] = optional output pointer; *ptr is zeroed first
; Local [ebp-4] is passed as the callee's output slot.
; A negative status from 7C9350CB is returned from here; the success
; continuation (7C935F73) and the bad-argument exit (7C935F8B) are outside
; this listing.
; ---------------------------------------------------------------------------
7C9354F0 8BFF mov edi, edi
7C9354F2 55 push ebp
7C9354F3 8BEC mov ebp, esp
7C9354F5 51 push ecx
7C9354F6 8365 FC 00 and dword ptr [ebp-4], 0
7C9354FA 57 push edi
7C9354FB 8B7D 14 mov edi, [ebp+14]
7C9354FE 85FF test edi, edi
7C935500 74 03 je short 7C935505
7C935502 8327 00 and dword ptr [edi], 0
7C935505 8B45 08 mov eax, [ebp+8]
7C935508 85C0 test eax, eax
7C93550A 0F84 7B0A0000 je 7C935F8B
7C935510 8338 18 cmp dword ptr [eax], 18
7C935513 0F82 720A0000 jb 7C935F8B
7C935519 F740 04 FCFFFFF>test dword ptr [eax+4], FFFFFFFC
7C935520 0F85 650A0000 jnz 7C935F8B
7C935526 837D 0C 00 cmp dword ptr [ebp+C], 0
7C93552A 0F84 5B0A0000 je 7C935F8B
7C935530 837D 10 00 cmp dword ptr [ebp+10], 0
7C935534 0F84 510A0000 je 7C935F8B
; 7C9350CB(request, [ebp+C], [ebp+10], &[ebp-4])
7C93553A 8D4D FC lea ecx, [ebp-4]
7C93553D 51 push ecx
7C93553E FF75 10 push dword ptr [ebp+10]
7C935541 FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C935544 50 push eax
7C935545 E8 81FBFFFF call 7C9350CB
7C93554A 85C0 test eax, eax
7C93554C 0F8D 210A0000 jge 7C935F73
7C935552 5F pop edi ; ntdll.7C92E89A
7C935553 C9 leave
7C935554 C2 1000 retn 10
7C935557 90 nop
7C935558 90 nop
7C935559 90 nop
7C93555A 90 nop
7C93555B 90 nop
; ---------------------------------------------------------------------------
; Function at 7C93555C: hash-table lookup of a string key inside a section
; whose header starts with the magic dword 64487353. Called from 7C9353CF.
; Convention: stdcall, eight dword arguments (retn 20).
;   [ebp+8]  = section header (the slot's low byte is later reused as the
;              case-insensitivity flag taken from bit 0 of byte [header+10])
;   [ebp+C]  = section length; entry offsets are compared against it
;   [ebp+10] = key string (passed to RtlHashUnicodeString)
;   [ebp+18] = pointer to the algorithm id the cached hash was computed with
;   [ebp+1C] = pointer to the cached hash value
;   [ebp+20], [ebp+24] = must be 0 on this path
;   [ebp+14] is not read in the visible code
; Returns C0150008 (STATUS_SXS_KEY_NOT_FOUND) when the bucket holds no entry
; with the same hash. The candidate-match path (7C9379B9), the no-table paths
; (7C935EAD / 7C935ECB) and all error exits 7C9639xx are outside this listing.
; NOTE(review): the checks marked below are the ones a reader should expect
; when offsets and counts come from the data being parsed; where the visible
; code has none, confirm that validation happens before this function runs.
; ---------------------------------------------------------------------------
7C93555C 8BFF mov edi, edi
7C93555E 55 push ebp
7C93555F 8BEC mov ebp, esp
7C935561 83EC 2C sub esp, 2C
7C935564 53 push ebx
7C935565 56 push esi ; ntdll.ZwTerminateProcess
7C935566 8B75 08 mov esi, [ebp+8]
7C935569 8A46 10 mov al, [esi+10]
7C93556C 24 01 and al, 1
7C93556E 8845 08 mov [ebp+8], al
7C935571 8B45 20 mov eax, [ebp+20] ; trscd.00454AA4
7C935574 33DB xor ebx, ebx
7C935576 3BC3 cmp eax, ebx
; Two local byte flags, both set to 1 on this path.
7C935578 C645 FF 01 mov byte ptr [ebp-1], 1
7C93557C C645 FE 01 mov byte ptr [ebp-2], 1
7C935580 0F85 C4E30200 jnz 7C96394A
7C935586 8B45 24 mov eax, [ebp+24]
7C935589 3BC3 cmp eax, ebx
7C93558B 0F85 C0E30200 jnz 7C963951
; Header checks: magic, non-zero dword at +14, algorithm id at +1C not -1.
7C935591 813E 53734864 cmp dword ptr [esi], 64487353
7C935597 0F85 BBE30200 jnz 7C963958
7C93559D 395E 14 cmp [esi+14], ebx
7C9355A0 0F84 BCE30200 je 7C963962
7C9355A6 8B46 1C mov eax, [esi+1C]
7C9355A9 83F8 FF cmp eax, -1
7C9355AC 57 push edi
7C9355AD 0F84 B9E30200 je 7C96396C
; Re-hash the key only when the cached hash was produced with a different
; algorithm id than this section uses; then record the id.
7C9355B3 8B7D 18 mov edi, [ebp+18] ; trscd.00454965
7C9355B6 3907 cmp [edi], eax
7C9355B8 74 1C je short 7C9355D6
7C9355BA FF75 1C push dword ptr [ebp+1C]
7C9355BD 50 push eax
7C9355BE FF75 08 push dword ptr [ebp+8]
7C9355C1 FF75 10 push dword ptr [ebp+10]
7C9355C4 E8 9CFEFFFF call RtlHashUnicodeString
7C9355C9 3BC3 cmp eax, ebx
7C9355CB 0F8C A8E30200 jl 7C963979
7C9355D1 8B46 1C mov eax, [esi+1C]
7C9355D4 8907 mov [edi], eax
; Only value 1 at +8 is handled here.
7C9355D6 837E 08 01 cmp dword ptr [esi+8], 1
7C9355DA 0F85 D4E30200 jnz 7C9639B4
; ecx = hash-table offset from the header; 0 means no hash table.
; NOTE(review): the offset is not compared with [ebp+C] in the visible code.
7C9355E0 8B4E 20 mov ecx, [esi+20]
7C9355E3 3BCB cmp ecx, ebx
7C9355E5 0F84 C2080000 je 7C935EAD
7C9355EB 807D FF 00 cmp byte ptr [ebp-1], 0
7C9355EF 0F84 D6080000 je 7C935ECB
; edx = hash mod bucket count (unsigned div, edx cleared first).
; NOTE(review): the divisor is read from the section with no visible zero
; check; a zero bucket count would raise a divide fault here.
7C9355F5 8B45 1C mov eax, [ebp+1C]
7C9355F8 8B00 mov eax, [eax]
7C9355FA 03CE add ecx, esi ; ntdll.ZwTerminateProcess
7C9355FC 33D2 xor edx, edx ; msvcrt.77C31AE8
7C9355FE F731 div dword ptr [ecx]
; edi = bucket = header + bucket-array offset + index * 8;
; dword [edi] = chain length, dword [edi+4] = offset of the chain array.
; NOTE(review): neither offset is bounds-checked in the visible code.
7C935600 8B41 04 mov eax, [ecx+4]
7C935603 33C9 xor ecx, ecx
7C935605 894D 18 mov [ebp+18], ecx
7C935608 8D3CD0 lea edi, [eax+edx*8]
7C93560B 03FE add edi, esi ; ntdll.ZwTerminateProcess
7C93560D 8B5F 04 mov ebx, [edi+4]
7C935610 03DE add ebx, esi ; ntdll.ZwTerminateProcess
7C935612 390F cmp [edi], ecx
7C935614 8955 F8 mov [ebp-8], edx ; msvcrt.77C31AE8
7C935617 76 33 jbe short 7C93564C
; Chain walk; [ebp+18] is reused as the chain index. Each entry offset IS
; checked against the section length before the entry is dereferenced.
7C935619 8B048B mov eax, [ebx+ecx*4]
7C93561C 3B45 0C cmp eax, [ebp+C] ; RPCRT4.77E8F3B0
7C93561F 0F87 98E30200 ja 7C9639BD
7C935625 03C6 add eax, esi ; ntdll.ZwTerminateProcess
7C935627 807D FE 00 cmp byte ptr [ebp-2], 0
7C93562B 8945 F4 mov [ebp-C], eax
7C93562E 0F84 85230000 je 7C9379B9
; Entries whose stored hash equals the key hash go to the comparison path.
7C935634 8B08 mov ecx, [eax]
7C935636 8B55 1C mov edx, [ebp+1C]
7C935639 3B0A cmp ecx, [edx] ; ntdll.7C99C8E0
7C93563B 0F84 78230000 je 7C9379B9
7C935641 8B4D 18 mov ecx, [ebp+18] ; trscd.00454965
7C935644 41 inc ecx
7C935645 3B0F cmp ecx, [edi]
7C935647 894D 18 mov [ebp+18], ecx
7C93564A ^ 72 CD jb short 7C935619
7C93564C B8 080015C0 mov eax, C0150008
7C935651 5F pop edi ; ntdll.7C92E89A
7C935652 5E pop esi ; ntdll.7C92E89A
7C935653 5B pop ebx ; ntdll.7C92E89A
7C935654 C9 leave
7C935655 C2 2000 retn 20
7C935658 90 nop
7C935659 90 nop
7C93565A 90 nop
7C93565B 90 nop
7C93565C 90 nop
; ---------------------------------------------------------------------------
; Function at 7C93565D: initialises a string-buffer bookkeeping structure.
; Called from 7C9358B1.
; Convention: non-standard. Two values arrive in registers and two on the
; stack (retn 8):
;   edi      = counted-string descriptor (word capacity at +2, buffer at +4);
;              NULL leaves through 7C94BA7D
;   eax      = structure to initialise (at least 0x31 bytes are written)
;   [ebp+8]  = stored at +28, [ebp+C] = stored at +2C
; The structure ends up with the buffer pointer at +4/+8/+C, the even-rounded
; capacity at +10/+14 and in the word at +2, length 0 in the word at +0, the
; descriptor pointer at +24 and the byte at +30 set to 1.
; eax is not reloaded on the visible path, so it still holds the structure
; pointer at the retn.
; ---------------------------------------------------------------------------
7C93565D 8BFF mov edi, edi
7C93565F 55 push ebp
7C935660 8BEC mov ebp, esp
7C935662 85FF test edi, edi
7C935664 56 push esi ; ntdll.ZwTerminateProcess
7C935665 0F84 12640100 je 7C94BA7D
; ecx = capacity rounded down to an even byte count.
7C93566B 0FB74F 02 movzx ecx, word ptr [edi+2]
7C93566F 8B57 04 mov edx, [edi+4]
7C935672 83E1 FE and ecx, FFFFFFFE
; A zero-extended word masked with ...FE cannot exceed 0xFFFE, so this upper
; bound never fires as written; the lower bound (at least one character)
; below is the effective check.
7C935675 BE FEFF0000 mov esi, 0FFFE
7C93567A 3BCE cmp ecx, esi ; ntdll.ZwTerminateProcess
7C93567C 0F87 380D0300 ja 7C9663BA
7C935682 6A 02 push 2
7C935684 5E pop esi ; ntdll.7C92E89A
7C935685 3BCE cmp ecx, esi ; ntdll.ZwTerminateProcess
7C935687 0F82 340D0300 jb 7C9663C1
; The test result is consumed by the je at 7C93569E; the mov instructions in
; between do not modify flags.
7C93568D 85D2 test edx, edx ; msvcrt.77C31AE8
7C93568F 8950 08 mov [eax+8], edx ; msvcrt.77C31AE8
7C935692 8948 10 mov [eax+10], ecx
7C935695 8950 0C mov [eax+C], edx ; msvcrt.77C31AE8
7C935698 8948 14 mov [eax+14], ecx
7C93569B 8950 04 mov [eax+4], edx ; msvcrt.77C31AE8
7C93569E 74 04 je short 7C9356A4
; Non-NULL buffer: start it as an empty, terminated string.
7C9356A0 66:8322 00 and word ptr [edx], 0
7C9356A4 66:8948 02 mov [eax+2], cx
7C9356A8 8B4D 08 mov ecx, [ebp+8]
7C9356AB 66:8320 00 and word ptr [eax], 0
7C9356AF 8948 28 mov [eax+28], ecx
7C9356B2 8B4D 0C mov ecx, [ebp+C] ; RPCRT4.77E8F3B0
7C9356B5 8978 24 mov [eax+24], edi
7C9356B8 8948 2C mov [eax+2C], ecx
7C9356BB C640 30 01 mov byte ptr [eax+30], 1
7C9356BF 5E pop esi ; ntdll.7C92E89A
7C9356C0 5D pop ebp ; ntdll.7C92E89A
7C9356C1 C2 0800 retn 8
7C9356C4 90 nop
7C9356C5 90 nop
7C9356C6 90 nop
7C9356C7 90 nop
7C9356C8 90 nop
; ---------------------------------------------------------------------------
; Function at 7C9356C9: checks a counted string for characters from the set
; described at 7C93572C. Called from 7C935914.
; Convention: non-standard. Two values arrive in registers and two on the
; stack (retn 8):
;   esi      = string to scan; NULL leaves through 7C9367DA
;   edi      = second string; when NULL or empty the function returns 0
;              without scanning
;   [ebp+8]  = must be non-zero (otherwise 7C9367DA)
;   [ebp+C]  = pointer to a result byte, cleared on entry
; Returns 0 in eax on the visible paths. Where the result byte is set is not
; visible; the continuations 7C9367CA / 7C9367E4 are outside this listing.
; ---------------------------------------------------------------------------
7C9356C9 8BFF mov edi, edi
7C9356CB 55 push ebp
7C9356CC 8BEC mov ebp, esp
7C9356CE 83EC 18 sub esp, 18
7C9356D1 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C9356D4 53 push ebx
7C9356D5 33DB xor ebx, ebx
7C9356D7 3BF3 cmp esi, ebx
7C9356D9 8818 mov [eax], bl
7C9356DB 0F84 F9100000 je 7C9367DA
7C9356E1 395D 08 cmp [ebp+8], ebx
7C9356E4 0F84 F0100000 je 7C9367DA
7C9356EA 3BFB cmp edi, ebx
7C9356EC 74 34 je short 7C935722
7C9356EE 66:391F cmp [edi], bx
7C9356F1 74 2F je short 7C935722
; RtlFindCharInUnicodeString(1, esi, 7C93572C, &[ebp-8]); 7C93572C is a small
; descriptor stored in the code section right after this function.
7C9356F3 8D45 F8 lea eax, [ebp-8]
7C9356F6 50 push eax
7C9356F7 68 2C57937C push 7C93572C
7C9356FC 56 push esi ; ntdll.ZwTerminateProcess
7C9356FD 6A 01 push 1
7C9356FF 885D FF mov [ebp-1], bl
7C935702 E8 62040000 call RtlFindCharInUnicodeString
7C935707 3BC3 cmp eax, ebx
7C935709 0F8C BB100000 jl 7C9367CA
; Success: the local flag becomes 1. eax is then zeroed, so the jl below
; cannot be taken from this fall-through, and with the flag at 1 the je at
; 7C93571C is not taken either; other entries into 7C935713 may exist out of
; view.
7C93570F C645 FF 01 mov byte ptr [ebp-1], 1
7C935713 33C0 xor eax, eax
7C935715 3BC3 cmp eax, ebx
7C935717 7C 0B jl short 7C935724
7C935719 385D FF cmp [ebp-1], bl
7C93571C 0F84 C2100000 je 7C9367E4
7C935722 33C0 xor eax, eax
7C935724 5B pop ebx ; ntdll.7C92E89A
7C935725 C9 leave
7C935726 C2 0800 retn 8
7C935729 90 nop
7C93572A 90 nop
7C93572B 90 nop
; DATA, not code: eight bytes at 7C93572C, referenced by "push 7C93572C" at
; 7C9356F7 as an argument to RtlFindCharInUnicodeString.
; Bytes 02 00 | 04 00 | 60 5B 93 7C read as word 0x0002, word 0x0004, dword
; 0x7C935B60, which is consistent with a counted-string descriptor (length 2,
; capacity 4, buffer pointer) for a one-character set; the target of the
; pointer is outside this listing.
; The mnemonics below are disassembler artifacts, and the final "jl" has
; swallowed the first padding byte (90) at 7C935734.
7C93572C 0200 add al, [eax]
7C93572E 04 00 add al, 0
7C935730 60 pushad
7C935731 5B pop ebx ; ntdll.7C92E89A
7C935732 93 xchg eax, ebx
7C935733 ^ 7C 90 jl short 7C9356C5
7C935735 90 nop
7C935736 90 nop
7C935737 90 nop
7C935738 90 nop
; ---------------------------------------------------------------------------
; Function at 7C935739: classifies the string in esi through 7C9347EA and
; branches on the result.
; Convention: non-standard. esi arrives in a register, plus two stack dwords
; (retn 8):
;   esi      = input string; NULL leaves through 7C9666FC
;   [ebp+C]  = optional descriptor; when supplied its dword at +4 (buffer
;              pointer in the counted-string layout) must be 0 on entry
;   [ebp+8]  is not read in the visible code
; Locals: [ebp-1] byte flag (0), [ebp-8] = 0, [ebp-C] = classification result.
; Results 1, 2 and 6 continue at 7C93712F (out of view); they are presumably
; path-type codes, to be confirmed against what 7C9347EA returns. Any other
; result returns 0 after releasing [ebp+C].
; NOTE(review): on that path [ebp+C] is passed to RtlFreeUnicodeString even
; when it was NULL at 7C935756; whether the callee tolerates NULL is not
; visible here.
; ---------------------------------------------------------------------------
7C935739 8BFF mov edi, edi
7C93573B 55 push ebp
7C93573C 8BEC mov ebp, esp
7C93573E 83EC 14 sub esp, 14
7C935741 53 push ebx
7C935742 33DB xor ebx, ebx
7C935744 3BF3 cmp esi, ebx
7C935746 57 push edi
7C935747 895D F8 mov [ebp-8], ebx
7C93574A 885D FF mov [ebp-1], bl
7C93574D 0F84 A90F0300 je 7C9666FC
; Requiring an empty output descriptor up front avoids overwriting (and
; leaking) a buffer the caller still owns.
7C935753 8B7D 0C mov edi, [ebp+C] ; RPCRT4.77E8F3B0
7C935756 3BFB cmp edi, ebx
7C935758 74 09 je short 7C935763
7C93575A 395F 04 cmp [edi+4], ebx
7C93575D 0F85 990F0300 jnz 7C9666FC
7C935763 56 push esi ; ntdll.ZwTerminateProcess
7C935764 E8 81F0FFFF call 7C9347EA
7C935769 83F8 06 cmp eax, 6
7C93576C 8945 F4 mov [ebp-C], eax
7C93576F 0F84 BA190000 je 7C93712F
7C935775 83F8 02 cmp eax, 2
7C935778 0F84 B1190000 je 7C93712F
7C93577E 83F8 01 cmp eax, 1
7C935781 0F84 A8190000 je 7C93712F
; Status to return = 0; the flag at [ebp-1] is still 0 here, so the
; descriptor is released.
7C935787 33FF xor edi, edi
7C935789 385D FF cmp [ebp-1], bl
7C93578C 75 08 jnz short 7C935796
7C93578E FF75 0C push dword ptr [ebp+C] ; RPCRT4.77E8F3B0
7C935791 E8 E0B1FFFF call RtlFreeUnicodeString
7C935796 8BC7 mov eax, edi
7C935798 5F pop edi ; ntdll.7C92E89A
7C935799 5B pop ebx ; ntdll.7C92E89A
7C93579A C9 leave
7C93579B C2 0800 retn 8
7C93579E 90 nop
7C93579F 90 nop
7C9357A0 90 nop
7C9357A1 90 nop
7C9357A2 90 nop
; ---------------------------------------------------------------------------
; Function at 7C9357A3 (ntdll, 32-bit x86). `retn 24` pops 0x24 bytes, i.e.
; nine stdcall dword arguments at [ebp+8] .. [ebp+28].
; The listing shows no symbol for this entry. The single-bit flag check, the
; activation-context lookup done by the callee at 7C935A6E and the UTF-16
; ".DLL" bytes stored at 7C935B54 resemble
; RtlDosApplyFileIsolationRedirection_Ustr -- TODO confirm against symbols.
;
; NOTE(review): the trailing "; module.symbol" notes on push/pop/mov lines
; appear to be the debugger's guess at the register's value when the dump was
; taken; they are not operands and say nothing about what the code does.
;
; Frame layout established by the visible stores:
;   [ebp-4]            copy of the global dword at 7C99C034; handed to
;                      7C930387 in ecx just before return. This matches the
;                      /GS stack-cookie pattern -- the body of 7C930387 is not
;                      shown, so confirm.
;   [ebp-24 .. ebp-4)  0x20-byte buffer, described by the header at [ebp-C8]
;                      (word 0, word 0x20, pointer). It sits directly below
;                      the cookie slot.
;   [ebp-A4 .. ebp-24) 0x80-byte buffer, described by the header at [ebp-120]
;                      (word 0, word 0x80, pointer).
;   [ebp-114]          8-byte header, all fields zero; passed to
;                      RtlFreeUnicodeString on the exit path.
;   [ebp-10C]          local copy of the 8 bytes at *arg2.
;   [ebp-FC .. ebp-C8) 0x34 bytes handed to 7C93565D / 7C935A6E and zeroed
;                      on the exit path.
; Returns the status left in esi (eax = esi before the epilogue).
; ---------------------------------------------------------------------------
7C9357A3 > 8BFF mov edi, edi ; 2-byte no-op at entry, preceded by five nop bytes (hot-patch layout)
7C9357A5 55 push ebp
7C9357A6 8BEC mov ebp, esp
7C9357A8 81EC 48010000 sub esp, 148
7C9357AE A1 34C0997C mov eax, [7C99C034] ; global stored at [ebp-4] below
7C9357B3 8B55 24 mov edx, [ebp+24] ; edx = arg8
7C9357B6 8B4D 28 mov ecx, [ebp+28] ; ecx = arg9
7C9357B9 8945 FC mov [ebp-4], eax ; cookie slot, directly above the local buffers
7C9357BC 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C9357BF 8985 C8FEFFFF mov [ebp-138], eax ; [ebp-138] = arg2
7C9357C5 8B45 10 mov eax, [ebp+10]
7C9357C8 8985 BCFEFFFF mov [ebp-144], eax ; [ebp-144] = arg3
7C9357CE 8B45 14 mov eax, [ebp+14]
7C9357D1 53 push ebx
7C9357D2 33DB xor ebx, ebx ; ebx = 0, used as the zero constant for the rest of the body
7C9357D4 8985 DCFEFFFF mov [ebp-124], eax ; [ebp-124] = arg4
7C9357DA 8B45 1C mov eax, [ebp+1C]
7C9357DD 56 push esi ; ntdll.ZwTerminateProcess
7C9357DE 8B75 18 mov esi, [ebp+18] ; trscd.00454965
7C9357E1 8985 D4FEFFFF mov [ebp-12C], eax ; [ebp-12C] = arg6
7C9357E7 8B45 20 mov eax, [ebp+20] ; trscd.00454AA4
; The flags of this compare (arg7 against 0) are consumed by the jnz at
; 7C935841; every instruction in between is push/lea/mov, none of which
; writes the flags.
7C9357EA 3BC3 cmp eax, ebx
7C9357EC 57 push edi
7C9357ED 8DBD 5CFFFFFF lea edi, [ebp-A4] ; edi = start of the 0x80-byte local buffer
7C9357F3 89B5 CCFEFFFF mov [ebp-134], esi ; ntdll.ZwTerminateProcess
7C9357F9 8985 D8FEFFFF mov [ebp-128], eax ; [ebp-128] = arg7
7C9357FF 8995 D0FEFFFF mov [ebp-130], edx ; msvcrt.77C31AE8
; Header at [ebp-114]: both words and the pointer are zero (empty string).
7C935805 66:899D ECFEFFF>mov [ebp-114], bx
7C93580C 66:899D EEFEFFF>mov [ebp-112], bx
7C935813 899D F0FEFFFF mov [ebp-110], ebx
; Header at [ebp-120]: word 0, word 0x80, pointer to [ebp-A4]. The 0x80
; matches the distance from ebp-A4 to ebp-24.
7C935819 66:899D E0FEFFF>mov [ebp-120], bx
7C935820 66:C785 E2FEFFF>mov word ptr [ebp-11E], 80
7C935829 89BD E4FEFFFF mov [ebp-11C], edi
7C93582F 899D C4FEFFFF mov [ebp-13C], ebx
7C935835 899D FCFEFFFF mov [ebp-104], ebx
7C93583B 899D E8FEFFFF mov [ebp-118], ebx
; arg7, arg8 or arg9 non-null: handled at out-of-line targets not shown here.
7C935841 0F85 0F130300 jnz 7C966B56
7C935847 3BD3 cmp edx, ebx
7C935849 0F85 68610100 jnz 7C94B9B7
7C93584F 3BCB cmp ecx, ebx
7C935851 0F85 67610100 jnz 7C94B9BE
; If arg5 is non-null, clear its pointer field and both word fields so the
; caller never sees stale contents on an early exit.
7C935857 3BF3 cmp esi, ebx
7C935859 74 0A je short 7C935865
7C93585B 895E 04 mov [esi+4], ebx
7C93585E 66:891E mov [esi], bx
7C935861 66:895E 02 mov [esi+2], bx
7C935865 8BBD DCFEFFFF mov edi, [ebp-124] ; ntdll.7C92E3ED
; push 20 / pop eax below loads eax = 0x20 (size of the buffer at [ebp-24]).
7C93586B 6A 20 push 20
7C93586D 8D45 DC lea eax, [ebp-24]
7C935870 8985 40FFFFFF mov [ebp-C0], eax
7C935876 58 pop eax ; ntdll.7C92E89A
7C935877 FFB5 D4FEFFFF push dword ptr [ebp-12C] ; ntdll.7C93094E
7C93587D 8D4D DC lea ecx, [ebp-24]
7C935880 8985 48FFFFFF mov [ebp-B8], eax
7C935886 8985 4CFFFFFF mov [ebp-B4], eax
7C93588C 66:8985 3AFFFFF>mov [ebp-C6], ax
7C935893 56 push esi ; ntdll.ZwTerminateProcess
7C935894 8D85 04FFFFFF lea eax, [ebp-FC]
7C93589A 898D 44FFFFFF mov [ebp-BC], ecx
7C9358A0 898D 3CFFFFFF mov [ebp-C4], ecx
7C9358A6 66:895D DC mov [ebp-24], bx ; NUL-terminate the empty 0x20-byte buffer
7C9358AA 66:899D 38FFFFF>mov [ebp-C8], bx
; Two stack arguments (arg6, then arg5). eax = &[ebp-FC] and edi = arg4 are
; live at the call -- presumably register arguments; callee not shown.
7C9358B1 E8 A7FDFFFF call 7C93565D
; Parameter validation. Only bit 0 of arg1 is accepted; arg2 must be
; non-null. Both failures share the target 7C966B9A (not shown -- presumably
; the invalid-parameter exit).
7C9358B6 F745 08 FEFFFFF>test dword ptr [ebp+8], FFFFFFFE
7C9358BD 0F85 D7120300 jnz 7C966B9A
7C9358C3 8B85 C8FEFFFF mov eax, [ebp-138] ; ntdll.7C9468AD
7C9358C9 3BC3 cmp eax, ebx
7C9358CB 0F84 C9120300 je 7C966B9A
; edi/esi are taken to still hold arg4/arg5 here, i.e. 7C93565D preserves
; them -- TODO confirm.
7C9358D1 3BFB cmp edi, ebx
7C9358D3 0F84 CA610100 je 7C94BAA3
7C9358D9 3BF3 cmp esi, ebx
7C9358DB 74 0C je short 7C9358E9
7C9358DD 399D D4FEFFFF cmp [ebp-12C], ebx ; arg5 supplied but arg6 null -> same rejection target
7C9358E3 0F84 B1120300 je 7C966B9A
; Copy the 8 bytes at *arg2 into [ebp-10C]/[ebp-108]; later calls receive a
; pointer to this local copy rather than to the caller's structure.
7C9358E9 8B08 mov ecx, [eax]
7C9358EB 8B40 04 mov eax, [eax+4]
7C9358EE 8BBD BCFEFFFF mov edi, [ebp-144]
7C9358F4 8985 F8FEFFFF mov [ebp-108], eax
7C9358FA 8D85 03FFFFFF lea eax, [ebp-FD]
7C935900 50 push eax
7C935901 8D85 38FFFFFF lea eax, [ebp-C8]
7C935907 50 push eax
7C935908 8DB5 F4FEFFFF lea esi, [ebp-10C]
7C93590E 898D F4FEFFFF mov [ebp-10C], ecx
; Stack args: &[ebp-C8] and the byte at [ebp-FD]; esi = &[ebp-10C] and
; edi = arg3 are loaded just before -- presumably register arguments.
7C935914 E8 B0FDFFFF call 7C9356C9
7C935919 8BF0 mov esi, eax ; esi carries the status from here on
7C93591B 3BF3 cmp esi, ebx
7C93591D 0F8C 99000000 jl 7C9359BC ; negative status -> common cleanup
7C935923 389D 03FFFFFF cmp [ebp-FD], bl
7C935929 0F85 F00E0000 jnz 7C93681F
7C93592F 8D85 ECFEFFFF lea eax, [ebp-114]
7C935935 50 push eax
7C935936 8D85 E0FEFFFF lea eax, [ebp-120]
7C93593C 50 push eax
7C93593D 8DB5 F4FEFFFF lea esi, [ebp-10C]
7C935943 E8 F1FDFFFF call 7C935739
7C935948 8BF0 mov esi, eax
7C93594A 3BF3 cmp esi, ebx
7C93594C 7C 6E jl short 7C9359BC
; Only when bit 0 of arg1 is set: fs:[18] is the TEB self pointer and
; [TEB+30] the PEB on 32-bit Windows. [PEB+10] is presumably
; ProcessParameters; byte +9 bit 0x10 is bit 0x1000 of the dword at +8.
; The meaning of that bit is not visible here -- TODO confirm.
7C93594E F645 08 01 test byte ptr [ebp+8], 1
7C935952 74 24 je short 7C935978
7C935954 64:A1 18000000 mov eax, fs:[18]
7C93595A 8B40 30 mov eax, [eax+30]
7C93595D 3958 10 cmp [eax+10], ebx
7C935960 74 16 je short 7C935978
7C935962 64:A1 18000000 mov eax, fs:[18]
7C935968 8B40 30 mov eax, [eax+30]
7C93596B 8B40 10 mov eax, [eax+10]
7C93596E F640 09 10 test byte ptr [eax+9], 10
7C935972 0F85 F2110300 jnz 7C966B6A
7C935978 F685 E8FEFFFF 0>test byte ptr [ebp-118], 1
7C93597F 0F85 E9990000 jnz 7C93F36E
7C935985 399D DCFEFFFF cmp [ebp-124], ebx
7C93598B 0F84 1F610100 je 7C94BAB0
; Call the helper at 7C935A6E: three stack arguments (0, &[ebp-13C], arg7)
; plus edx = &[ebp-10C]; esi = &[ebp-FC] is also loaded before the call.
7C935991 33C0 xor eax, eax
7C935993 FFB5 D8FEFFFF push dword ptr [ebp-128]
7C935999 8D8D C4FEFFFF lea ecx, [ebp-13C]
7C93599F 51 push ecx
7C9359A0 50 push eax
7C9359A1 8DB5 04FFFFFF lea esi, [ebp-FC]
7C9359A7 8D95 F4FEFFFF lea edx, [ebp-10C]
7C9359AD E8 BC000000 call 7C935A6E
7C9359B2 8BF0 mov esi, eax
7C9359B4 3BF3 cmp esi, ebx
7C9359B6 0F8D B2990000 jge 7C93F36E ; non-negative status continues out of line
; ---- common cleanup (7C9359BC) -------------------------------------------
; If the byte at [ebp-CC] is set: a non-null [ebp-F4] that differs from
; [ebp-F0] goes to 7C966C0D (not shown -- presumably releases a replacement
; buffer); otherwise the string at [ebp-F0] is truncated to empty.
7C9359BC 389D 34FFFFFF cmp [ebp-CC], bl
7C9359C2 74 23 je short 7C9359E7
7C9359C4 8B85 0CFFFFFF mov eax, [ebp-F4]
7C9359CA 3BC3 cmp eax, ebx
7C9359CC 74 0C je short 7C9359DA
7C9359CE 3B85 10FFFFFF cmp eax, [ebp-F0]
7C9359D4 0F85 33120300 jnz 7C966C0D
7C9359DA 8B85 10FFFFFF mov eax, [ebp-F0]
7C9359E0 3BC3 cmp eax, ebx
7C9359E2 74 03 je short 7C9359E7
7C9359E4 66:8918 mov [eax], bx
; Zero 0x0D dwords (0x34 bytes) starting at [ebp-FC].
7C9359E7 6A 0D push 0D
7C9359E9 59 pop ecx ; ntdll.7C92E89A
7C9359EA 33C0 xor eax, eax
7C9359EC 8DBD 04FFFFFF lea edi, [ebp-FC]
7C9359F2 F3:AB rep stos dword ptr es:[edi]
7C9359F4 8D85 ECFEFFFF lea eax, [ebp-114]
7C9359FA 50 push eax
7C9359FB E8 76AFFFFF call RtlFreeUnicodeString
; Reset the [ebp-C8] string state. A non-null [ebp-C0] that no longer equals
; the original stack buffer pointer in [ebp-BC] is handled at 7C95702D (not
; shown -- presumably a heap replacement that must be freed, never the stack
; buffer itself).
7C935A00 8B8D 40FFFFFF mov ecx, [ebp-C0]
7C935A06 3BCB cmp ecx, ebx
7C935A08 8B85 44FFFFFF mov eax, [ebp-BC]
7C935A0E 74 1A je short 7C935A2A
7C935A10 3BC8 cmp ecx, eax
7C935A12 0F85 15160200 jnz 7C95702D
7C935A18 8B8D 4CFFFFFF mov ecx, [ebp-B4]
7C935A1E 8985 40FFFFFF mov [ebp-C0], eax
7C935A24 898D 48FFFFFF mov [ebp-B8], ecx
7C935A2A 3BC3 cmp eax, ebx
7C935A2C 8985 3CFFFFFF mov [ebp-C4], eax
7C935A32 74 03 je short 7C935A37
7C935A34 66:8918 mov [eax], bx
; 0xC0150001 is STATUS_SXS_SECTION_NOT_FOUND. The flags of this compare
; survive the three mov instructions and feed the je at 7C935A52.
7C935A37 81FE 010015C0 cmp esi, C0150001
7C935A3D 66:8B85 4CFFFFF>mov ax, [ebp-B4]
7C935A44 66:899D 38FFFFF>mov [ebp-C8], bx
7C935A4B 66:8985 3AFFFFF>mov [ebp-C6], ax
7C935A52 0F84 CC110300 je 7C966C24
; Epilogue: the saved value from [ebp-4] goes to 7C930387 in ecx before the
; frame is torn down, and eax already holds the status. This looks like the
; /GS cookie check: an overflow of the 0x20- or 0x80-byte stack buffers
; would have to cross [ebp-4] to reach the saved ebp and return address.
7C935A58 8B4D FC mov ecx, [ebp-4]
7C935A5B 5F pop edi ; ntdll.7C92E89A
7C935A5C 8BC6 mov eax, esi ; ntdll.ZwTerminateProcess
7C935A5E 5E pop esi ; ntdll.7C92E89A
7C935A5F 5B pop ebx ; ntdll.7C92E89A
7C935A60 E8 22A9FFFF call 7C930387
7C935A65 C9 leave
7C935A66 C2 2400 retn 24
7C935A69 90 nop
7C935A6A 90 nop
7C935A6B 90 nop
7C935A6C 90 nop
7C935A6D 90 nop
; ---------------------------------------------------------------------------
; Helper at 7C935A6E (ntdll, 32-bit x86), called from 7C9359AD.
; `retn 0C` pops three stack arguments ([ebp+8], [ebp+C], [ebp+10]); edx is
; also read on entry as a pointer to an 8-byte structure, so this is not a
; plain stdcall interface. The caller loads esi as well, but esi is not
; touched on the path visible here.
; Visible behaviour: builds a 0x40-byte block at [ebp-A0] whose first dword
; is 0x40, copies the 8 bytes at [edx] to [ebp-3C], and calls
; RtlFindActivationContextSectionString (name truncated in the dump) with
; (3, 0, 2, &[ebp-3C], &[ebp-A0]). Returns that call's status in eax on the
; path shown; the success path continues at 7C93EC87, outside this view.
; [ebp-4] holds a copy of the global at 7C99C034 that is passed to 7C930387
; before return (stack-cookie pattern -- confirm; 7C930387 is not shown).
; [ebp-8] is a 2-byte buffer described by the header at [ebp-28].
; NOTE(review): trailing "; module.symbol" notes appear to be the debugger's
; guess at register values at capture time, not operands.
; ---------------------------------------------------------------------------
7C935A6E 8BFF mov edi, edi
7C935A70 55 push ebp
7C935A71 8BEC mov ebp, esp
7C935A73 81EC A0000000 sub esp, 0A0
7C935A79 A1 34C0997C mov eax, [7C99C034]
7C935A7E 53 push ebx
7C935A7F 57 push edi
7C935A80 8945 FC mov [ebp-4], eax ; cookie slot
7C935A83 8B45 0C mov eax, [ebp+C] ; RPCRT4.77E8F3B0
7C935A86 8945 BC mov [ebp-44], eax ; [ebp-44] = second stack argument
7C935A89 8B45 10 mov eax, [ebp+10]
; push 0F / pop ecx loads the count for the rep stos below.
7C935A8C 6A 0F push 0F
7C935A8E 59 pop ecx ; ntdll.7C92E89A
7C935A8F 8945 A8 mov [ebp-58], eax ; [ebp-58] = third stack argument
7C935A92 33C0 xor eax, eax
; First dword of the block = 0x40, then 0x0F dwords (0x3C bytes) of zero:
; a 0x40-byte structure that starts with its own size. Presumably the
; returned-data structure for the section lookup -- layout not shown here.
7C935A94 C785 60FFFFFF 4>mov dword ptr [ebp-A0], 40
7C935A9E 8DBD 64FFFFFF lea edi, [ebp-9C]
7C935AA4 F3:AB rep stos dword ptr es:[edi]
; Local copy of the 8 bytes the caller passed by pointer in edx.
7C935AA6 8B02 mov eax, [edx] ; ntdll.7C99C8E0
7C935AA8 8945 C4 mov [ebp-3C], eax
7C935AAB 8B42 04 mov eax, [edx+4]
7C935AAE 6A 02 push 2
7C935AB0 8945 C8 mov [ebp-38], eax
7C935AB3 8D55 F8 lea edx, [ebp-8]
7C935AB6 8D45 F8 lea eax, [ebp-8]
7C935AB9 8955 E4 mov [ebp-1C], edx ; msvcrt.77C31AE8
7C935ABC 8955 DC mov [ebp-24], edx ; msvcrt.77C31AE8
7C935ABF 8945 E0 mov [ebp-20], eax
7C935AC2 58 pop eax ; ntdll.7C92E89A
; Arguments are pushed right to left: &[ebp-A0], &[ebp-3C], 2, 0, 3.
7C935AC3 8D95 60FFFFFF lea edx, [ebp-A0]
7C935AC9 52 push edx ; msvcrt.77C31AE8
7C935ACA 33C9 xor ecx, ecx
7C935ACC 8D55 C4 lea edx, [ebp-3C]
7C935ACF 52 push edx ; msvcrt.77C31AE8
7C935AD0 50 push eax
7C935AD1 51 push ecx
7C935AD2 6A 03 push 3
; Finish the string header at [ebp-28] (word 0, word 2, pointer to [ebp-8])
; and its bookkeeping copies while the arguments are already on the stack.
7C935AD4 894D C0 mov [ebp-40], ecx
7C935AD7 894D D0 mov [ebp-30], ecx
7C935ADA 8945 E8 mov [ebp-18], eax
7C935ADD 8945 EC mov [ebp-14], eax
7C935AE0 66:894D F8 mov [ebp-8], cx
7C935AE4 66:894D D8 mov [ebp-28], cx
7C935AE8 66:8945 DA mov [ebp-26], ax
7C935AEC E8 28F8FFFF call RtlFindActivationContextSectionS>
7C935AF1 8BD8 mov ebx, eax ; ebx carries the status to the epilogue
7C935AF3 85DB test ebx, ebx
7C935AF5 0F8D 8C910000 jge 7C93EC87 ; non-negative status: handled out of line
; 0xC0150001 is STATUS_SXS_SECTION_NOT_FOUND; it gets its own target.
7C935AFB 81FB 010015C0 cmp ebx, C0150001
7C935B01 0F84 86500100 je 7C94AB8D
; Failure cleanup: a non-null [ebp-20] that differs from the original stack
; buffer pointer in [ebp-1C] is handled at 7C966779 (not shown -- presumably
; a replacement buffer to release); otherwise the header is reset in place.
7C935B07 8B4D E0 mov ecx, [ebp-20]
7C935B0A 85C9 test ecx, ecx
7C935B0C 8B45 E4 mov eax, [ebp-1C]
7C935B0F 74 11 je short 7C935B22
7C935B11 3BC8 cmp ecx, eax
7C935B13 0F85 600C0300 jnz 7C966779
7C935B19 8B4D EC mov ecx, [ebp-14]
7C935B1C 8945 E0 mov [ebp-20], eax
7C935B1F 894D E8 mov [ebp-18], ecx
7C935B22 33C9 xor ecx, ecx
7C935B24 3BC1 cmp eax, ecx
7C935B26 8945 DC mov [ebp-24], eax
7C935B29 74 03 je short 7C935B2E
7C935B2B 66:8908 mov [eax], cx
; The flags of this compare survive the three mov instructions and feed the
; jnz at 7C935B3D.
7C935B2E 394D C0 cmp [ebp-40], ecx
7C935B31 66:8B45 EC mov ax, [ebp-14]
7C935B35 66:894D D8 mov [ebp-28], cx
7C935B39 66:8945 DA mov [ebp-26], ax
7C935B3D 0F85 8BA90000 jnz 7C9404CE
; Epilogue: the saved value from [ebp-4] goes to 7C930387 in ecx, with the
; status already in eax.
7C935B43 8B4D FC mov ecx, [ebp-4]
7C935B46 5F pop edi ; ntdll.7C92E89A
7C935B47 8BC3 mov eax, ebx
7C935B49 5B pop ebx ; ntdll.7C92E89A
7C935B4A E8 38A8FFFF call 7C930387
7C935B4F C9 leave
7C935B50 C2 0C00 retn 0C
; NOTE(review): the `add` instructions below are data that the disassembler
; decoded as code; nothing on the visible paths falls through into them
; (the previous function ends with `retn 0C`).
; Reading the byte column from 7C935B54 onward:
;   2E 00 44 00 4C 00 4C 00 00 00   UTF-16LE ".DLL" plus terminator
;   90 90                           padding
;   2E 00 00 00                     UTF-16LE "." plus terminator (at 7C935B60)
;   90 90 90 90 90                  padding up to the next entry at 7C935B69
; Which code references these constants is not visible in this chunk.
7C935B53 90 nop
7C935B54 2E:004400 4C add cs:[eax+eax+4C], al
7C935B59 004C00 00 add [eax+eax], cl
7C935B5D 0090 902E0000 add [eax+2E90], dl
7C935B63 0090 90909090 add [eax+90909090], dl
7C935B69 > 8BFF mov edi, edi
7C935B6B 55 push ebp
7C935B6C 8BEC mov ebp, esp
7C935B6E 83EC 64 sub esp, 64
7C935B71 A1 34C0997C mov eax, [7C99C034]
7C935B76 53 push ebx
7C935B77 8B5D 0C mov ebx, [ebp+C] ; RPCRT4.77E8F3B0
7C935B7A 56 push esi ; ntdll.ZwTerminateProcess
7C935B7B 8B75 10 mov esi, [ebp+10]
7C935B7E 8945 FC mov [ebp-4], eax
7C935B81 8B45 14 mov eax, [ebp+14]
7C935B84 57 push edi
7C935B85 33FF xor edi, edi
7C935B87 3BC7 cmp eax, edi
7C935B89 8945 A4 mov [ebp-5C], eax
7C935B8C 74 03 je short 7C935B91
7C935B8E 66:8938 mov [eax], di
7C935B91 F745 08 F8FFFFF>test dword ptr [ebp+8], FFFFFFF8
7C935B98 0F85 B60C0000 jnz 7C936854
7C935B9E 3BC7 cmp eax, edi
7C935BA0 0F84 AE0C0000 je 7C936854
7C935BA6 53 push ebx
7C935BA7 57 push edi
7C935BA8 E8 C5000000 call RtlValidateUnicodeString
7C935BAD 3BC7 cmp eax, edi
7C935BAF 0F8C A9000000 jl 7C935C5E
7C935BB5 56 push esi ; ntdll.ZwTerminateProcess
7C935BB6 57 push edi
7C935BB7 E8 B6000000 call RtlValidateUnicodeString
7C935BBC 3BC7 cmp eax, edi
7C935BBE 0F8C 9A000000 jl 7C935C5E
7C935BC4 66:8B3E mov di, [esi]
7C935BC7 8B56 04 mov edx, [esi+4]
7C935BCA 8B4D 08 mov ecx, [ebp+8]
7C935BCD 33C0 xor eax, eax
7C935BCF 66:8B03 mov ax, [ebx]
7C935BD2 33F6 xor esi, esi ; ntdll.ZwTerminateProcess
7C935BD4 46 inc esi ; ntdll.ZwTerminateProcess
7C935BD5 66:D1EF shr di, 1
7C935BD8 8955 AC mov [ebp-54], edx ; msvcrt.77C31AE8
7C935BDB 8945 A0 mov [ebp-60], eax
7C935BDE 66:D1E8 shr ax, 1
7C935BE1 23CE and ecx, esi ; ntdll.ZwTerminateProcess
7C935BE3 894D 9C mov [ebp-64], ecx
7C935BE6 8945 B8 mov [ebp-48], eax
7C935BE9 0F84 570C0000 je 7C936846
7C935BEF 8B5B 04 mov ebx, [ebx+4]
7C935BF2 0FB7F0 movzx esi, ax
7C935BF5 83C9 FF or ecx, FFFFFFFF
7C935BF8 894D B0 mov [ebp-50], ecx
7C935BFB 8D7473 FE lea esi, [ebx+esi*2-2]
7C935BFF 8B5D 08 mov ebx, [ebp+8]
7C935C02 F6C3 04 test bl, 4
7C935C05 0F85 AF4F0300 jnz 7C96ABBA
7C935C0B 66:83FF 01 cmp di, 1
7C935C0F 0F85 7F730000 jnz 7C93CF94
7C935C15 F6C3 02 test bl, 2
7C935C18 66:8B3A mov di, [edx]
7C935C1B 0F85 D9500300 jnz 7C96ACFA
7C935C21 66:85C0 test ax, ax
7C935C24 0F84 120C0000 je 7C93683C
7C935C2A 66:393E cmp [esi], di
7C935C2D 74 0D je short 7C935C3C
7C935C2F 05 FFFF0000 add eax, 0FFFF
7C935C34 66:85C0 test ax, ax
7C935C37 8D344E lea esi, [esi+ecx*2]
7C935C3A ^ 75 EE jnz short 7C935C2A
7C935C3C 66:85C0 test ax, ax
7C935C3F 0F84 F70B0000 je 7C93683C
7C935C45 05 FFFF0000 add eax, 0FFFF
7C935C4A 03C0 add eax, eax
7C935C4C 837D 9C 00 cmp dword ptr [ebp-64], 0
7C935C50 0F84 EF500300 je 7C96AD45
7C935C56 8B4D A4 mov ecx, [ebp-5C]
7C935C59 66:8901 mov [ecx], ax
7C935C5C 33C0 xor eax, eax
7C935C5E 8B4D FC mov ecx, [ebp-4]
7C935C61 5F pop edi ; ntdll.7C92E89A
7C935C62 5E pop esi ; ntdll.7C92E89A
7C935C63 5B pop ebx ; ntdll.7C92E89A