pseudocode for basesrv::ServerDllInitialization() generated by radare2's built-in decompiler
function sym.BASESRV.dll_ServerDllInitialization () {
// 92 basic blocks
//
// Radare2 pseudocode of basesrv!ServerDllInitialization (x64, Microsoft x64 ABI:
// arguments in rcx/rdx/r8/r9, 5th+ on the stack).
// The single argument (rcx, kept in rbx) is a structure the function fills in
// (+0x20..+0x50 below). The function then creates two tagged heaps, builds the
// per-session object-directory names, copies the resulting strings into the
// shared heap behind BaseSrvpStaticServerData, and reads CSDVersion from the
// registry.
// The argument tuples radare prints after each call ("(0x0, 0xc0, 0x0, ...)")
// and the "likely"/"unlikely" hints are decompiler annotations, not recovered
// values; the register assignments immediately before each call are the real
// arguments. Targets 0x180002323, 0x180004d16 and loc_0x18000187c are outside
// this listing.
loc_0x180001680:
push rbp
push rbx
push rsi
push r12
push r15
rbp = rsp - 0xde0
rsp -= 0xee0
// /GS stack cookie: __security_cookie ^ rsp is kept at var_dd0h and verified by
// __security_check_cookie in the epilogue (loc_0x18000233d) before any return.
rax = qword [pdb.__security_cookie] //[0x180010050:8]=0x2b992ddfa232 ; "2\xa2\xdf-\x99+"
rax ^= rsp
qword [var_dd0h] = rax
eax = 0
dword [var_68h] = 4
qword [var_30h] = rax
r12d = 0
qword [var_28h] = rax
rbx = rcx //arg1
// gs:[0x60] is the PEB pointer in the x64 TEB; the dword at PEB+0x2c0 is stored
// as SessionId (offset matches PEB.SessionId on x64 — confirm against the
// target's PEB layout).
rax = qword gs:[0x60]
esi = 0xc0 //192
dword [var_6ch] = 0x100002
r15d = r12d
dword [var_70h] = 8
qword [var_74h] = 0x100004
ecx = dword [rax + 0x2c0]
dword [pdb.SessionId] = ecx //[0x180010958:4]=0
qword [var_8h] = r12
qword [var_38h] = r12
qword [ ; [0x18000cd90:8]=0xee64 reloc.ntdll.dll_RtlGetCurrentServiceSessionId ; "d\xee" ; reloc.ntdll.dll_RtlGetCurrentService
.__imp_RtlGetCurrentServiceSessionId(0x0, 0xc0, 0x0, 0xffffffff)
// ServiceSessionId = RtlGetCurrentServiceSessionId(); esi becomes 0xd0 when it
// equals SessionId ("var" is the compare, "if (!var)" is a cmov on ZF), else it
// stays 0xc0. The consumer of esi is not in this listing.
var = dword [pdb.SessionId] - eax //[0x180010958:4]=-1
ecx = 0xd0 //208
dword [pdb.ServiceSessionId] = eax //[0x180010a50:4]=0
r9 = rip + pdb.___C__1CC_HBLFFKMG___AAT__AAM__AAP__AA__AA__AAV__AAD__AAM__AA__AA__AAS__AAX__AAS__AA__AA__AAA__AAP__AAP__AA__AA__AA__AA //0x18000d198 ; u"TMP"
rax = qword gs:[0x60]
r8 = rip + str.BASESRV //pdb.___C__1BC_NDHIIINN___AAB__AAA__AAS__AAE__AAS__AAR__AAV__AA__CB__AA__AA
//0x18000d180 ; u"BASESRV!"
if (!var) esi = ecx
edx = 0
// BaseSrvHeap = PEB+0x30 (the process heap on x64 — confirm against the PEB
// layout); BaseSrvTag = RtlCreateTagHeap(BaseSrvHeap, 0, u"BASESRV!", u"TMP").
rcx = qword [rax + 0x30]
qword [pdb.BaseSrvHeap] = rcx //[0x180010908:8]=0
qword [ ; [0x18000cd88:8]=0xee84 reloc.ntdll.dll_RtlCreateTagHeap ; reloc.ntdll.dll_RtlCrea
.__imp_RtlCreateTagHeap(0x0, 0xd0, 0x0, 0xffffffffffffffff)
// BaseSrvSharedHeap = arg1+0x60;
// BaseSrvSharedTag = RtlCreateTagHeap(BaseSrvSharedHeap, 0, u"BASESHR!", u"INIT").
rcx = qword [rbx + 0x60]
r9 = rip + str.INIT //pdb.___C__1BE_CFIDFAMK___AAI__AAN__AAI__AAT__AA__AA__AAI__AAN__AAI__AA__AA__AA__AA
//0x18000d168 ; u"INIT"
r8 = rip + str.BASESHR //pdb.___C__1BC_KFJCOHCI___AAB__AAA__AAS__AAE__AAS__AAH__AAR__AA__CB__AA__AA
//0x18000d150 ; u"BASESHR!"
qword [pdb.BaseSrvSharedHeap] = rcx //[0x180010918:8]=0
edx = 0
dword [pdb.BaseSrvTag] = eax //[0x180010910:4]=0
qword [ ; [0x18000cd88:8]=0xee84 reloc.ntdll.dll_RtlCreateTagHeap ; reloc.ntdll.dll_RtlCrea
.__imp_RtlCreateTagHeap(0x0, 0xd0, 0x0, 0xffffffffffffffff)
// Populate the caller's structure (arg1): +0x20 = 0, +0x24 = 0x1d, +0x40 = 8,
// +0x28 = BaseServerApiDispatchTable, +0x30 = BaseServerApiServerValidTable,
// +0x48 = BaseClientConnectRoutine, +0x50 = BaseClientDisconnectRoutine.
// (0x1d presumably counts the dispatch-table entries — not verifiable here.)
rcx = rip + pdb.BaseSrvDosDeviceCritSec //0x1800109a0
dword [rbx + 0x20] = r12d
dword [pdb.BaseSrvSharedTag] = eax //[0x180010920:4]=0
rax = rip + pdb.BaseServerApiDispatchTable //0x18000c1f0
qword [rbx + 0x28] = rax
rax = rip + pdb.BaseServerApiServerValidTable //0x18000d130
qword [rbx + 0x30] = rax
rax = rip + pdb.BaseClientConnectRoutine //0x180003eb0 ; "A\x838\bu\x17H\x8b\x02H\x8b\x89\x90"
qword [rbx + 0x48] = rax
rax = rip + pdb.BaseClientDisconnectRoutine //0x180003cf0 ; "@SH\x83\xec H\x8b\xd9H\x8d\r\x80\xc9"
qword [rbx + 0x50] = rax
dword [rbx + 0x24] = 0x1d //[0x1d:4]=0xffffff ; 29
dword [rbx + 0x40] = 8
// RtlInitializeCriticalSection(&BaseSrvDosDeviceCritSec). A negative NTSTATUS
// (js) goes straight to the epilogue and is returned in eax; nothing allocated
// so far needs cleanup at this point.
qword [ ; [0x18000cd80:8]=0xee98 reloc.ntdll.dll_RtlInitializeCriticalSection ; reloc.ntdll.dll_RtlInitializeCritic
.__imp_RtlInitializeCriticalSection(0x0, 0xd0, 0x0, 0x1800109a0)
var = eax & eax
js 0x18000233d //likely
{
loc_0x18000233d:
//CODE XREF from sym.BASESRV.dll_ServerDllInitialization @ 0x1800017b8
// Epilogue: cookie check, then restore the callee-saved registers pushed in
// the prologue. rdi/r13/r14 saved at var_f18h..var_f28h below are restored
// elsewhere (the early-return path never touches them).
rcx = qword [var_dd0h]
rcx ^= rsp //uint32_t arg1
pdb.__security_check_cookie () //pdb.__security_check_cookie(0x0)
rsp += 0xee0
pop r15
pop r12
pop rsi
pop rbx
return
loc_0x1800017be:
// Spill the remaining callee-saved registers (rdi, r13, r14) now that the
// function is committed to the long path.
qword [var_f18h] = rdi
rax = var_80h
qword [var_f20h] = r13
r8 = var_20h
qword [var_f28h] = r14
// RtlExpandEnvironmentStrings_U(NULL, &UnexpandedSystemRootString, &var_20h, NULL)
// var_20h is a UNICODE_STRING header: Length 0, MaximumLength 0x320 (800 bytes),
// Buffer var_80h (0x190 WCHARs). If the expanded Length (low word of var_20h)
// is >= 0x320 the buffer was too small -> STATUS_NO_MEMORY exit (0x180004f72).
rdx = rip + pdb.UnexpandedSystemRootString //0x18000c1e0
r9d = 0
qword [var_28h_2] = rax
ecx = 0
dword [var_20h] = 0x3200000
r14d = 0x320 //800
qword [ ; [0x18000cd78:8]=0xeeb8 reloc.ntdll.dll_RtlExpandEnvironmentStrings_U ; "L#" ; reloc.ntdll.dll_RtlExpandEnviron
.__imp_RtlExpandEnvironmentStrings_U(0x0, 0x0, 0x18000c1e0, 0x0)
eax = word [var_20h]
var = ax - r14w
jae 0x180004f72 //unlikely
}
return;
loc_0x180001812:
// Length with bit 0 cleared is the byte index of the terminator slot. The
// compiler-emitted bounds check (__report_rangecheckfailure + int3) aborts if
// the index is >= 0x320, i.e. outside var_80h; otherwise a zero WCHAR (r12w)
// is written there.
eax = ax
rax &= 0xfffffffffffffffe
var = rax - r14
jae 0x1800023ec //likely
{
loc_0x1800023ec:
//CODE XREF from sym.BASESRV.dll_ServerDllInitialization @ 0x18000181c
pdb.__report_rangecheckfailure ()
int3
loc_0x180001822:
rdx = var_80h
word [rbp + rax + 0x80] = r12w
// BaseSrvWindowsDirectory = RtlCreateUnicodeString(copy of var_80h);
// FALSE (al == 0) -> STATUS_NO_MEMORY exit.
rcx = rip + pdb.BaseSrvWindowsDirectory //0x180010930
qword [ ; [0x18000cd70:8]=0xeed8 reloc.ntdll.dll_RtlCreateUnicodeString ; reloc.ntdll.dll_RtlCreate
.__imp_RtlCreateUnicodeString(0x0, 0x0, 0x178080, 0x180010930)
var = al & al
if (!var) goto 0x180004f72 //likely
}
return;
loc_0x180001847:
// wcscat_s(var_80h, 0x190 /* WCHARs */, u"\system32"), then
// BaseSrvWindowsSystemDirectory = RtlCreateUnicodeString(var_80h).
// The 0x190 capacity matches the 0x320-byte MaximumLength used above.
r8 = rip + str.system32 //pdb.___C__1BE_MCHPLFCF___AA_2__AAs__AAy__AAs__AAt__AAe__AAm__AA3__AA2__AA__AA
//0x18000d118 ; u"\system32"
edx = 0x190 //400
rcx = var_80h
qword [ ; [0x18000cd68:8]=0xeef2 reloc.ntdll.dll_wcscat_s ; reloc.ntdll.dll
.__imp_wcscat_s(0x0, 0x0, 0x190, 0x178080)
rdx = var_80h
rcx = rip + pdb.BaseSrvWindowsSystemDirectory //0x180010940
qword [ ; [0x18000cd70:8]=0xeed8 reloc.ntdll.dll_RtlCreateUnicodeString ; reloc.ntdll.dll_RtlCreateUnic
.__imp_RtlCreateUnicodeString(0x0, 0x0, 0x178080, 0x180010940)
var = al & al
if (!var) goto 0x180004f72 //likely
{
loc_0x180004f72:
//XREFS: CODE 0x18000180c CODE 0x180001841 CODE 0x180001876
//XREFS: CODE 0x18000195b CODE 0x1800019d1 CODE 0x180001a22
//XREFS: CODE 0x180001a8b CODE 0x180001ae9 CODE 0x180001b50
//XREFS: CODE 0x180001d17 CODE 0x180001d54 CODE 0x180004df2
// Shared failure exit: ebx = 0xc0000017 (STATUS_NO_MEMORY). Callers that
// already hold an NTSTATUS in ebx enter at loc_0x180004f77 instead.
// Only the critical section is torn down here; the heap blocks allocated
// below are not freed on this path (whether 0x180002323 frees them cannot
// be seen in this listing).
ebx = 0xc0000017
do
{
loc_0x180004f77:
//XREFS(24)
rcx = rip + pdb.BaseSrvDosDeviceCritSec //0x1800109a0
qword [ ; [0x18000cb18:8]=0xf11e reloc.ntdll.dll_RtlDeleteCriticalSection ; reloc.ntdll.dll_RtlDele
.__imp_RtlDeleteCriticalSection(0x0, 0x0, 0x0, 0x1800109a0)
goto 0x180002323
} while (?);
} while (?);
}
return;
goto loc_0x18000187c
loc_0x18000189a:
// swprintf_s(<buffer>, <count>, u"%ws\%ld\BaseNamedObjects", u"\Sessions", <id>)
// The 5th argument goes on the stack in the slot radare labels ReturnLength;
// rcx/rdx and eax are set in loc_0x18000187c, which is not in this listing.
r9 = rip + str.Sessions //pdb.___C__1BE_GBAFMKEO___AA_2__AAS__AAe__AAs__AAs__AAi__AAo__AAn__AAs__AA__AA
//0x18000cee0 ; u"\Sessions"
dword [ReturnLength] = eax
r8 = rip + str.ws___ld__BaseNamedObjects //pdb.___C__1DC_BGGFLPH___AA__CF__AAw__AAs__AA_2__AA__CF__AAl__AAd__AA_2__AAB__AAa__AAs__AAe__AAN__AAa__AAm__AAe__AAd__AAO__AAb__AAj__AAe__AAc__AAt__AAs__AA__AA
//0x18000cef8 ; u"%ws\%ld\BaseNamedObjects"
qword [ ; [0x18000ca60:8]=0xef0a reloc.ntdll.dll_swprintf_s ; "\n\xef" ; reloc.ntdll.dll_s
.__imp_swprintf_s(0x0, 0x0, 0x0, 0x0)
do
{
loc_0x1800018b2:
//CODE XREF from sym.BASESRV.dll_ServerDllInitialization @ 0x180002377
// var_7a0h = swprintf_s(buf, 0x100, u"%ws\%ld\AppContainerNamedObjects", u"\Sessions", SessionId)
// var_5a0h = RtlStringCchPrintfW(buf, 0x100, u"%ws\%ld\BaseNamedObjects", u"\Sessions", SessionId)
// Both destination buffers are 0x100 WCHARs; SessionId is passed via the
// stack slot radare labels ReturnLength.
eax = dword [pdb.SessionId] //[0x180010958:4]=-1
r9 = rip + str.Sessions //pdb.___C__1BE_GBAFMKEO___AA_2__AAS__AAe__AAs__AAs__AAi__AAo__AAn__AAs__AA__AA
//0x18000cee0 ; u"\Sessions"
r8 = rip + str.ws___ld__AppContainerNamedObjects //pdb.___C__1EC_NJAKGLLG___AA__CF__AAw__AAs__AA_2__AA__CF__AAl__AAd__AA_2__AAA__AAp__AAp__AAC__AAo__AAn__AAt__AAa__AAi__AAn__AAe__AAr__AAN__AAa__AAm__AAe__AAd__AAO__AAb__AAj__AAe__AAc__AAt__AAs
//0x18000d0d0 ; u"%ws\%ld\AppContainerNamedObjects"
dword [ReturnLength] = eax
edx = 0x100 //256
rcx = var_7a0h
qword [ ; [0x18000ca60:8]=0xef0a reloc.ntdll.dll_swprintf_s ; "\n\xef" ; reloc.ntdll.d
.__imp_swprintf_s(0x0, 0x0, 0x100, 0x1787a0)
eax = dword [pdb.SessionId] //[0x180010958:4]=-1
r9 = rip + str.Sessions //pdb.___C__1BE_GBAFMKEO___AA_2__AAS__AAe__AAs__AAs__AAi__AAo__AAn__AAs__AA__AA
//0x18000cee0 ; u"\Sessions" ; int64_t arg4
r8 = rip + str.ws___ld__BaseNamedObjects //pdb.___C__1DC_BGGFLPH___AA__CF__AAw__AAs__AA_2__AA__CF__AAl__AAd__AA_2__AAB__AAa__AAs__AAe__AAN__AAa__AAm__AAe__AAd__AAO__AAb__AAj__AAe__AAc__AAt__AAs__AA__AA
//0x18000cef8 ; u"%ws\%ld\BaseNamedObjects" ; int64_t arg3
dword [ReturnLength] = eax
edx = 0x100 //256 ; int64_t arg2
rcx = var_5a0h //int64_t arg1
pdb.RtlStringCchPrintfW () //pdb.RtlStringCchPrintfW(0x0, 0x0, 0x100, 0x1785a0)
// Wrap the three formatted buffers in UNICODE_STRINGs:
// DestinationString <- SourceString (radare-named locals, filled outside
// this listing), var_30h <- var_5a0h, var_20h_2 <- var_7a0h.
rdx = SourceString //PCWSTR SourceString
rcx = DestinationString //PUNICODE_STRING DestinationString
qword [ ; [0x18000cd98:8]=0xee4c reloc.ntdll.dll_RtlInitUnicodeString ; "L\xee" ; reloc.ntdll.dll_RtlInit
.__imp_RtlInitUnicodeString(0x0, 0x0, 0x1783a0, 0x177f98)
rdx = var_5a0h //PCWSTR SourceString
rcx = var_30h //PUNICODE_STRING DestinationString
qword [ ; [0x18000cd98:8]=0xee4c reloc.ntdll.dll_RtlInitUnicodeString ; "L\xee" ; reloc.ntdll.dll_RtlInit
.__imp_RtlInitUnicodeString(0x0, 0x0, 0x1785a0, 0x177fd0)
rdx = var_7a0h //PCWSTR SourceString
rcx = var_20h_2 //PUNICODE_STRING DestinationString
qword [ ; [0x18000cd98:8]=0xee4c reloc.ntdll.dll_RtlInitUnicodeString ; "L\xee" ; reloc.ntdll.dll_RtlInit
.__imp_RtlInitUnicodeString(0x0, 0x0, 0x1787a0, 0x177fe0)
// BaseSrvpStaticServerData = RtlAllocateHeap(BaseSrvSharedHeap, BaseSrvSharedTag, 0xb68)
// (the tag is passed in the Flags argument); NULL -> STATUS_NO_MEMORY exit.
edx = dword [pdb.BaseSrvSharedTag] //[0x180010920:4]=-1
r8d = 0xb68 //2920
rcx = qword [pdb.BaseSrvSharedHeap] //[0x180010918:8]=-1
qword [ ; [0x18000ca70:8]=0xef26 reloc.ntdll.dll_RtlAllocateHeap ; "&\xef" ; reloc.ntdll.dll_Rt
.__imp_RtlAllocateHeap(0x0, 0x0, 0xffffffff, 0xffffffffffffffff)
qword [pdb.BaseSrvpStaticServerData] = rax //[0x180010950:8]=0
var = rax & rax
if (!var) goto 0x180004f72 //unlikely
} while (?);
return;
loc_0x180001961:
// Publish the block through arg1+0x60 and initialise a few fields
// (+0xb30 = -1, +0xb38 = 0, +0xb50 = self pointer), then
// NtQuerySystemInformation(3, StaticServerData + 0x140, 0x30, NULL).
// Class 3 is SystemTimeOfDayInformation and 0x30 matches
// sizeof(SYSTEM_TIMEOFDAY_INFORMATION) — confirm against the SDK headers.
// The NTSTATUS is kept in ebx; negative -> loc_0x180004f77.
qword [rbx + 0x60] = rax
rdx = rax + 0x140 //PVOID SystemInformation
r9d = 0 //PULONG ReturnLength
qword [rax + 0xb50] = rax
dword [rax + 0xb30] = 0xffffffff //[0xffffffff:4]=-1 ; -1
dword [rax + 0xb38] = r12d
ecx = r9 + 3
r8d = r9 + 0x30
qword [ ; [0x18000ca78:8]=0xef38 reloc.ntdll.dll_NtQuerySystemInformation ; "8\xef" ; reloc.ntdll.dll_NtQuerySystemIn
.__imp_NtQuerySystemInformation(0x0, 0x0, 0x140, 0x3)
ebx = eax
var = eax & eax
js 0x180004f77 //unlikely
loc_0x18000199f:
// Relocate five UNICODE_STRINGs into the shared heap. Pattern for each:
//   1. copy the 16-byte UNICODE_STRING header into StaticServerData+off
//   2. RtlAllocateHeap(BaseSrvSharedHeap, BaseSrvSharedTag, MaximumLength)
//   3. memcpy(new, old Buffer, MaximumLength) and store new in the Buffer field
// Each allocation failure goes to the STATUS_NO_MEMORY exit.
// 1/5: BaseSrvWindowsDirectory -> +0x00 (0x180010932 is its MaximumLength word).
rax = qword [pdb.BaseSrvpStaticServerData] //[0x180010950:8]=-1
xmm0 = xmmword [pdb.BaseSrvWindowsDirectory] //[0x180010930:16]=-1
edx = dword [pdb.BaseSrvSharedTag] //[0x180010920:4]=-1
rcx = qword [pdb.BaseSrvSharedHeap] //[0x180010918:8]=-1
xmmword [rax] = xmm0
r8d = word [0x180010932] //[0x180010932:2]=0
qword [ ; [0x18000ca70:8]=0xef26 reloc.ntdll.dll_RtlAllocateHeap ; "&\xef" ; reloc.ntdll.dll_RtlAll
.__imp_RtlAllocateHeap(0x0, 0x0, 0xffffffff, 0xffffffffffffffff)
rdi = rax
var = rax & rax
if (!var) goto 0x180004f72 //unlikely
loc_0x1800019d7:
rbx = qword [pdb.BaseSrvpStaticServerData] //[0x180010950:8]=-1
rcx = rax //void *s1
r8d = word [0x180010932] //[0x180010932:2]=0 ; size_t n
rdx = qword [rbx + 8] //const void *s2
pdb.memcpy ()
//void *memcpy(-1, -1, -1)
// 2/5: BaseSrvWindowsSystemDirectory -> +0x10 (0x180010942 = its MaximumLength).
edx = dword [pdb.BaseSrvSharedTag] //[0x180010920:4]=-1
rcx = qword [pdb.BaseSrvSharedHeap] //[0x180010918:8]=-1
qword [rbx + 8] = rdi
xmm0 = xmmword [pdb.BaseSrvWindowsSystemDirectory] //[0x180010940:16]=-1
xmmword [rbx + 0x10] = xmm0
r8d = word [0x180010942] //[0x180010942:2]=0
qword [ ; [0x18000ca70:8]=0xef26 reloc.ntdll.dll_RtlAllocateHeap ; "&\xef" ; reloc.ntdll.dll_RtlAll
.__imp_RtlAllocateHeap(0x0, 0x0, 0xffffffff, 0xffffffffffffffff)
rdi = rax
var = rax & rax
if (!var) goto 0x180004f72 //likely
loc_0x180001a28:
rbx = qword [pdb.BaseSrvpStaticServerData] //[0x180010950:8]=-1
rcx = rax //void *s1
r8d = word [0x180010942] //[0x180010942:2]=0 ; size_t n
rdx = qword [rbx + 0x18] //const void *s2
pdb.memcpy ()
//void *memcpy(-1, -1, -1)
// 3/5: DestinationString -> +0x20. For the three strings built with
// RtlInitUnicodeString, MaximumLength is rewritten as Length + 2 (ax += 2)
// so the copy includes the terminating WCHAR; the source buffers are the
// 0x100-WCHAR locals, so Length + 2 stays within them.
edx = dword [pdb.BaseSrvSharedTag] //[0x180010920:4]=-1
rcx = qword [pdb.BaseSrvSharedHeap] //[0x180010918:8]=-1
qword [rbx + 0x18] = rdi
qword [rbx + 0x968] = r12
dword [rbx + 0x960] = r12d
xmm0 = xmmword [DestinationString]
xmmword [rbx + 0x20] = xmm0
eax = word [DestinationString]
ax += 2
word [rbx + 0x22] = ax
r8d = word [DestinationString]
r8 += 2
qword [ ; [0x18000ca70:8]=0xef26 reloc.ntdll.dll_RtlAllocateHeap ; "&\xef" ; reloc.ntdll.dll_RtlAll
.__imp_RtlAllocateHeap(0x0, 0x0, 0xffffffff, 0xffffffffffffffff)
rdi = rax
var = rax & rax
if (!var) goto 0x180004f72 //unlikely
loc_0x180001a91:
rbx = qword [pdb.BaseSrvpStaticServerData] //[0x180010950:8]=-1
rcx = rax //void *s1
r8d = word [rbx + 0x22] //size_t n
rdx = qword [rbx + 0x28] //const void *s2
pdb.memcpy ()
//void *memcpy(-1, -1, -1)
// 4/5: var_20h_2 (AppContainerNamedObjects path) -> +0xb40.
edx = dword [pdb.BaseSrvSharedTag] //[0x180010920:4]=-1
rcx = qword [pdb.BaseSrvSharedHeap] //[0x180010918:8]=-1
qword [rbx + 0x28] = rdi
xmm0 = xmmword [var_20h_2]
xmmword [rbx + 0xb40] = xmm0
eax = word [var_20h_2]
ax += 2
word [rbx + 0xb42] = ax
r8d = word [var_20h_2]
r8 += 2
qword [ ; [0x18000ca70:8]=0xef26 reloc.ntdll.dll_RtlAllocateHeap ; "&\xef" ; reloc.ntdll.dll_RtlAll
.__imp_RtlAllocateHeap(0x0, 0x0, 0xffffffff, 0xffffffffffffffff)
rdi = rax
var = rax & rax
if (!var) goto 0x180004f72 //unlikely
loc_0x180001aef:
rbx = qword [pdb.BaseSrvpStaticServerData] //[0x180010950:8]=-1
rcx = rax //void *s1
r8d = word [rbx + 0xb42] //size_t n
rdx = qword [rbx + 0xb48] //const void *s2
pdb.memcpy ()
//void *memcpy(-1, -1, -1)
// 5/5: var_30h (BaseNamedObjects path) -> +0xb58.
edx = dword [pdb.BaseSrvSharedTag] //[0x180010920:4]=-1
rcx = qword [pdb.BaseSrvSharedHeap] //[0x180010918:8]=-1
qword [rbx + 0xb48] = rdi
xmm0 = xmmword [var_30h]
xmmword [rbx + 0xb58] = xmm0
eax = word [var_30h]
ax += 2
word [rbx + 0xb5a] = ax
r8d = word [var_30h]
r8 += 2
qword [ ; [0x18000ca70:8]=0xef26 reloc.ntdll.dll_RtlAllocateHeap ; "&\xef" ; reloc.ntdll.dll_RtlAll
.__imp_RtlAllocateHeap(0x0, 0x0, 0xffffffff, 0xffffffffffffffff)
rdi = rax
var = rax & rax
if (!var) goto 0x180004f72 //unlikely
loc_0x180001b56:
rbx = qword [pdb.BaseSrvpStaticServerData] //[0x180010950:8]=-1
rcx = rax //void *s1
r8d = word [rbx + 0xb5a] //size_t n
rdx = qword [rbx + 0xb60] //const void *s2
pdb.memcpy ()
//void *memcpy(-1, -1, -1)
qword [rbx + 0xb60] = rdi
// Registry query for CSDVersion:
// BaseSrvCSDString = { Length 0, MaximumLength 0xc8, Buffer var_2d8h } (the
// Buffer field lives at the unnamed 0x180010968).
// RtlQueryRegistryValuesEx(RelativeTo = 3, Path = <string at 0x18000cef4>,
//     BaseServerRegistryConfigurationTable1, Context = NULL, Environment = NULL)
// RelativeTo 3 corresponds to RTL_REGISTRY_WINDOWS_NT if the enum matches
// the SDK definition. StaticServerData+0x970 is zeroed beforehand.
rax = var_2d8h
byte [rbx + 0x970] = r12b
r8 = rip + pdb.BaseServerRegistryConfigurationTable1 //0x18000c170 ; u(cstr 0x18000d390) "CSDVersion"
r9d = 0
qword [0x180010968] = rax //[0x180010968:8]=0
rdx = rip + pdb.___C__11LOCGONAA___AA__AA //0x18000cef4
dword [pdb.BaseSrvCSDString] = 0xc80000 //[0x180010960:4]=0
qword [ReturnLength] = r12
ecx = r9 + 3
qword [ ; [0x18000ca80:8]=0xef54 reloc.ntdll.dll_RtlQueryRegistryValuesEx ; "T\xef" ; reloc.ntdll.dll_RtlQueryRegistr
.__imp_RtlQueryRegistryValuesEx(0x0, 0x0, 0x18000cef4, 0x3)
var = eax & eax
js 0x180004d06 //unlikely
{
loc_0x180004d06:
//CODE XREF from sym.BASESRV.dll_ServerDllInitialization @ 0x180001bbc
// Fallback when the first table fails: zero the dword at
// StaticServerData+0x36, then query BaseServerRegistryConfigurationTable with
// the same arguments. Its failure target 0x180004d16 is outside this listing.
rax = qword [pdb.BaseSrvpStaticServerData] //[0x180010950:8]=-1
dword [rax + 0x36] = r12d
goto 0x180001bdf
do
{
loc_0x180001bdf:
//CODE XREF from sym.BASESRV.dll_ServerDllInitialization @ 0x180004d11
r9d = 0
qword [ReturnLength] = r12
r8 = rip + pdb.BaseServerRegistryConfigurationTable //0x18000c100 ; u(cstr 0x18000d390) "CSDVersion"
rdx = rip + pdb.___C__11LOCGONAA___AA__AA //0x18000cef4
ecx = r9 + 3
qword [ ; [0x18000ca80:8]=0xef54 reloc.ntdll.dll_RtlQueryRegistryValuesEx ; "T\xef" ; reloc.ntdll.dll_RtlQuer
.__imp_RtlQueryRegistryValuesEx(0x0, 0x0, 0x18000cef4, 0x3)
var = eax & eax
js 0x180004d16 //unlikely
} while (?);
} while (?);
}
return;
}
Auscitte commented Jul 3, 2021

What the heck is this? The answer is here.
