Created
November 27, 2020 18:57
-
-
Save Auscitte/e8fa2fa5f5ed61f4ef272aadb05f98db to your computer and use it in GitHub Desktop.
basesrv::ServerDllInitialization() decompiled by snowman plugin for radare2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| struct s0 { | |
| struct s0* f0; | |
| signed char[3] pad4; | |
| struct s0* f4; | |
| signed char[1] pad6; | |
| uint16_t f6; | |
| struct s0* f8; | |
| signed char[3] pad12; | |
| struct s0* f12; | |
| signed char[3] pad16; | |
| struct s0* f16; | |
| }; | |
| struct s1 { | |
| signed char[48] pad48; | |
| int64_t f48; | |
| signed char[648] pad704; | |
| int32_t f704; | |
| }; | |
| struct s9 { | |
| signed char[8] pad8; | |
| struct s0* f8; | |
| signed char[15] pad24; | |
| struct s0* f24; | |
| signed char[9] pad34; | |
| uint16_t f34; | |
| signed char[4] pad40; | |
| struct s0* f40; | |
| signed char[13] pad54; | |
| int16_t f54; | |
| int16_t f56; | |
| int16_t f58; | |
| signed char[260] pad320; | |
| struct s0* f320; | |
| signed char[47] pad368; | |
| struct s10* f368; | |
| signed char[6] pad376; | |
| struct s0* f376; | |
| signed char[2015] pad2392; | |
| unsigned char f2392; | |
| unsigned char f2393; | |
| signed char[6] pad2400; | |
| int16_t f2400; | |
| signed char[6] pad2408; | |
| int64_t f2408; | |
| unsigned char f2416; | |
| signed char[443] pad2860; | |
| int32_t f2860; | |
| int32_t f2864; | |
| unsigned char f2868; | |
| signed char[3] pad2872; | |
| int16_t f2872; | |
| signed char[8] pad2882; | |
| uint16_t f2882; | |
| signed char[4] pad2888; | |
| struct s0* f2888; | |
| signed char[7] pad2896; | |
| struct s9* f2896; | |
| signed char[2] pad2906; | |
| uint16_t f2906; | |
| signed char[4] pad2912; | |
| struct s0* f2912; | |
| }; | |
| struct s58 { | |
| signed char[2] pad2; | |
| struct s0* f2; | |
| }; | |
| struct s59 { | |
| signed char[2] pad2; | |
| struct s0* f2; | |
| }; | |
| struct s60 { | |
| signed char[32] pad32; | |
| int64_t f32; | |
| }; | |
| struct s61 { | |
| signed char[4] pad4; | |
| uint16_t f4; | |
| }; | |
| struct s55 { | |
| signed char[32] pad32; | |
| int16_t f32; | |
| signed char[2] pad36; | |
| int32_t f36; | |
| int64_t f40; | |
| int64_t f48; | |
| signed char[8] pad64; | |
| int32_t f64; | |
| signed char[4] pad72; | |
| int64_t f72; | |
| int64_t f80; | |
| signed char[8] pad96; | |
| struct s9* f96; | |
| }; | |
| int64_t ServerDllInitialization(struct s55* rcx) { | |
| void* rsp2; | |
| struct s0** rbp3; | |
| void* rsp4; | |
| uint64_t rax5; | |
| uint64_t v6; | |
| struct s1* rax7; | |
| int64_t r15_8; | |
| int64_t v9; | |
| int32_t eax10; | |
| int1_t zf11; | |
| struct s1* rax12; | |
| int32_t eax13; | |
| int32_t eax14; | |
| int32_t eax15; | |
| void* rsp16; | |
| uint64_t rcx17; | |
| int64_t rax18; | |
| struct s0* r8_19; | |
| struct s0** rdx20; | |
| struct s0* r9_21; | |
| void* rsp22; | |
| signed char al23; | |
| signed char al24; | |
| int32_t eax25; | |
| void* rcx26; | |
| int1_t zf27; | |
| void* rsp28; | |
| struct s9* rcx29; | |
| struct s9* rax30; | |
| int32_t eax31; | |
| struct s9* rcx32; | |
| struct s0* rax33; | |
| struct s9* rbx34; | |
| struct s0* r8_35; | |
| struct s0* rdx36; | |
| struct s9* rcx37; | |
| struct s0* rax38; | |
| struct s9* rbx39; | |
| struct s0* r8_40; | |
| struct s0* rdx41; | |
| struct s9* rcx42; | |
| uint32_t eax43; | |
| uint16_t v44; | |
| struct s58* r8_45; | |
| uint16_t v46; | |
| struct s0* rax47; | |
| struct s9* rbx48; | |
| struct s0* r8_49; | |
| struct s0* rdx50; | |
| struct s9* rcx51; | |
| uint32_t eax52; | |
| uint16_t v53; | |
| struct s59* r8_54; | |
| uint16_t v55; | |
| struct s0* rax56; | |
| struct s9* rbx57; | |
| struct s0* r8_58; | |
| struct s0* rdx59; | |
| struct s9* rcx60; | |
| struct s0* rax61; | |
| struct s9* rbx62; | |
| struct s0* r8_63; | |
| struct s0* rdx64; | |
| int32_t eax65; | |
| struct s9* rax66; | |
| uint32_t eax67; | |
| struct s9* rcx68; | |
| uint32_t eax69; | |
| int32_t eax70; | |
| void* rsp71; | |
| struct s9* rax72; | |
| uint64_t r9_73; | |
| int32_t eax74; | |
| int32_t eax75; | |
| int32_t eax76; | |
| struct s9* rax77; | |
| int32_t eax78; | |
| void* rsp79; | |
| void* r9_80; | |
| int64_t rdx81; | |
| int64_t v82; | |
| int32_t eax83; | |
| void* rsp84; | |
| int64_t rax85; | |
| int64_t v86; | |
| int32_t eax87; | |
| int32_t eax88; | |
| struct s9* rax89; | |
| struct s9* rax90; | |
| int16_t v91; | |
| int64_t v92; | |
| struct s9* rax93; | |
| int64_t rcx94; | |
| int64_t rax95; | |
| int32_t eax96; | |
| int64_t rcx97; | |
| struct s60* rax98; | |
| int32_t eax99; | |
| int1_t zf100; | |
| int64_t rcx101; | |
| int64_t rax102; | |
| int32_t eax103; | |
| int1_t zf104; | |
| int32_t eax105; | |
| struct s0* v106; | |
| int32_t eax107; | |
| struct s0* v108; | |
| int32_t eax109; | |
| struct s0* v110; | |
| int32_t eax111; | |
| int1_t zf112; | |
| int32_t eax113; | |
| int32_t eax114; | |
| int32_t eax115; | |
| int32_t eax116; | |
| int1_t zf117; | |
| int32_t eax118; | |
| void* rsp119; | |
| int32_t eax120; | |
| int1_t zf121; | |
| int32_t eax122; | |
| int32_t eax123; | |
| struct s9* rax124; | |
| unsigned char cl125; | |
| int32_t v126; | |
| struct s9* rax127; | |
| int32_t eax128; | |
| int32_t eax129; | |
| int32_t eax130; | |
| int1_t zf131; | |
| int64_t v132; | |
| void* rsp133; | |
| int32_t eax134; | |
| int32_t eax135; | |
| int1_t zf136; | |
| int64_t v137; | |
| int32_t eax138; | |
| int32_t eax139; | |
| int1_t zf140; | |
| int64_t v141; | |
| void* rsp142; | |
| int32_t eax143; | |
| int32_t eax144; | |
| int1_t zf145; | |
| int64_t v146; | |
| struct s0* v147; | |
| int32_t eax148; | |
| int32_t eax149; | |
| int64_t rsi150; | |
| void* r8_151; | |
| int32_t ebx152; | |
| int32_t eax153; | |
| void* rsp154; | |
| uint16_t r8d155; | |
| struct s61* v156; | |
| uint32_t eax157; | |
| uint32_t ecx158; | |
| struct s62* v159; | |
| uint32_t v160; | |
| int64_t rdx161; | |
| int32_t eax162; | |
| void* rsp163; | |
| int32_t eax164; | |
| int64_t rcx165; | |
| int64_t rcx166; | |
| int64_t rcx167; | |
| int64_t rcx168; | |
| int64_t rcx169; | |
| int64_t rcx170; | |
| void* rsp171; | |
| int64_t rcx172; | |
| int64_t rcx173; | |
| struct s9* rbx174; | |
| int32_t eax175; | |
| rsp2 = <void*>(<int64_t>(__zero_stack_offset()) - 8 - 8 - 8 - 8 - 8); | |
| rbp3 = <struct s0**>(<int64_t>(rsp2) - 0xde0); | |
| rsp4 = <void*>(<int64_t>(rsp2) - 0xee0); | |
| rax5 = g180010050; | |
| v6 = rax5 ^ <uint64_t>(rsp4); | |
| rax7 = g60; | |
| *<int16_t*>(&r15_8) = <int16_t>(0); | |
| *<int32_t*>(<int64_t>(&r15_8) + 4) = 0; | |
| g180010958 = rax7->f704; | |
| v9 = 0; | |
| eax10 = <int32_t>(RtlGetCurrentServiceSessionId()); | |
| zf11 = g180010958 == eax10; | |
| g180010a50 = eax10; | |
| rax12 = g60; | |
| if (zf11) { | |
| } | |
| g180010908 = rax12->f48; | |
| eax13 = <int32_t>(RtlCreateTagHeap()); | |
| g180010918 = rcx->f96; | |
| g180010910 = eax13; | |
| eax14 = <int32_t>(RtlCreateTagHeap()); | |
| rcx->f32 = <int16_t>(0); | |
| g180010920 = eax14; | |
| rcx->f40 = 0x18000c1f0; | |
| rcx->f48 = 0x18000d130; | |
| rcx->f72 = <int64_t>(fun_180003eb0); | |
| rcx->f80 = <int64_t>(fun_180003cf0); | |
| rcx->f36 = 29; | |
| rcx->f64 = 8; | |
| eax15 = <int32_t>(RtlInitializeCriticalSection(0x1800109a0)); | |
| rsp16 = <void*>(<uint64_t>(rsp4) - 8 + 8 - 8 + 8 - 8 + 8 - 8 + 8); | |
| if (eax15 < 0) { | |
| addr_0x18000233d_4: | |
| rcx17 = v6 ^ <uint64_t>(rsp16); | |
| rax18 = fun_180004490(rcx17, rcx17); | |
| return rax18; | |
| } else { | |
| r8_19 = <struct s0*>(rbp3 + 32); | |
| rdx20 = <struct s0**>(0x18000c1e0); | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| RtlExpandEnvironmentStrings_U(); | |
| rsp22 = <void*>(<uint64_t>(rsp16) - 8 + 8); | |
| if (0) | |
| goto addr_0x180004f72_6; | |
| if (0) { | |
| fun_180004618(); | |
| } | |
| rdx20 = rbp3 + 0x80; | |
| al23 = <signed char>(RtlCreateUnicodeString(0x180010930, rdx20, r8_19)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (!al23) | |
| goto addr_0x180004f72_6; | |
| r8_19 = <struct s0*>(0x18000d118); | |
| wcscat_s(rbp3 + 0x80, 0x190, 0x18000d118); | |
| rdx20 = rbp3 + 0x80; | |
| al24 = <signed char>(RtlCreateUnicodeString(0x180010940, rdx20, 0x18000d118)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8 - 8 + 8); | |
| if (!al24) | |
| goto addr_0x180004f72_6; | |
| eax25 = g180010958; | |
| rcx26 = <void*>(rbp3 + 0x3a0); | |
| zf27 = eax25 == g180010a50; | |
| if (zf27) { | |
| wcscpy_s(rcx26, 0x100, "\\"); | |
| rsp28 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| } else { | |
| swprintf_s(rcx26, 0x100, "%", "\\"); | |
| rsp28 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| } | |
| swprintf_s(rbp3 + 0x7a0, 0x100, "%", "\\"); | |
| r9_21 = <struct s0*>(0x18000cee0); | |
| fun_180003ae4(rbp3 + 0x5a0, 0x100, "%", 0x18000cee0); | |
| RtlInitUnicodeString(rbp3 - 0x68, rbp3 + 0x3a0, "%", 0x18000cee0); | |
| RtlInitUnicodeString(rbp3 - 48, rbp3 + 0x5a0, "%", 0x18000cee0); | |
| RtlInitUnicodeString(rbp3 - 32, rbp3 + 0x7a0, "%", 0x18000cee0); | |
| *<int32_t*>(&rdx20) = g180010920; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| *<uint32_t*>(&r8_19) = 0xb68; | |
| *<int32_t*>(&r8_19 + 4) = 0; | |
| rcx29 = g180010918; | |
| rax30 = <struct s9*>(RtlAllocateHeap(rcx29, rdx20, 0xb68, 0x18000cee0)); | |
| rsp22 = <void*>(<uint64_t>(rsp28) - 8 + 8 - 8 + 8 - 8 + 8 - 8 + 8 - 8 + 8 - 8 + 8); | |
| g180010950 = rax30; | |
| if (!rax30) | |
| goto addr_0x180004f72_6; | |
| rcx->f96 = rax30; | |
| rdx20 = &rax30->f320; | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| rax30->f2896 = rax30; | |
| rax30->f2864 = -1; | |
| rax30->f2872 = <int16_t>(0); | |
| *<uint32_t*>(&r8_19) = 48; | |
| *<int32_t*>(&r8_19 + 4) = 0; | |
| eax31 = <int32_t>(NtQuerySystemInformation(3, rdx20, 48)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax31 < 0) | |
| goto addr_0x180004f77_16; | |
| __asm__("movups xmm0, [rip+0xef83]"); | |
| *<int32_t*>(&rdx20) = g180010920; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| rcx32 = g180010918; | |
| __asm__("movups [rax], xmm0"); | |
| *<uint32_t*>(&r8_19) = <uint32_t>(g180010932); | |
| *<int32_t*>(&r8_19 + 4) = 0; | |
| rax33 = <struct s0*>(RtlAllocateHeap(rcx32, rdx20, r8_19)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (!rax33) | |
| goto addr_0x180004f72_6; | |
| rbx34 = g180010950; | |
| *<uint32_t*>(&r8_35) = <uint32_t>(g180010932); | |
| *<int32_t*>(&r8_35 + 4) = 0; | |
| rdx36 = rbx34->f8; | |
| fun_1800048c1(rax33, rdx36, r8_35, 0); | |
| *<int32_t*>(&rdx20) = g180010920; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| rcx37 = g180010918; | |
| rbx34->f8 = rax33; | |
| __asm__("movups xmm0, [rip+0xef36]"); | |
| __asm__("movups [rbx+0x10], xmm0"); | |
| *<uint32_t*>(&r8_19) = <uint32_t>(g180010942); | |
| *<int32_t*>(&r8_19 + 4) = 0; | |
| rax38 = <struct s0*>(RtlAllocateHeap(rcx37, rdx20, r8_19)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8 - 8 + 8); | |
| if (!rax38) | |
| goto addr_0x180004f72_6; | |
| rbx39 = g180010950; | |
| *<uint32_t*>(&r8_40) = <uint32_t>(g180010942); | |
| *<int32_t*>(&r8_40 + 4) = 0; | |
| rdx41 = rbx39->f24; | |
| fun_1800048c1(rax38, rdx41, r8_40, 0); | |
| *<int32_t*>(&rdx20) = g180010920; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| rcx42 = g180010918; | |
| rbx39->f24 = rax38; //here is SystemDirectory is copied | |
| rbx39->f2408 = 0; | |
| rbx39->f2400 = <int16_t>(0); | |
| __asm__("movups xmm0, [rbp-0x68]"); | |
| __asm__("movups [rbx+0x20], xmm0"); | |
| eax43 = <uint32_t>(v44); | |
| rbx39->f34 = <uint16_t>(*<int16_t*>(&eax43) + 2); | |
| *<uint32_t*>(&r8_45) = <uint32_t>(v46); | |
| *<int32_t*>(<int64_t>(&r8_45) + 4) = 0; | |
| r8_19 = <struct s0*>(&r8_45->f2); | |
| rax47 = <struct s0*>(RtlAllocateHeap(rcx42, rdx20)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8 - 8 + 8); | |
| if (!rax47) | |
| goto addr_0x180004f72_6; | |
| rbx48 = g180010950; | |
| *<uint32_t*>(&r8_49) = <uint32_t>(rbx48->f34); | |
| *<int32_t*>(&r8_49 + 4) = 0; | |
| rdx50 = rbx48->f40; | |
| fun_1800048c1(rax47, rdx50, r8_49, 0); | |
| *<int32_t*>(&rdx20) = g180010920; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| rcx51 = g180010918; | |
| rbx48->f40 = rax47; | |
| __asm__("movups xmm0, [rbp-0x20]"); | |
| __asm__("movups [rbx+0xb40], xmm0"); | |
| eax52 = <uint32_t>(v53); | |
| rbx48->f2882 = <uint16_t>(*<int16_t*>(&eax52) + 2); | |
| *<uint32_t*>(&r8_54) = <uint32_t>(v55); | |
| *<int32_t*>(<int64_t>(&r8_54) + 4) = 0; | |
| r8_19 = <struct s0*>(&r8_54->f2); | |
| rax56 = <struct s0*>(RtlAllocateHeap(rcx51, rdx20)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8 - 8 + 8); | |
| if (!rax56) | |
| goto addr_0x180004f72_6; | |
| rbx57 = g180010950; | |
| *<uint32_t*>(&r8_58) = <uint32_t>(rbx57->f2882); | |
| *<int32_t*>(&r8_58 + 4) = 0; | |
| rdx59 = rbx57->f2888; | |
| fun_1800048c1(rax56, rdx59, r8_58, 0); | |
| *<int32_t*>(&rdx20) = g180010920; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| rcx60 = g180010918; | |
| rbx57->f2888 = rax56; | |
| __asm__("movups xmm0, [rbp-0x30]"); | |
| __asm__("movups [rbx+0xb58], xmm0"); | |
| rbx57->f2906 = 2; | |
| r8_19 = <struct s0*>(2); | |
| rax61 = <struct s0*>(RtlAllocateHeap(rcx60, rdx20)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8 - 8 + 8); | |
| if (!rax61) | |
| goto addr_0x180004f72_6; | |
| rbx62 = g180010950; | |
| *<uint32_t*>(&r8_63) = <uint32_t>(rbx62->f2906); | |
| *<int32_t*>(&r8_63 + 4) = 0; | |
| rdx64 = rbx62->f2912; | |
| fun_1800048c1(rax61, rdx64, r8_63, 0); | |
| rbx62->f2912 = rax61; | |
| rbx62->f2416 = 0; | |
| g180010968 = <struct s0*>(rbp3 + 0x2d8); | |
| g180010960 = 0xc80000; | |
| eax65 = <int32_t>(RtlQueryRegistryValuesEx(3, 0x18000cef4, 0x18000c170)); | |
| if (eax65 < 0) { | |
| rax66 = g180010950; | |
| rax66->f54 = <int16_t>(0); | |
| } else { | |
| eax67 = <uint32_t>(g180010970); | |
| rcx68 = g180010950; | |
| rcx68->f54 = *<int16_t*>(&eax67); | |
| eax69 = <uint32_t>(g180010972); | |
| rcx68->f56 = *<int16_t*>(&eax69); | |
| } | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| r8_19 = <struct s0*>(0x18000c100); | |
| eax70 = <int32_t>(RtlQueryRegistryValuesEx(3, 0x18000cef4, 0x18000c100)); | |
| rsp71 = <void*>(<uint64_t>(rsp22) - 8 + 8 - 8 + 8 - 8 + 8); | |
| if (eax70 < 0) { | |
| rax72 = g180010950; | |
| rax72->f58 = 0; | |
| } else { | |
| *<uint32_t*>(&r9_73) = <uint32_t>(*<uint16_t*>(&g180010960)); | |
| *<int32_t*>(<int64_t>(&r9_73) + 4) = 0; | |
| r8_19 = g180010968; | |
| r9_21 = <struct s0*>(r9_73 >> 1); | |
| wcsncpy_s(); | |
| rsp71 = <void*>(<uint64_t>(rsp71) - 8 + 8); | |
| } | |
| *<int32_t*>(&rdx20) = 0; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax74 = <int32_t>(RtlInitUnicodeStringEx(0x180010960)); | |
| rsp22 = <void*>(<uint64_t>(rsp71) - 8 + 8); | |
| if (eax74 < 0) | |
| goto addr_0x180004f77_16; | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| rdx20 = <struct s0**>(0x1800109e0); | |
| *<uint32_t*>(&r8_19) = 64; | |
| *<int32_t*>(&r8_19 + 4) = 0; | |
| eax75 = <int32_t>(NtQuerySystemInformation()); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax75 < 0) | |
| goto addr_0x180004f77_16; | |
| eax76 = fun_180002b20(); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax76 < 0) | |
| goto addr_0x180004f77_16; | |
| rax77 = g180010950; | |
| __asm__("xorps xmm0, xmm0"); | |
| rax77->f2392 = 0; | |
| __asm__("movdqu [rbp-0x80], xmm0"); | |
| eax78 = <int32_t>(NtOpenKey(rbp3 - 16, 0x20019, <uint64_t>(rsp22) + 96)); | |
| rsp79 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax78 >= 0) { | |
| r9_80 = <void*>(rbp3 + 0x80); | |
| rdx81 = <int64_t>("$"); | |
| eax83 = <int32_t>(NtQueryValueKey(v82, "$", 2, r9_80)); | |
| rsp84 = <void*>(<uint64_t>(rsp79) - 8 + 8); | |
| if (eax83 >= 0) { | |
| rax85 = v86; | |
| if (*<int32_t*>(&rax85) != 4) { | |
| if (*<int32_t*>(&rax85) == 1 && ((rdx81 = <int64_t>("y"), eax87 = <int32_t>(_wcsicmp(rbp3 + 0x8c, "y", 2, r9_80)), rsp84 = <void*>(<uint64_t>(rsp84) - 8 + 8), eax87 == 0) || (rdx81 = <int64_t>("1"), eax88 = <int32_t>(_wcsicmp(rbp3 + 0x8c, "1", 2, r9_80)), rsp84 = <void*>(<uint64_t>(rsp84) - 8 + 8), !eax88))) { | |
| rax89 = g180010950; | |
| rax89->f2392 = 1; | |
| } | |
| } else { | |
| rax90 = g180010950; | |
| rax90->f2392 = <unsigned char>(<uint1_t>(!!v91)); | |
| } | |
| } | |
| NtClose(v92, rdx81, 2, r9_80); | |
| rsp79 = <void*>(<uint64_t>(rsp84) - 8 + 8); | |
| } | |
| rax93 = g180010950; | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| rax93->f2393 = 0; | |
| RtlQueryRegistryValuesEx(2, "S", 0x18000c040); | |
| *<int32_t*>(&rdx20) = g180010910; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| *<uint32_t*>(&r8_19) = 0x400; | |
| *<int32_t*>(&r8_19 + 4) = 0; | |
| rcx94 = g180010908; | |
| rax95 = <int64_t>(RtlAllocateHeap(rcx94, rdx20, 0x400)); | |
| rsp22 = <void*>(<uint64_t>(rsp79) - 8 + 8 - 8 + 8); | |
| if (!rax95) | |
| goto addr_0x180004f72_6; | |
| *<int32_t*>(&rdx20) = 1; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax96 = <int32_t>(RtlCreateSecurityDescriptor(rax95, 1, 0x400)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax96 < 0) | |
| goto addr_0x180004f77_16; | |
| *<int32_t*>(&rdx20) = g180010910; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| *<uint32_t*>(&r8_19) = 40; | |
| *<int32_t*>(&r8_19 + 4) = 0; | |
| rcx97 = g180010908; | |
| rax98 = <struct s60*>(RtlAllocateHeap(rcx97, rdx20, 40)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (!rax98) | |
| goto addr_0x180004f72_6; | |
| *<int32_t*>(&rdx20) = 1; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax99 = <int32_t>(RtlCreateSecurityDescriptor(rax98, 1, 40)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax99 < 0) | |
| goto addr_0x180004f77_16; | |
| zf100 = g180010a94 == 0; | |
| if (zf100) | |
| goto addr_0x180001d7f_43; | |
| } | |
| *<int32_t*>(&rdx20) = g180010910; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| *<uint32_t*>(&r8_19) = 40; | |
| *<int32_t*>(&r8_19 + 4) = 0; | |
| rcx101 = g180010908; | |
| rax102 = <int64_t>(RtlAllocateHeap(rcx101, rdx20, 40)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| v9 = rax102; | |
| r15_8 = rax102; | |
| if (!rax102) { | |
| addr_0x180004f72_6: | |
| goto addr_0x180004f77_16; | |
| } else { | |
| *<int32_t*>(&rdx20) = 1; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax103 = <int32_t>(RtlCreateSecurityDescriptor(rax102, 1, 40)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax103 < 0) | |
| goto addr_0x180004f77_16; | |
| zf104 = g180010a94 == 0; | |
| if (!zf104) | |
| goto addr_0x180004e1d_47; | |
| } | |
| addr_0x180001d7f_43: | |
| addr_0x180001d84_48: | |
| r9_21 = <struct s0*>(rbp3 + 0xffffffffffffffb8); | |
| r8_19 = <struct s0*>(rbp3 + 0xfffffffffffffff8); | |
| rdx20 = rbp3; | |
| eax105 = fun_180003290(rbp3 - 64, rdx20, r8_19, r9_21); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax105 < 0) | |
| goto addr_0x180004f77_16; | |
| r8_19 = v106; | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| *<signed char*>(&rdx20) = 1; | |
| eax107 = <int32_t>(RtlSetDaclSecurityDescriptor(rax95, rdx20, r8_19)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax107 < 0) | |
| goto addr_0x180004f77_16; | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| r8_19 = v108; | |
| *<signed char*>(&rdx20) = 1; | |
| eax109 = <int32_t>(RtlSetSaclSecurityDescriptor(rax95, rdx20, r8_19)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax109 < 0) | |
| goto addr_0x180004f77_16; | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| r8_19 = v110; | |
| *<signed char*>(&rdx20) = 1; | |
| eax111 = <int32_t>(RtlSetDaclSecurityDescriptor(rax98, rdx20, r8_19)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax111 < 0) | |
| goto addr_0x180004f77_16; | |
| zf112 = g180010a94 == 0; | |
| if (!zf112) { | |
| r8_19 = <struct s0*>(0); | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| *<signed char*>(&rdx20) = 1; | |
| eax113 = <int32_t>(RtlSetDaclSecurityDescriptor(r15_8, rdx20, 0)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax113 < 0) | |
| goto addr_0x180004f77_16; | |
| } | |
| r8_19 = <struct s0*>(<uint64_t>(rsp22) + 96); | |
| *<int32_t*>(&rdx20) = 0xf000f; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax114 = <int32_t>(NtCreateDirectoryObject(0x180010978, 0xf000f, r8_19)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax114 < 0) | |
| goto addr_0x180004f77_16; | |
| r8_19 = <struct s0*>(<uint64_t>(rsp22) + 96); | |
| *<int32_t*>(&rdx20) = 0xf000f; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax115 = <int32_t>(NtCreateDirectoryObject()); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax115 < 0) | |
| goto addr_0x180004f77_16; | |
| eax116 = g180010958; | |
| zf117 = eax116 == g180010a50; | |
| if (zf117) { | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| *<uint32_t*>(&r8_19) = 0; | |
| *<int32_t*>(&r8_19 + 4) = 0; | |
| *<int32_t*>(&rdx20) = 5; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax118 = <int32_t>(NtSetInformationObject()); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax118 < 0) | |
| goto addr_0x180004f77_16; | |
| eax116 = g180010958; | |
| if (!eax116) | |
| goto addr_0x180001ea6_60; | |
| } else { | |
| addr_0x180001ea6_60: | |
| goto addr_0x180001ea8_61; | |
| } | |
| swprintf_s(rbp3 + 0x9a0, 0x100, "%", "\\"); | |
| RtlInitUnicodeString(rbp3 + 72, rbp3 + 0x9a0, "%", "\\"); | |
| rsp119 = <void*>(<uint64_t>(rsp22) - 8 + 8 - 8 + 8); | |
| r9_21 = <struct s0*>(0x18000c020); | |
| eax120 = <int32_t>(NtCreateSymbolicLinkObject(rbp3 - 0x70, 0xf0001, <uint64_t>(rsp119) + 96, 0x18000c020)); | |
| rsp16 = <void*>(<uint64_t>(rsp119) - 8 + 8); | |
| if (eax120 >= 0) | |
| goto addr_0x180004ec8_64; | |
| addr_0x180002325_65: | |
| goto addr_0x18000233d_4; | |
| addr_0x180004ec8_64: | |
| NtClose(); | |
| rsp22 = <void*>(<uint64_t>(rsp16) - 8 + 8); | |
| eax116 = g180010958; | |
| addr_0x180001ea8_61: | |
| zf121 = g180010a94 == 0; | |
| if (!(zf121 || eax116)) { | |
| r8_19 = <struct s0*>(<uint64_t>(rsp22) + 96); | |
| *<int32_t*>(&rdx20) = 0xf000f; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax122 = <int32_t>(NtCreateDirectoryObject()); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax122 < 0) | |
| goto addr_0x180004f77_16; | |
| } | |
| *<int32_t*>(&r9_21) = 4; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| r8_19 = <struct s0*>(rbp3 + 0xffffffffffffffa8); | |
| eax123 = <int32_t>(NtQueryInformationProcess()); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax123 < 0) { | |
| rax124 = g180010950; | |
| cl125 = 0; | |
| rax124->f2868 = 0; | |
| } else { | |
| if (!v126) { | |
| cl125 = 0; | |
| } else { | |
| cl125 = 1; | |
| } | |
| rax127 = g180010950; | |
| rax127->f2868 = cl125; | |
| } | |
| if (cl125 == 1 && (*<int32_t*>(&rdx20) = 0x80000000, *<int32_t*>(<int64_t>(&rdx20) + 4) = 0, eax128 = <int32_t>(RtlInitializeCriticalSectionAndSpinCount(0x180010a20, 0x80000000, r8_19)), rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8), eax128 < 0) || (r9_21 = <struct s0*>(0x18000c020), r8_19 = <struct s0*>(<uint64_t>(rsp22) + 96), *<int32_t*>(&rdx20) = 0xf0001, *<int32_t*>(<int64_t>(&rdx20) + 4) = 0, eax129 = <int32_t>(NtCreateSymbolicLinkObject(rbp3 - 0x70, 0xf0001, r8_19, 0x18000c020)), rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8), eax129 < 0)) { | |
| addr_0x180004f77_16: | |
| RtlDeleteCriticalSection(0x1800109a0, rdx20, r8_19, r9_21); | |
| rsp16 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| } else { | |
| eax130 = g180010a50; | |
| zf131 = g180010958 == eax130; | |
| if (zf131) { | |
| NtClose(v132, 0xf0001, r8_19, 0x18000c020); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| } | |
| RtlInitUnicodeString(rbp3 + 56, rbp3 + 0x3a0, r8_19, 0x18000c020); | |
| rsp133 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| r9_21 = <struct s0*>(rbp3 + 56); | |
| r8_19 = <struct s0*>(<uint64_t>(rsp133) + 96); | |
| *<int32_t*>(&rdx20) = 0xf0001; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax134 = <int32_t>(NtCreateSymbolicLinkObject(rbp3 - 0x70, 0xf0001, r8_19, r9_21)); | |
| rsp22 = <void*>(<uint64_t>(rsp133) - 8 + 8); | |
| if (eax134 < 0) | |
| goto addr_0x180004f77_16; else | |
| goto addr_0x180001fd9_79; | |
| } | |
| addr_0x180002323_80: | |
| goto addr_0x180002325_65; | |
| addr_0x180001fd9_79: | |
| eax135 = g180010a50; | |
| zf136 = g180010958 == eax135; | |
| if (zf136) { | |
| NtClose(v137, 0xf0001, r8_19, r9_21); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| } | |
| r9_21 = <struct s0*>(rbp3 + 0xffffffffffffffe0); | |
| r8_19 = <struct s0*>(<uint64_t>(rsp22) + 96); | |
| *<int32_t*>(&rdx20) = 0xf0001; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax138 = <int32_t>(NtCreateSymbolicLinkObject(rbp3 - 0x70, 0xf0001, r8_19, r9_21)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax138 < 0) | |
| goto addr_0x180004f77_16; | |
| eax139 = g180010a50; | |
| zf140 = g180010958 == eax139; | |
| if (zf140) { | |
| NtClose(v141, 0xf0001, r8_19, r9_21); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| } | |
| RtlInitUnicodeString(rbp3 - 0x68, "S", r8_19, r9_21); | |
| RtlInitUnicodeString(rbp3 + 56, "\\", r8_19, r9_21); | |
| rsp142 = <void*>(<uint64_t>(rsp22) - 8 + 8 - 8 + 8); | |
| r9_21 = <struct s0*>(rbp3 + 56); | |
| r8_19 = <struct s0*>(<uint64_t>(rsp142) + 96); | |
| *<int32_t*>(&rdx20) = 0xf0001; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax143 = <int32_t>(NtCreateSymbolicLinkObject(rbp3 - 0x70, 0xf0001, r8_19, r9_21)); | |
| rsp22 = <void*>(<uint64_t>(rsp142) - 8 + 8); | |
| if (eax143 < 0) | |
| goto addr_0x180004f77_16; | |
| eax144 = g180010a50; | |
| zf145 = g180010958 == eax144; | |
| if (zf145) { | |
| NtClose(v146, 0xf0001, r8_19, r9_21); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| } | |
| rdx20 = <struct s0**>(0x18000cf58); | |
| RtlInitUnicodeString(rbp3 - 0x68, 0x18000cf58, r8_19, r9_21); | |
| *<int32_t*>(&r9_21) = 0; | |
| *<int32_t*>(&r9_21 + 4) = 0; | |
| r8_19 = v147; | |
| *<signed char*>(&rdx20) = 1; | |
| eax148 = <int32_t>(RtlSetDaclSecurityDescriptor(rax95, 0x18000cf01, r8_19)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8 - 8 + 8); | |
| if (eax148 < 0) | |
| goto addr_0x180004f77_16; | |
| r8_19 = <struct s0*>(<uint64_t>(rsp22) + 96); | |
| *<int32_t*>(&rdx20) = 0xf000f; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax149 = <int32_t>(NtCreateDirectoryObject(0x180010980, 0xf000f, r8_19)); | |
| rsp22 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax149 < 0) | |
| goto addr_0x180004f77_16; | |
| rsi150 = rax98->f32; | |
| r8_151 = <void*>(rbp3 - 80); | |
| ebx152 = 0; | |
| eax153 = <int32_t>(RtlGetAce(rsi150)); | |
| rsp154 = <void*>(<uint64_t>(rsp22) - 8 + 8); | |
| if (eax153 >= 0) { | |
| do { | |
| r8d155 = v156->f4; | |
| v156->f4 = 0; | |
| eax157 = 4; | |
| do { | |
| ecx158 = r8d155 & eax157; | |
| if (eax157 == <uint32_t>(*<uint16_t*>(&ecx158))) { | |
| v159->f4 = v159->f4 | 0x100004; | |
| } | |
| eax157 = v160; | |
| } while (eax157); | |
| ++ebx152; | |
| r8_151 = <void*>(rbp3 - 80); | |
| *<int32_t*>(&rdx161) = ebx152; | |
| *<int32_t*>(<int64_t>(&rdx161) + 4) = 0; | |
| eax162 = <int32_t>(RtlGetAce(rsi150, rdx161, r8_151)); | |
| rsp154 = <void*>(<uint64_t>(rsp154) - 8 + 8); | |
| } while (eax162 >= 0); | |
| } | |
| RtlAppendUnicodeToString(rbp3 + 16, "\\", r8_151); | |
| RtlAppendUnicodeStringToString(rbp3 + 16, rbp3 - 32, r8_151); | |
| rsp163 = <void*>(<uint64_t>(rsp154) - 8 + 8 - 8 + 8); | |
| r9_21 = <struct s0*>(rbp3 + 88); | |
| r8_19 = <struct s0*>(<uint64_t>(rsp163) + 96); | |
| *<int32_t*>(&rdx20) = 0x1f01ff; | |
| *<int32_t*>(<int64_t>(&rdx20) + 4) = 0; | |
| eax164 = <int32_t>(NtCreateFile(0x1800109c8, 0x1f01ff, r8_19, r9_21)); | |
| rsp22 = <void*>(<uint64_t>(rsp163) - 8 + 8); | |
| if (eax164 < 0) | |
| goto addr_0x180004f77_16; | |
| rcx165 = g180010908; | |
| RtlFreeHeap(rcx165); | |
| rcx166 = g180010908; | |
| RtlFreeHeap(rcx166); | |
| rcx167 = g180010908; | |
| RtlFreeHeap(rcx167); | |
| rcx168 = g180010908; | |
| RtlFreeHeap(rcx168); | |
| rcx169 = g180010908; | |
| RtlFreeHeap(rcx169); | |
| rcx170 = g180010908; | |
| RtlFreeHeap(rcx170); | |
| rsp171 = <void*>(<uint64_t>(rsp22) - 8 + 8 - 8 + 8 - 8 + 8 - 8 + 8 - 8 + 8 - 8 + 8); | |
| if (0) { | |
| rcx172 = g180010908; | |
| RtlFreeHeap(rcx172); | |
| rsp171 = <void*>(<uint64_t>(rsp171) - 8 + 8); | |
| } | |
| if (v9) { | |
| rcx173 = g180010908; | |
| RtlFreeHeap(rcx173); | |
| rsp171 = <void*>(<uint64_t>(rsp171) - 8 + 8); | |
| } | |
| RtlInitializeCriticalSection(0x180010680); | |
| RtlInitializeCriticalSection(0x1800106c0); | |
| rbx174 = g180010950; | |
| eax175 = <int32_t>(RtlInitializeCriticalSection(0x180010620)); | |
| rsp16 = <void*>(<uint64_t>(rsp171) - 8 + 8 - 8 + 8 - 8 + 8); | |
| if (eax175 >= 0) { | |
| g180010648 = <struct s0*>(&rbx174->f376); | |
| } | |
| goto addr_0x180002323_80; | |
| addr_0x180004e1d_47: | |
| goto addr_0x180001d84_48; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What the heck is this? The answer is here.