Code:
76A61000 > . F62D817C DD kernel32.GetSystemInfo
76A61004 > . 7B1D807C DD kernel32.LoadLibraryA
76A61008 > . 2E98807C DD kernel32.InterlockedExchange
76A6100C > . 7EAC807C DD kernel32.FreeLibrary
76A61010 > . 40AE807C DD kernel32.GetProcAddress
76A61014 > . 5D49847C DD kernel32.SetUnhandledExceptionFilter
76A61018 > . CA3F867C DD kernel32.UnhandledExceptionFilter
76A6101C > . 95DE807C DD kernel32.GetCurrentProcess
76A61020 > . 1A1E807C DD kernel32.TerminateProcess
76A61024 > . E917807C DD kernel32.GetSystemTimeAsFileTime
76A61028 > . C099807C DD kernel32.GetCurrentProcessId
76A6102C > . D097807C DD kernel32.GetCurrentThreadId
76A61030 > . 4A93807C DD kernel32.GetTickCount
76A61034 > . C7A4807C DD kernel32.QueryPerformanceCounter
76A61038 > . 21FE907C DD ntdll.RtlGetLastWin32Error
76A6103C > . 3613817C DD kernel32.DisableThreadLibraryCalls
76A61040 > . 16BC807C DD kernel32.OpenFileMappingA
76A61044 > . A5B9807C DD kernel32.MapViewOfFile
76A61048 > . 14BA807C DD kernel32.UnmapViewOfFile
76A6104C > . 281A807C DD kernel32.CreateFileA
76A61050 > . E79B807C DD kernel32.CloseHandle
76A61054 > . 61AC807C DD kernel32.GetProcessHeap
76A61058 > . 30FE907C DD ntdll.RtlSetLastWin32Error
76A6105C > . CF99807C DD kernel32.LocalFree
76A61060 > . 2D9A807C DD kernel32.LocalAlloc
76A61064 > . 989C807C DD kernel32.MultiByteToWideChar
76A61068 > . 74A1807C DD kernel32.WideCharToMultiByte
76A6106C > . D021807C DD kernel32.ReadProcessMemory
76A61070 > . A92A817C DD kernel32.RaiseException
76A61074 > . D803837C DD kernel32.SetProcessWorkingSetSize
76A61078 > . 4C21867C DD kernel32.GetProcessWorkingSetSize
76A6107C > . A1BE807C DD kernel32.lstrcpyA
76A61080 > . 56BE807C DD kernel32.lstrlenA
76A61084 > . 2DFF907C DD ntdll.RtlFreeHeap
76A61088 > . C400917C DD ntdll.RtlAllocateHeap
76A6108C . 00000000 DD 00000000
76A61090 > . C5AB927C DD ntdll.RtlUnwind
76A61094 > . 4AFE907C DD ntdll.wcslen
76A61098 > . 8249917C DD ntdll.wcschr
76A6109C > . 642E917C DD ntdll._stricmp
76A610A0 > . A948927C DD ntdll.atoi
76A610A4 > . EECF907C DD ntdll.ZwClose
76A610A8 > . 1EDE907C DD ntdll.ZwStopProfile
76A610AC > . 0A19977C DD ntdll._snprintf
76A610B0 > . 6FFB927C DD ntdll.DbgPrint
76A610B4 > . E870927C DD ntdll.RtlUnicodeToOemN
76A610B8 > . 6D9A927C DD ntdll.RtlAdjustPrivilege
76A610BC > . BAEC907C DD ntdll.RtlMultiByteToUnicodeN
76A610C0 > . 6ECF907C DD ntdll.ZwAllocateVirtualMemory
76A610C4 > . 6ED1907C DD ntdll.ZwCreateProfile
76A610C8 > . CEDC907C DD ntdll.ZwSetIntervalProfile
76A610CC > . 0EDE907C DD ntdll.ZwStartProfile
76A610D0 > . 7EDF907C DD ntdll.ZwWriteFile
76A610D4 > . 9EDC907C DD ntdll.ZwSetInformationProcess
76A610D8 > . FED7907C DD ntdll.ZwQueryInformationProcess
76A610DC > . 7ED9907C DD ntdll.ZwQueryVirtualMemory
76A610E0 > . 2ED9907C DD ntdll.ZwQuerySystemInformation
76A610E4 > . 2DF6907C DD ntdll.RtlNtStatusToDosError
76A610E8 . 00000000 DD 00000000
76A610EC . 863BA676 DD 3ba1ea5.76A63B86 ; Entry address
76A610F0 00 DB 00
76A610F1 00 DB 00
76A610F2 00 DB 00
76A610F3 00 DB 00
76A610F4 AD DB AD
76A610F5 . 5B 43 42 00 ASCII "[CB",0
76A610F9 00 DB 00
76A610FA 00 DB 00
76A610FB 00 DB 00
76A610FC 02 DB 02
76A610FD 00 DB 00
76A610FE 00 DB 00
76A610FF 00 DB 00
76A61100 22 DB 22 ; CHAR '"'
76A61101 00 DB 00
76A61102 00 DB 00
76A61103 00 DB 00
76A61104 98 DB 98
76A61105 14 DB 14
76A61106 00 DB 00
76A61107 00 DB 00
76A61108 98 DB 98
76A61109 08 DB 08
76A6110A 00 DB 00
76A6110B 00 DB 00
76A6110C 00 DB 00
76A6110D 00 DB 00
76A6110E 00 DB 00
76A6110F 00 DB 00
76A61110 FF DB FF
76A61111 FF DB FF
76A61112 FF DB FF
76A61113 FF DB FF
76A61114 . 1816A676 DD 3ba1ea5.76A61618
76A61118 . 2616A676 DD 3ba1ea5.76A61626
76A6111C FF DB FF
76A6111D FF DB FF
76A6111E FF DB FF
76A6111F FF DB FF
76A61120 . 5616A676 DD 3ba1ea5.76A61656
76A61124 . 6416A676 DD 3ba1ea5.76A61664
76A61128 FF DB FF
76A61129 FF DB FF
76A6112A FF DB FF
76A6112B FF DB FF
76A6112C . 611BA676 DD 3ba1ea5.76A61B61
76A61130 . 6F1BA676 DD 3ba1ea5.76A61B6F
76A61134 FF DB FF
76A61135 FF DB FF
76A61136 FF DB FF
76A61137 FF DB FF
76A61138 . 991BA676 DD 3ba1ea5.76A61B99
76A6113C . A71BA676 DD 3ba1ea5.76A61BA7
76A61140 FF DB FF
76A61141 FF DB FF
76A61142 FF DB FF
76A61143 FF DB FF
76A61144 . EC1DA676 DD 3ba1ea5.76A61DEC
76A61148 . FA1DA676 DD 3ba1ea5.76A61DFA
76A6114C . 70 72 6F 66 69>ASCII "profile.out",0
76A61158 . 73 74 61 72 74>ASCII "start secondary "
76A61168 . 70 72 6F 66 69>ASCII "profile %wZ fail"
76A61178 . 65 64 20 2D 20>ASCII "ed - status %lx
"
76A61188 . 00 ASCII 0
76A61189 00 DB 00
76A6118A 00 DB 00
76A6118B 00 DB 00
76A6118C . 73 74 61 72 74>ASCII "start profile %w"
76A6119C . 5A 20 66 61 69>ASCII "Z failed - statu"
76A611AC . 73 20 25 6C 78>ASCII "s %lx
",0
76A611B3 00 DB 00
76A611B4 . 52 74 6C 49 6E>ASCII "RtlInitializePro"
76A611C4 . 66 69 6C 65 20>ASCII "file : secondary"
76A611D4 . 20 61 6C 6C 6F>ASCII " alloc VM failed"
76A611E4 . 20 25 6C 78 0A>ASCII " %lx
",0
76A611EA 00 DB 00
76A611EB 00 DB 00
76A611EC . 63 72 65 61 74>ASCII "create profile %"
76A611FC . 77 5A 20 66 61>ASCII "wZ failed - stat"
76A6120C . 75 73 20 25 6C>ASCII "us %lx
",0
76A61214 . 52 74 6C 49 6E>ASCII "RtlInitializePro"
76A61224 . 66 69 6C 65 20>ASCII "file : alloc VM "
76A61234 . 66 61 69 6C 65>ASCII "failed %lx
",0
76A61240 . 55 6E 61 62 6C>ASCII "Unable to increa"
76A61250 . 73 65 20 71 75>ASCII "se quota privile"
76A61260 . 67 65 20 28 73>ASCII "ge (status=0x%lx"
76A61270 . 29 0A 00 ASCII ")
",0
76A61273 00 DB 00
76A61274 . 45 6E 61 62 6C>ASCII "Enable system pr"
76A61284 . 6F 66 69 6C 65>ASCII "ofile privilege "
76A61294 . 66 61 69 6C 65>ASCII "failed - status "
76A612A4 . 30 78 25 6C 78>ASCII "0x%lx
",0
76A612AB 00 DB 00
76A612AC . 71 75 65 72 79>ASCII "query system inf"
76A612BC . 6F 20 66 61 69>ASCII "o failed status "
76A612CC . 2D 20 25 6C 78>ASCII "- %lx
",0
76A612D3 00 DB 00
76A612D4 . 25 64 2C 25 77>ASCII "%d,%wZ,Unknown ("
76A612E4 . 25 70 29 0A 00>ASCII "%p)
",0
76A612E9 00 DB 00
76A612EA 00 DB 00
76A612EB 00 DB 00
76A612EC . 09 DB 09
76A612ED . 25 70 3A 25 64>ASCII "%p:%d, %d"
76A612F6 . 2C 20 2D 2D 0A>ASCII ", --
",0
76A612FC . 09 DB 09
76A612FD . 25 70 3A 25 64>ASCII "%p:%d, %d"
76A61306 . 2C 20 25 32 2E>ASCII ", %2.2d.%3.3d
",0
76A61315 00 DB 00
76A61316 00 DB 00
76A61317 00 DB 00
76A61318 . 09 25 70 3A 25>ASCII " %p:%d
",0
76A61320 . 25 64 2C 25 64>ASCII "%d,%d, -- ,%wZ,%"
76A61330 . 73 20 28 25 30>ASCII "s (%08lx)
",0
76A6133B 00 DB 00
76A6133C . 25 64 2C 25 64>ASCII "%d,%d,%2.2d.%3.3"
76A6134C . 64 2C 25 77 5A>ASCII "d,%wZ,%s (%08lx)"
76A6135C . 0A 00 ASCII "
",0
76A6135E 00 DB 00
76A6135F 00 DB 00
76A61360 . 25 64 2C 25 77>ASCII "%d,%wZ,%s (%08lx"
76A61370 . 29 0A 00 ASCII ")
",0
76A61373 00 DB 00
76A61374 . 25 64 2C 25 77>ASCII "%d,%wZ,Total%s
",0
76A61384 . 20 28 4E 4F 20>ASCII " (NO SYMBOLS)",0
76A61392 00 DB 00
76A61393 00 DB 00
76A61394 . 4F 76 65 72 66>ASCII "Overflowed the m"
76A613A4 . 61 78 69 6D 75>ASCII "aximum number of"
76A613B4 . 20 6D 6F 64 75>ASCII " modules: %d
",0
76A613C2 00 DB 00
76A613C3 00 DB 00
76A613C4 . 4E 6F 20 53 79>ASCII "No Symbol Found",0
76A613D4 00 DB 00
76A613D5 00 DB 00
76A613D6 00 DB 00
76A613D7 00 DB 00
76A613D8 FF DB FF
76A613D9 FF DB FF
76A613DA FF DB FF
76A613DB FF DB FF
76A613DC . 9631A676 DD 3ba1ea5.76A63196
76A613E0 . 9A31A676 DD 3ba1ea5.76A6319A
76A613E4 . 20 09 00 ASCII " ",0
76A613E7 00 DB 00
76A613E8 . 50 72 6F 66 69>ASCII "ProfileStartupPa"
76A613F8 . 72 61 6D 65 74>ASCII "rameters",0
76A61401 00 DB 00
76A61402 00 DB 00
76A61403 00 DB 00
76A61404 00 DB 00
76A61405 00 DB 00
76A61406 00 DB 00
76A61407 00 DB 00
76A61408 FF DB FF
76A61409 FF DB FF
76A6140A FF DB FF
76A6140B FF DB FF
76A6140C . 6635A676 DD 3ba1ea5.76A63566
76A61410 . 7435A676 DD 3ba1ea5.76A63574
76A61414 FF DB FF
76A61415 FF DB FF
76A61416 FF DB FF
76A61417 FF DB FF
76A61418 . 8535A676 DD 3ba1ea5.76A63585
76A6141C . 9335A676 DD 3ba1ea5.76A63593
76A61420 FF DB FF
76A61421 FF DB FF
76A61422 FF DB FF
76A61423 FF DB FF
76A61424 . 6936A676 DD 3ba1ea5.76A63669
76A61428 . 7736A676 DD 3ba1ea5.76A63677
76A6142C . 8050A676 DD 3ba1ea5.76A65080
76A61430 . D050A676 DD 3ba1ea5.76A650D0
76A61434 00 DB 00
76A61435 00 DB 00
76A61436 00 DB 00
76A61437 00 DB 00
76A61438 00 DB 00
76A61439 00 DB 00
76A6143A 00 DB 00
76A6143B 00 DB 00
76A6143C 00 DB 00
76A6143D 00 DB 00
76A6143E 00 DB 00
76A6143F 00 DB 00
76A61440 . 69 6D 61 67 65>ASCII "imagehlp.dll",0
76A6144D 5A DB 5A ; CHAR 'Z'
76A6144E 00 DB 00
76A6144F 00 DB 00
76A61450 48 DB 48 ; CHAR 'H'
76A61451 00 DB 00
76A61452 00 DB 00
76A61453 00 DB 00
76A61454 00 DB 00
76A61455 00 DB 00
76A61456 00 DB 00
76A61457 00 DB 00
76A61458 00 DB 00
76A61459 00 DB 00
76A6145A 00 DB 00
76A6145B 00 DB 00
76A6145C 00 DB 00
76A6145D 00 DB 00
76A6145E 00 DB 00
76A6145F 00 DB 00
76A61460 00 DB 00
76A61461 00 DB 00
76A61462 00 DB 00
76A61463 00 DB 00
76A61464 00 DB 00
76A61465 00 DB 00
76A61466 00 DB 00
76A61467 00 DB 00
76A61468 00 DB 00
76A61469 00 DB 00
76A6146A 00 DB 00
76A6146B 00 DB 00
76A6146C 00 DB 00
76A6146D 00 DB 00
76A6146E 00 DB 00
76A6146F 00 DB 00
76A61470 00 DB 00
76A61471 00 DB 00
76A61472 00 DB 00
76A61473 00 DB 00
76A61474 00 DB 00
76A61475 00 DB 00
76A61476 00 DB 00
76A61477 00 DB 00
76A61478 00 DB 00
76A61479 00 DB 00
76A6147A 00 DB 00
76A6147B 00 DB 00
76A6147C 00 DB 00
76A6147D 00 DB 00
76A6147E 00 DB 00
76A6147F 00 DB 00
76A61480 00 DB 00
76A61481 00 DB 00
76A61482 00 DB 00
76A61483 00 DB 00
76A61484 00 DB 00
76A61485 00 DB 00
76A61486 00 DB 00
76A61487 00 DB 00
76A61488 00 DB 00
76A61489 00 DB 00
76A6148A 00 DB 00
76A6148B 00 DB 00
76A6148C . 2050A676 DD 3ba1ea5.76A65020
76A61490 . C014A676 DD 3ba1ea5.76A614C0
76A61494 02 DB 02
76A61495 00 DB 00
76A61496 00 DB 00
76A61497 00 DB 00
76A61498 52 DB 52 ; CHAR 'R'
76A61499 53 DB 53 ; CHAR 'S'
76A6149A 44 DB 44 ; CHAR 'D'
76A6149B 53 DB 53 ; CHAR 'S'
76A6149C FD DB FD
76A6149D D7 DB D7
76A6149E 3C DB 3C ; CHAR '<'
76A6149F AF DB AF
76A614A0 1A DB 1A
76A614A1 F2 DB F2
76A614A2 79 DB 79 ; CHAR 'y'
76A614A3 4E DB 4E ; CHAR 'N'
76A614A4 AF DB AF
76A614A5 DF DB DF
76A614A6 AB DB AB
76A614A7 0B DB 0B
76A614A8 08 DB 08
76A614A9 9A DB 9A
76A614AA BB DB BB
76A614AB BC DB BC
76A614AC 01 DB 01
76A614AD 00 DB 00
76A614AE 00 DB 00
76A614AF 00 DB 00
76A614B0 . 70 73 61 70 69>ASCII "psapi.pdb",0
76A614BA 00 DB 00
76A614BB 00 DB 00
76A614BC 00 DB 00
76A614BD 00 DB 00
76A614BE 00 DB 00
76A614BF 00 DB 00
76A614C0 E0 DB E0
76A614C1 3D DB 3D ; CHAR '='
76A614C2 00 DB 00
76A614C3 00 DB 00
76A614C4 . 20 3F 00 ASCII " ?",0
76A614C7 00 DB 00
76A614C8 00 DB 00
76A614C9 00 DB 00
76A614CA 00 DB 00
76A614CB 00 DB 00
76A614CC 00 DB 00
76A614CD 00 DB 00
76A614CE 00 DB 00
76A614CF 00 DB 00
76A614D0 00 DB 00
76A614D1 00 DB 00
76A614D2 00 DB 00
76A614D3 00 DB 00
76A614D4 00 DB 00
76A614D5 Ú$ 8BFF MOV EDI,EDI
76A614D7 ³. 55 PUSH EBP
76A614D8 ³. 8BEC MOV EBP,ESP
76A614DA ³. 83EC 0C SUB ESP,0C
76A614DD ³. 53 PUSH EBX
76A614DE ³. 56 PUSH ESI
76A614DF ³. 57 PUSH EDI
76A614E0 ³. 8B3D 6010A676 MOV EDI,DWORD PTR DS:[<&KERNEL32.LocalAl>; kernel32.LocalAlloc
76A614E6 ³. B8 20050000 MOV EAX,520
76A614EB ³. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
76A614EE ³. 50 PUSH EAX
76A614EF ³.EB 3C JMP SHORT 3ba1ea5.76A6152D
76A614F1 ³> 8D45 F4 ÚLEA EAX,DWORD PTR SS:[EBP-C]
76A614F4 ³. 50 ³PUSH EAX ; ÚpReqsize
76A614F5 ³. FF75 FC ³PUSH DWORD PTR SS:[EBP-4] ; ³Bufsize
76A614F8 ³. 53 ³PUSH EBX ; ³Buffer
76A614F9 ³. 6A 0B ³PUSH 0B ; ³InfoType = SystemModuleInfo
76A614FB ³. FF15 E010A676 ³CALL DWORD PTR DS:[<&ntdll.NtQuerySyste>; ÀZwQuerySystemInformation
76A61501 ³. 85C0 ³TEST EAX,EAX
76A61503 ³. 8B33 ³MOV ESI,DWORD PTR DS:[EBX]
76A61505 ³. 8945 F8 ³MOV DWORD PTR SS:[EBP-8],EAX
76A61508 ³.7D 34 ³JGE SHORT 3ba1ea5.76A6153E
76A6150A ³. 53 ³PUSH EBX ; ÚhMemory
76A6150B ³. FF15 5C10A676 ³CALL DWORD PTR DS:[<&KERNEL32.LocalFree>; ÀLocalFree
76A61511 ³. B8 040000C0 ³MOV EAX,C0000004
76A61516 ³. 3945 F8 ³CMP DWORD PTR SS:[EBP-8],EAX
76A61519 ³.75 6A ³JNZ SHORT 3ba1ea5.76A61585
76A6151B ³. 69F6 1C010000 ³IMUL ESI,ESI,11C
76A61521 ³. 83C6 04 ³ADD ESI,4
76A61524 ³. 3B75 FC ³CMP ESI,DWORD PTR SS:[EBP-4]
76A61527 ³.76 59 ³JBE SHORT 3ba1ea5.76A61582
76A61529 ³. 8975 FC ³MOV DWORD PTR SS:[EBP-4],ESI
76A6152C ³. 56 ³PUSH ESI
76A6152D ³> 6A 00 PUSH 0
76A6152F ³. FFD7 ³CALL EDI
76A61531 ³. 8BD8 ³MOV EBX,EAX
76A61533 ³. 85DB ³TEST EBX,EBX
76A61535 ³.75 BA ÀJNZ SHORT 3ba1ea5.76A614F1
76A61537 ³. 68 AA050000 PUSH 5AA
76A6153C ³.EB 51 JMP SHORT 3ba1ea5.76A6158F
76A6153E ³> 33C0 XOR EAX,EAX
76A61540 ³. 85F6 TEST ESI,ESI
76A61542 ³.76 15 JBE SHORT 3ba1ea5.76A61559
76A61544 ³. 8D4B 0C LEA ECX,DWORD PTR DS:[EBX+C]
76A61547 ³> 8B11 ÚMOV EDX,DWORD PTR DS:[ECX]
76A61549 ³. 3B55 08 ³CMP EDX,DWORD PTR SS:[EBP+8]
76A6154C ³.74 16 ³JE SHORT 3ba1ea5.76A61564
76A6154E ³. 40 ³INC EAX
76A6154F ³. 81C1 1C010000 ³ADD ECX,11C
76A61555 ³. 3BC6 ³CMP EAX,ESI
76A61557 ³.72 EE ÀJB SHORT 3ba1ea5.76A61547
76A61559 ³> 53 PUSH EBX ; ÚhMemory
76A6155A ³. FF15 5C10A676 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>>; ÀLocalFree
76A61560 ³. 6A 06 PUSH 6
76A61562 ³.EB 2B JMP SHORT 3ba1ea5.76A6158F
76A61564 ³> 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
76A61567 ³. 69C0 1C010000 IMUL EAX,EAX,11C
76A6156D ³. 6A 47 PUSH 47
76A6156F ³. 59 POP ECX
76A61570 ³. 8D7418 04 LEA ESI,DWORD PTR DS:[EAX+EBX+4]
76A61574 ³. 53 PUSH EBX ; ÚhMemory
76A61575 ³. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>; ³
76A61577 ³. FF15 5C10A676 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>>; ÀLocalFree
76A6157D ³. 33C0 XOR EAX,EAX
76A6157F ³. 40 INC EAX
76A61580 ³.EB 15 JMP SHORT 3ba1ea5.76A61597
76A61582 ³> 50 PUSH EAX
76A61583 ³.EB 03 JMP SHORT 3ba1ea5.76A61588
76A61585 ³> FF75 F8 PUSH DWORD PTR SS:[EBP-8]
76A61588 ³> FF15 E410A676 CALL DWORD PTR DS:[<&ntdll.RtlNtStatusTo>; ntdll.RtlNtStatusToDosError
76A6158E ³. 50 PUSH EAX ; ÚError
76A6158F ³> FF15 5810A676 CALL DWORD PTR DS:[<&KERNEL32.SetLastErr>; ÀSetLastError
76A61595 ³. 33C0 XOR EAX,EAX
76A61597 ³> 5F POP EDI
76A61598 ³. 5E POP ESI
76A61599 ³. 5B POP EBX
76A6159A ³. C9 LEAVE
76A6159B À. C2 0800 RETN 8
76A6159E CC INT3
76A6159F CC INT3
76A615A0 CC INT3
76A615A1 CC INT3
76A615A2 CC INT3
76A615A3 > $ 6A 1C PUSH 1C
76A615A5 . 68 1011A676 PUSH 3ba1ea5.76A61110
76A615AA . E8 69270000 CALL 3ba1ea5.76A63D18
76A615AF . BB 20050000 MOV EBX,520
76A615B4 > 53 PUSH EBX ; ÚSize
76A615B5 . 6A 00 PUSH 0 ; ³Flags = LMEM_FIXED
76A615B7 . FF15 6010A676 CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>; ÀLocalAlloc
76A615BD . 8BF0 MOV ESI,EAX
76A615BF . 8975 E4 MOV DWORD PTR SS:[EBP-1C],ESI
76A615C2 . 85F6 TEST ESI,ESI
76A615C4 .75 0A JNZ SHORT 3ba1ea5.76A615D0
76A615C6 . 68 AA050000 PUSH 5AA
76A615CB .E9 E8000000 JMP 3ba1ea5.76A616B8
76A615D0 > 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
76A615D3 . 50 PUSH EAX ; ÚpReqsize
76A615D4 . 53 PUSH EBX ; ³Bufsize
76A615D5 . 56 PUSH ESI ; ³Buffer
76A615D6 . 6A 0B PUSH 0B ; ³InfoType = SystemModuleInfo
76A615D8 . FF15 E010A676 CALL DWORD PTR DS:[<&ntdll.NtQuerySystem>; ÀZwQuerySystemInformation
76A615DE . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
76A615E1 . 8B3E MOV EDI,DWORD PTR DS:[ESI]
76A615E3 . 85C0 TEST EAX,EAX
76A615E5 .0F8C 9B000000 JL 3ba1ea5.76A61686
76A615EB . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
76A615EE . C1E8 02 SHR EAX,2
76A615F1 . 33C9 XOR ECX,ECX
76A615F3 > 3BCF CMP ECX,EDI
76A615F5 .73 40 JNB SHORT 3ba1ea5.76A61637
76A615F7 . 3BC8 CMP ECX,EAX
76A615F9 .74 3C JE SHORT 3ba1ea5.76A61637
76A615FB . 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
76A615FF . 8BD1 MOV EDX,ECX
76A61601 . 69D2 1C010000 IMUL EDX,EDX,11C
76A61607 . 8B5432 0C MOV EDX,DWORD PTR DS:[EDX+ESI+C]
76A6160B . 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
76A6160E . 89148B MOV DWORD PTR DS:[EBX+ECX*4],EDX
76A61611 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
76A61615 . 41 INC ECX
76A61616 .EB DB JMP SHORT 3ba1ea5.76A615F3
76A61618 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
76A6161B . 8B00 MOV EAX,DWORD PTR DS:[EAX]
76A6161D . 8B00 MOV EAX,DWORD PTR DS:[EAX]
76A6161F . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
76A61622 . 33C0 XOR EAX,EAX
76A61624 . 40 INC EAX
76A61625 . C3 RETN
76A61626 . 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
76A61629 . FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; ÚhMemory
76A6162C . FF15 5C10A676 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>>; ÀLocalFree
76A61632 . FF75 DC PUSH DWORD PTR SS:[EBP-24]
76A61635 .EB 3C JMP SHORT 3ba1ea5.76A61673
76A61637 > 33DB XOR EBX,EBX
76A61639 . 43 INC EBX
76A6163A . 895D FC MOV DWORD PTR SS:[EBP-4],EBX
76A6163D . 8BC7 MOV EAX,EDI
76A6163F . C1E0 02 SHL EAX,2
76A61642 . 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
76A61645 . 8901 MOV DWORD PTR DS:[ECX],EAX
76A61647 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
76A6164B . 56 PUSH ESI ; ÚhMemory
76A6164C . FF15 5C10A676 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>>; ÀLocalFree
76A61652 . 8BC3 MOV EAX,EBX
76A61654 .EB 6A JMP SHORT 3ba1ea5.76A616C0
76A61656 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
76A61659 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
76A6165B . 8B00 MOV EAX,DWORD PTR DS:[EAX]
76A6165D . 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
76A61660 . 33C0 XOR EAX,EAX
76A61662 . 40 INC EAX
76A61663 . C3 RETN
76A61664 . 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
76A61667 . FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; ÚhMemory
76A6166A . FF15 5C10A676 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>>; ÀLocalFree
76A61670 . FF75 D8 PUSH DWORD PTR SS:[EBP-28]
76A61673 > FF15 E410A676 CALL DWORD PTR DS:[<&ntdll.RtlNtStatusTo>; ntdll.RtlNtStatusToDosError
76A61679 . 50 PUSH EAX ; ÚError
76A6167A . FF15 5810A676 CALL DWORD PTR DS:[<&KERNEL32.SetLastErr>; ÀSetLastError
76A61680 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
76A61684 .EB 38 JMP SHORT 3ba1ea5.76A616BE
76A61686 > 56 PUSH ESI ; ÚhMemory
76A61687 . FF15 5C10A676 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>>; ÀLocalFree
76A6168D . B8 040000C0 MOV EAX,C0000004
76A61692 . 3945 E0 CMP DWORD PTR SS:[EBP-20],EAX
76A61695 .75 17 JNZ SHORT 3ba1ea5.76A616AE
76A61697 . 69FF 1C010000 IMUL EDI,EDI,11C
76A6169D . 83C7 04 ADD EDI,4
76A616A0 . 3BFB CMP EDI,EBX
76A616A2 .77 03 JA SHORT 3ba1ea5.76A616A7
76A616A4 . 50 PUSH EAX
76A616A5 .EB 0A JMP SHORT 3ba1ea5.76A616B1
76A616A7 > 8BDF MOV EBX,EDI
76A616A9 .E9 06FFFFFF JMP 3ba1ea5.76A615B4
76A616AE > FF75 E0 PUSH DWORD PTR SS:[EBP-20]
76A616B1 > FF15 E410A676 CALL DWORD PTR DS:[<&ntdll.RtlNtStatusTo>; ntdll.RtlNtStatusToDosError
76A616B7 . 50 PUSH EAX ; ÚError
76A616B8 > FF15 5810A676 CALL DWORD PTR DS:[<&KERNEL32.SetLastErr>; ÀSetLastError
76A616BE > 33C0 XOR EAX,EAX
76A616C0 > E8 8E260000 CALL 3ba1ea5.76A63D53
76A616C5 . C2 0C00 RETN 0C
76A616C8 CC INT3
76A616C9 CC INT3
76A616CA CC INT3
76A616CB CC INT3
76A616CC CC INT3
76A616CD >Ú$ 8BFF MOV EDI,EDI
76A616CF ³. 55 PUSH EBP
76A616D0 ³. 8BEC MOV EBP,ESP
76A616D2 ³. 81EC 20010000 SUB ESP,120
76A616D8 ³. A1 2050A676 MOV EAX,DWORD PTR DS:[76A65020]
76A616DD ³. 57 PUSH EDI
76A616DE ³. 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
76A616E1 ³. 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
76A616E7 ³. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
76A616EA ³. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
76A616ED ³. 51 PUSH ECX ; ÚArg2
76A616EE ³. 50 PUSH EAX ; ³Arg1
76A616EF ³. E8 E1FDFFFF CALL 3ba1ea5.76A614D5 ; À3ba1ea5.76A614D5
76A616F4 ³. 85C0 TEST EAX,EAX
76A616F6 ³.74 3E JE SHORT 3ba1ea5.76A61736
76A616F8 ³. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
76A616FE ³. 8D48 01 LEA ECX,DWORD PTR DS:[EAX+1]
76A61701 ³> 8A10 ÚMOV DL,BYTE PTR DS:[EAX]
76A61703 ³. 40 ³INC EAX
76A61704 ³. 84D2 ³TEST DL,DL
76A61706 ³.75 F9 ÀJNZ SHORT 3ba1ea5.76A61701
76A61708 ³. 2BC1 SUB EAX,ECX
76A6170A ³. 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
76A6170D ³. 3955 10 CMP DWORD PTR SS:[EBP+10],EDX
76A61710 ³. 8BC2 MOV EAX,EDX
76A61712 ³.73 03 JNB SHORT 3ba1ea5.76A61717
76A61714 ³. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
76A61717 ³> 53 PUSH EBX
76A61718 ³. 56 PUSH ESI
76A61719 ³. 8BC8 MOV ECX,EAX
76A6171B ³. 8BD9 MOV EBX,ECX
76A6171D ³. C1E9 02 SHR ECX,2
76A61720 ³. 8DB5 FCFEFFFF LEA ESI,DWORD PTR SS:[EBP-104]
76A61726 ³. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
76A61728 ³. 8BCB MOV ECX,EBX
76A6172A ³. 83E1 03 AND ECX,3
76A6172D ³. 3BC2 CMP EAX,EDX
76A6172F ³. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
76A61731 ³. 5E POP ESI
76A61732 ³. 5B POP EBX
76A61733 ³.75 01 JNZ SHORT 3ba1ea5.76A61736
76A61735 ³. 48 DEC EAX
76A61736 ³> 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
76A61739 ³. 5F POP EDI
76A6173A ³. E8 BA240000 CALL 3ba1ea5.76A63BF9
76A6173F ³. C9 LEAVE
76A61740 À. C2 0C00 RETN 0C
76A61743 CC INT3
76A61744 CC INT3
76A61745 CC INT3
76A61746 CC INT3
76A61747 CC INT3
76A61748 >Ú$ 8BFF MOV EDI,EDI
76A6174A ³. 55 PUSH EBP
76A6174B ³. 8BEC MOV EBP,ESP
76A6174D ³. 81EC 20010000 SUB ESP,120
76A61753 ³. A1 2050A676 MOV EAX,DWORD PTR DS:[76A65020]
76A61758 ³. 57 PUSH EDI
76A61759 ³. 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
76A6175C ³. 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
76A61762 ³. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
76A61765 ³. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
76A61768 ³. 51 PUSH ECX ; ÚArg2
76A61769 ³. 50 PUSH EAX ; ³Arg1
76A6176A ³. E8 66FDFFFF CALL 3ba1ea5.76A614D5 ; À3ba1ea5.76A614D5
76A6176F ³. 85C0 TEST EAX,EAX
76A61771 ³.74 42 JE SHORT 3ba1ea5.76A617B5
76A61773 ³. 53 PUSH EBX
76A61774 ³. 56 PUSH ESI
76A61775 ³. 0FB7B5 FAFEFFF>MOVZX ESI,WORD PTR SS:[EBP-106]
76A6177C ³. 8DB435 FCFEFFF>LEA ESI,DWORD PTR SS:[EBP+ESI-104]
76A61783 ³. 8BC6 MOV EAX,ESI
76A61785 ³. 8D48 01 LEA ECX,DWORD PTR DS:[EAX+1]
76A61788 ³> 8A10 ÚMOV DL,BYTE PTR DS:[EAX]
76A6178A ³. 40 ³INC EAX
76A6178B ³. 84D2 ³TEST DL,DL
76A6178D ³.75 F9 ÀJNZ SHORT 3ba1ea5.76A61788
76A6178F ³. 2BC1 SUB EAX,ECX
76A61791 ³. 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
76A61794 ³. 3955 10 CMP DWORD PTR SS:[EBP+10],EDX
76A61797 ³. 8BC2 MOV EAX,EDX
76A61799 ³.73 03 JNB SHORT 3ba1ea5.76A6179E
76A6179B ³. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
76A6179E ³> 8BC8 MOV ECX,EAX
76A617A0 ³. 8BD9 MOV EBX,ECX
76A617A2 ³. C1E9 02 SHR ECX,2
76A617A5 ³. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
76A617A7 ³. 8BCB MOV ECX,EBX
76A617A9 ³. 83E1 03 AND ECX,3
76A617AC ³. 3BC2 CMP EAX,EDX
76A617AE ³. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
76A617B0 ³. 5E POP ESI
76A617B1 ³. 5B POP EBX
76A617B2 ³.75 01 JNZ SHORT 3ba1ea5.76A617B5
76A617B4 ³. 48 DEC EAX
76A617B5 ³> 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
76A617B8 ³. 5F POP EDI
76A617B9 ³. E8 3B240000 CALL 3ba1ea5.76A63BF9
76A617BE ³. C9 LEAVE
76A617BF À. C2 0C00 RETN 0C
76A617C2 CC INT3
76A617C3 CC INT3
76A617C4 CC INT3
76A617C5 CC INT3
76A617C6 CC INT3
76A617C7 > 8BFF MOV EDI,EDI
76A617C9 Ú. 55 PUSH EBP
76A617CA ³. 8BEC MOV EBP,ESP
76A617CC ³. 53 PUSH EBX
76A617CD ³. 57 PUSH EDI
76A617CE ³. 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
76A617D1 ³. 57 PUSH EDI ; ÚSize
76A617D2 ³. 6A 00 PUSH 0 ; ³Flags = LMEM_FIXED
76A617D4 ³. FF15 6010A676 CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>; ÀLocalAlloc
76A617DA ³. 8BD8 MOV EBX,EAX
76A617DC ³. 85DB TEST EBX,EBX
76A617DE ³.74 38 JE SHORT 3ba1ea5.76A61818
76A617E0 ³. 56 PUSH ESI
76A617E1 ³. 57 PUSH EDI ; ÚArg3
76A617E2 ³. 53 PUSH EBX ; ³Arg2
76A617E3 ³. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ³Arg1
76A617E6 ³. E8 E2FEFFFF CALL 3ba1ea5.GetDeviceDriverFileNameA ; ÀGetDeviceDriverFileNameA
76A617EB ³. 8BF0 MOV ESI,EAX
76A617ED ³. 85F6 TEST ESI,ESI
76A617EF ³.74 1B JE SHORT 3ba1ea5.76A6180C
76A617F1 ³. 3BF7 CMP ESI,EDI
76A617F3 ³.73 03 JNB SHORT 3ba1ea5.76A617F8
76A617F5 ³. 8D46 01 LEA EAX,DWORD PTR DS:[ESI+1]
76A617F8 ³> 57 PUSH EDI ; ÚWideBufSize
76A617F9 ³. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; ³WideCharBuf
76A617FC ³. 50 PUSH EAX ; ³StringSize
76A617FD ³. 53 PUSH EBX ; ³StringToMap
76A617FE ³. 6A 00 PUSH 0 ; ³Options = 0
76A61800 ³. 6A 00 PUSH 0 ; ³CodePage = CP_ACP
76A61802 ³. FF15 6410A676 CALL DWORD PTR DS:[<&KERNEL32.MultiByteT>; ÀMultiByteToWideChar
76A61808 ³. 85C0 TEST EAX,EAX
76A6180A ³.75 02 JNZ SHORT 3ba1ea5.76A6180E
76A6180C ³> 33F6 XOR ESI,ESI
76A6180E ³> 53 PUSH EBX ; ÚhMemory
76A6180F ³. FF15 5C10A676 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>>; ÀLocalFree
76A61815 ³. 8BC6 MOV EAX,ESI
76A61817 ³. 5E POP ESI
76A61818 ³> 5F POP EDI
76A61819 ³. 5B POP EBX
76A6181A ³. 5D POP EBP
76A6181B À. C2 0C00 RETN 0C
76A6181E CC INT3
76A6181F CC INT3
76A61820 CC INT3
76A61821 CC INT3
76A61822 CC INT3
76A61823 > 8BFF MOV EDI,EDI
76A61825 Ú. 55 PUSH EBP
76A61826 ³. 8BEC MOV EBP,ESP
76A61828 ³. 53 PUSH EBX
76A61829 ³. 57 PUSH EDI
76A6182A ³. 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
76A6182D ³. 57 PUSH EDI ; ÚSize
76A6182E ³. 6A 00 PUSH 0 ; ³Flags = LMEM_FIXED
76A61830 ³. FF15 6010A676 CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>; ÀLocalAlloc
76A61836 ³. 8BD8 MOV EBX,EAX
76A61838 ³. 85DB TEST EBX,EBX
76A6183A ³.74 38 JE SHORT 3ba1ea5.76A61874
76A6183C ³. 56 PUSH ESI
76A6183D ³. 57 PUSH EDI ; ÚArg3
76A6183E ³. 53 PUSH EBX ; ³Arg2
76A6183F ³. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ³Arg1
76A61842 ³. E8 01FFFFFF CALL 3ba1ea5.GetDeviceDriverBaseNameA ; ÀGetDeviceDriverBaseNameA
76A61847 ³. 8BF0 MOV ESI,EAX
76A61849 ³. 85F6 TEST ESI,ESI
76A6184B ³.74 1B JE SHORT 3ba1ea5.76A61868
76A6184D ³. 3BF7 CMP ESI,EDI
76A6184F ³.73 03 JNB SHORT 3ba1ea5.76A61854
76A61851 ³. 8D46 01 LEA EAX,DWORD PTR DS:[ESI+1]
76A61854 ³> 57 PUSH EDI ; ÚWideBufSize
76A61855 ³. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; ³WideCharBuf
76A61858 ³. 50 PUSH EAX ; ³StringSize
76A61859 ³. 53 PUSH EBX ; ³StringToMap
76A6185A ³. 6A 00 PUSH 0 ; ³Options = 0
76A6185C ³. 6A 00 PUSH 0 ; ³CodePage = CP_ACP
76A6185E ³. FF15 6410A676 CALL DWORD PTR DS:[<&KERNEL32.MultiByteT>; ÀMultiByteToWideChar
76A61864 ³. 85C0 TEST EAX,EAX
76A61866 ³.75 02 JNZ SHORT 3ba1ea5.76A6186A
76A61868 ³> 33F6 XOR ESI,ESI
76A6186A ³> 53 PUSH EBX ; ÚhMemory
76A6186B ³. FF15 5C10A676 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>>; ÀLocalFree
76A61871 ³. 8BC6 MOV EAX,ESI
76A61873 ³. 5E POP ESI
76A61874 ³> 5F POP EDI
76A61875 ³. 5B POP EBX
76A61876 ³. 5D POP EBP
76A61877 À. C2 0C00 RETN 0C
76A6187A CC INT3
76A6187B CC INT3
76A6187C CC INT3
76A6187D CC INT3
76A6187E CC INT3
76A6187F >Ú$ 8BFF MOV EDI,EDI
76A61881 ³. 55 PUSH EBP
76A61882 ³. 8BEC MOV EBP,ESP
76A61884 ³. 81EC 1C020000 SUB ESP,21C
76A6188A ³. A1 2050A676 MOV EAX,DWORD PTR DS:[76A65020]
76A6188F ³. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
76A61892 ³. 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
76A61895 ³. 57 PUSH EDI
76A61896 ³. 8B7D 14 MOV EDI,DWORD PTR SS:[EBP+14]
76A61899 ³. 85FF TEST EDI,EDI
76A6189B ³. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
76A6189E ³. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
76A618A1 ³. 8995 E8FDFFFF MOV DWORD PTR SS:[EBP-218],EDX
76A618A7 ³.75 04 JNZ SHORT 3ba1ea5.76A618AD
76A618A9 ³. 6A 7A PUSH 7A
76A618AB ³.EB 29 JMP SHORT 3ba1ea5.76A618D6
76A618AD ³> 8D95 E4FDFFFF LEA EDX,DWORD PTR SS:[EBP-21C]
76A618B3 ³. 52 PUSH EDX
76A618B4 ³. 68 10020000 PUSH 210
76A618B9 ³. 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
76A618BF ³. 52 PUSH EDX
76A618C0 ³. 6A 02 PUSH 2
76A618C2 ³. 51 PUSH ECX
76A618C3 ³. 50 PUSH EAX
76A618C4 ³. FF15 DC10A676 CALL DWORD PTR DS:[<&ntdll.NtQueryVirtua>; ntdll.ZwQueryVirtualMemory
76A618CA ³. 85C0 TEST EAX,EAX
76A618CC ³.7D 12 JGE SHORT 3ba1ea5.76A618E0
76A618CE ³. 50 PUSH EAX
76A618CF ³. FF15 E410A676 CALL DWORD PTR DS:[<&ntdll.RtlNtStatusTo>; ntdll.RtlNtStatusToDosError
76A618D5 ³. 50 PUSH EAX ; ÚError
76A618D6 ³> FF15 5810A676 CALL DWORD PTR DS:[<&KERNEL32.SetLastErr>; ÀSetLastError
76A618DC ³. 33C0 XOR EAX,EAX
76A618DE ³.EB 53 JMP SHORT 3ba1ea5.76A61933
76A618E0 ³> 53 PUSH EBX
76A618E1 ³. 0FB79D ECFDFFF>MOVZX EBX,WORD PTR SS:[EBP-214]
76A618E8 ³. D1EB SHR EBX,1
76A618EA ³. 8D43 01 LEA EAX,DWORD PTR DS:[EBX+1]
76A618ED ³. 3BF8 CMP EDI,EAX
76A618EF ³. 56 PUSH ESI
76A618F0 ³. 8BF3 MOV ESI,EBX
76A618F2 ³.73 09 JNB SHORT 3ba1ea5.76A618FD
76A618F4 ³. 8D77 FF LEA ESI,DWORD PTR DS:[EDI-1]
76A618F7 ³. 8BDF MOV EBX,EDI
76A618F9 ³. 6A 7A PUSH 7A
76A618FB ³.EB 02 JMP SHORT 3ba1ea5.76A618FF
76A618FD ³> 6A 00 PUSH 0 ; ÚError = ERROR_SUCCESS
76A618FF ³> FF15 5810A676 CALL DWORD PTR DS:[<&KERNEL32.SetLastErr>; ÀSetLastError
76A61905 ³. 8BBD E8FDFFFF MOV EDI,DWORD PTR SS:[EBP-218]
76A6190B ³. 8D0436 LEA EAX,DWORD PTR DS:[ESI+ESI]
76A6190E ³. 8BB5 F0FDFFFF MOV ESI,DWORD PTR SS:[EBP-210]
76A61914 ³. 8BC8 MOV ECX,EAX
76A61916 ³. 8BD1 MOV EDX,ECX
76A61918 ³. C1E9 02 SHR ECX,2
76A6191B ³. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
76A6191D ³. 8BCA MOV ECX,EDX
76A6191F ³. 83E1 03 AND ECX,3
76A61922 ³. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
76A61924 ³. 8B8D E8FDFFFF MOV ECX,DWORD PTR SS:[EBP-218]
76A6192A ³. 66:832408 00 AND WORD PTR DS:[EAX+ECX],0
76A6192F ³. 5E POP ESI
76A61930 ³. 8BC3 MOV EAX,EBX
76A61932 ³. 5B POP EBX
76A61933 ³> 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
76A61936 ³. 5F POP EDI
76A61937 ³. E8 BD220000 CALL 3ba1ea5.76A63BF9
76A6193C ³. C9 LEAVE
76A6193D À. C2 1000 RETN 10
76A61940 CC INT3
76A61941 CC INT3
76A61942 CC INT3
76A61943 CC INT3
76A61944 CC INT3
76A61945 > 8BFF MOV EDI,EDI
76A61947 Ú. 55 PUSH EBP
76A61948 ³. 8BEC MOV EBP,ESP
76A6194A ³. 53 PUSH EBX
76A6194B ³. 56 PUSH ESI
76A6194C ³. 8B75 14 MOV ESI,DWORD PTR SS:[EBP+14]
76A6194F ³. 57 PUSH EDI
76A61950 ³. 8D0436 LEA EAX,DWORD PTR DS:[ESI+ESI]
76A61953 ³. 50 PUSH EAX ; ÚSize
76A61954 ³. 33FF XOR EDI,EDI ; ³
76A61956 ³. 57 PUSH EDI ; ³Flags => LMEM_FIXED
76A61957 ³. FF15 6010A676 CALL DWORD PTR DS:[<&KERNEL32.LocalAlloc>; ÀLocalAlloc
76A6195D ³. 8BD8 MOV EBX,EAX
76A6195F ³. 3BDF CMP EBX,EDI
76A61961 ³.75 04 JNZ SHORT 3ba1ea5.76A61967
76A61963 ³. 33C0 XOR EAX,EAX
76A61965 ³.EB 36 JMP SHORT 3ba1ea5.76A6199D
76A61967 ³> 56 PUSH ESI ; ÚArg4
76A61968 ³. 53 PUSH EBX ; ³Arg3
76A61969 ³. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; ³Arg2
76A6196C ³. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ³Arg1
76A6196F ³. E8 0BFFFFFF CALL 3ba1ea5.GetMappedFileNameW ; ÀGetMappedFileNameW
76A61974 ³. 3BC6 CMP EAX,ESI
76A61976 ³. 8945 14 MOV DWORD PTR SS:[EBP+14],EAX
76A61979 ³.73 01 JNB SHORT 3ba1ea5.76A6197C
76A6197B ³. 40 INC EAX
76A6197C ³> 57 PUSH EDI ; ÚpDefaultCharUsed
76A6197D ³. 57 PUSH EDI ; ³pDefaultChar
76A6197E ³. 56 PUSH ESI ; ³MultiByteCount
76A6197F ³. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; ³MultiByteStr
76A61982 ³. 50 PUSH EAX ; ³WideCharCount
76A61983 ³. 53 PUSH EBX ; ³WideCharStr
76A61984 ³. 57 PUSH EDI ; ³Options
76A61985 ³. 57 PUSH EDI ; ³CodePage
76A61986 ³. FF15 6810A676 CALL DWORD PTR DS:[<&KERNEL32.WideCharTo>; ÀWideCharToMultiByte
76A6198C ³. 85C0 TEST EAX,EAX
76A6198E ³.75 03 JNZ SHORT 3ba1ea5.76A61993
76A61990 ³. 897D 14 MOV DWORD PTR SS:[EBP+14],EDI
76A61993 ³> 53 PUSH EBX ; ÚhMemory
76A61994 ³. FF15 5C10A676 CALL DWORD PTR DS:[<&KERNEL32.LocalFree>>; ÀLocalFree
76A6199A ³. 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
76A6199D ³> 5F POP EDI
76A6199E ³. 5E POP ESI
76A6199F ³. 5B POP EBX
76A619A0 ³. 5D POP EBP
76A619A1 À. C2 1000 RETN 10
76A619A4 CC INT3
76A619A5 CC INT3
76A619A6 CC INT3
76A619A7 CC INT3
76A619A8 CC INT3
76A619A9 Ú$ 8BFF MOV EDI,EDI
76A619AB ³. 55 PUSH EBP
76A619AC ³. 8BEC MOV EBP,ESP
76A619AE ³. 83EC 24 SUB ESP,24
76A619B1 ³. 57 PUSH EDI
76A619B2 ³. 33FF XOR EDI,EDI
76A619B4 ³. 57 PUSH EDI ; ÚpReqsize => NULL
76A619B5 ³. 6A 18 PUSH 18 ; ³Bufsize = 18 (24.)
76A619B7 ³. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; ³
76A619BA ³. 50 PUSH EAX ; ³Buffer
76A619BB ³. 57 PUSH EDI ; ³InfoClass => 0
76A619BC ³. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ³hProcess
76A619BF ³. FF15 D810A676 CALL DWORD PTR DS:[<&ntdll.NtQueryInform>; ÀZwQueryInformationProcess
76A619C5 ³. 3BC7 CMP EAX,EDI
76A619C7 ³.7D 15 JGE SHORT 3ba1ea5.76A619DE
76A619C9 ³. 50 PUSH EAX
76A619CA ³. FF15 E410A676 CALL DWORD PTR DS:[<&ntdll.RtlNtStatusTo>; ntdll.RtlNtStatusToDosError
76A619D0 ³. 50 PUSH EAX ; ÚError
76A619D1 ³. FF15 5810A676 CALL DWORD PTR DS:[<&KERNEL32.SetLastErr>; ÀSetLastError
76A619D7 ³. 33C0 XOR EAX,EAX
76A619D9 ³.E9 9D000000 JMP 3ba1ea5.76A61A7B
76A619DE ³> 397D 0C CMP DWORD PTR SS:[EBP+C],EDI
76A619E1 ³. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
76A619E4 ³. 53 PUSH EBX
76A619E5 ³. 56 PUSH ESI
76A619E6 ³. 8B35 6C10A676 MOV ESI,DWORD PTR DS:[<&KERNEL32.ReadPro>; kernel32.ReadProcessMemory
76A619EC ³. 8BD8 MOV EBX,EAX
76A619EE ³.75 14 JNZ SHORT 3ba1ea5.76A61A04
76A619F0 ³. 57 PUSH EDI ; ÚpBytesRead
76A619F1 ³. 6A 04 PUSH 4 ; ³BytesToRead = 4
76A619F3 ³. 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C] ; ³
76A619F6 ³. 51 PUSH ECX ; ³Buffer
76A619F7 ³. 83C0 08 ADD EAX,8 ; ³
76A619FA ³. 50 PUSH EAX ; ³pBaseAddress
76A619FB ³. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ³hProcess
76A619FE ³. FFD6 CALL ESI ; ÀReadProcessMemory
76A61A00 ³. 85C0 TEST EAX,EAX
76A61A02 ³.74 73 JE SHORT 3ba1ea5.76A61A77
76A61A04 ³> 57 PUSH EDI
76A61A05 ³. 6A 04 PUSH 4
76A61A07 ³. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
76A61A0A ³. 50 PUSH EAX
76A61A0B ³. 83C3 0C ADD EBX,0C
76A61A0E ³. 53 PUSH EBX
76A61A0F ³. FF75 08 PUSH DWORD PTR SS:[EBP+8]
76A61A12 ³. FFD6 CALL ESI
76A61A14 ³. 85C0 TEST EAX,EAX
76A61A16 ³.74 5F JE SHORT 3ba1ea5.76A61A77
76A61A18 ³. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
76A61A1B ³. 3BC7 CMP EAX,EDI
76A61A1D ³.74 50 JE SHORT 3ba1ea5.76A61A6F
76A61A1F ³. 57 PUSH EDI
76A61A20 ³. 8D58 14 LEA EBX,DWORD PTR DS:[EAX+14]
76A61A23 ³. 6A 04 PUSH 4
76A61A25 ³. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
76A61A28 ³. 50 PUSH EAX
76A61A29 ³. 53 PUSH EBX
76A61A2A ³. FF75 08 PUSH DWORD PTR SS:[EBP+8]
76A61A2D ³. FFD6 CALL ESI
76A61A2F ³. 85C0 TEST EAX,EAX
76A61A31 ³.74 44 JE SHORT 3ba1ea5.76A61A77
76A61A33 ³. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
76A61A36 ³. 897D FC MOV DWORD PTR SS:[EBP-4],EDI
76A61A39 ³.EB 30 JMP SHORT 3ba1ea5.76A61A6B
76A61A3B ³> 57 ÚPUSH EDI
76A61A3C ³. 6A 50 ³PUSH 50
76A61A3E ³. FF75 10 ³PUSH DWORD PTR SS:[EBP+10]
76A61A41 ³. 83C0 F8 ³ADD EAX,-8
76A61A44 ³. 50 ³PUSH EAX
76A61A45 ³. FF75 08 ³PUSH DWORD PTR SS:[EBP+8]
76A61A48 ³. FFD6 ³CALL ESI
76A61A4A ³. 85C0 ³TEST EAX,EAX
76A61A4C ³.74 29 ³JE SHORT 3ba1ea5.76A61A77
76A61A4E ³. 8B45 10 ³MOV EAX,DWORD PTR SS:[EBP+10]
76A61A51 ³. 8B48 18 ³MOV ECX,DWORD PTR DS:[EAX+18]
76A61A54 ³. 3B4D 0C ³CMP ECX,DWORD PTR SS:[EBP+C]
76A61A57 ³.74 27 ³JE SHORT 3ba1ea5.76A61A80
76A61A59 ³. FF45 FC ³INC DWORD PTR SS:[EBP-4]
76A61A5C ³. 817D FC 102700>³CMP DWORD PTR SS:[EBP-4],2710
76A61A63 ³. 8B40 08 ³MOV EAX,DWORD PTR DS:[EAX+8]
76A61A66 ³. 8945 F8 ³MOV DWORD PTR SS:[EBP-8],EAX
76A61A69 ³.77 04 ³JA SHORT 3ba1ea5.76A61A6F
76A61A6B ³> 3BC3 CMP EAX,EBX
76A61A6D ³.75 CC ÀJNZ SHORT 3ba1ea5.76A61A3B
76A61A6F ³> 6A 06 PUSH 6 ; ÚError = ERROR_INVALID_HANDLE
76A61A71 ³. FF15 5810A676 CALL DWORD PTR DS:[<&KERNEL32.SetLastErr>; ÀSetLastError
76A61A77 ³> 33C0 XOR EAX,EAX
76A61A79 ³> 5E POP ESI
76A61A7A ³. 5B POP EBX
76A61A7B ³> 5F POP EDI
76A61A7C ³. C9 LEAVE
76A61A7D ³. C2 0C00 RETN 0C
76A61A80 ³> 33C0 XOR EAX,EAX
76A61A82 ³. 40 INC EAX
76A61A83 À.EB F4 JMP SHORT 3ba1ea5.76A61A79
76A61A85 CC INT3
76A61A86 CC INT3
76A61A87 CC INT3
76A61A88 CC INT3
76A61A89 CC INT3
76A61A8A > $ 68 88000000 PUSH 88
76A61A8F . 68 2811A676 PUSH 3ba1ea5.76A61128
76A61A94 . E8 7F220000 CALL 3ba1ea5.76A63D18
76A61A99 . 33DB XOR EBX,EBX
76A61A9B . 53 PUSH EBX ; ÚpReqsize => NULL
76A61A9C . 6A 18 PUSH 18 ; ³Bufsize = 18 (24.)
76A61A9E . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48] ; ³
76A61AA1 . 50 PUSH EAX ; ³Buffer
76A61AA2 . 53 PUSH EBX ; ³InfoClass => 0
76A61AA3 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ³hProcess
76A61AA6 . FF15 D810A676 CALL DWORD PTR DS:[<&ntdll.NtQueryInform>; ÀZwQueryInformationProcess
76A61AAC . 3BC3 CMP EAX,EBX
76A61AAE .7D 0D JGE SHORT 3ba1ea5.76A61ABD
76A61AB0 . 50 PUSH EAX
76A61AB1 > FF15 E410A676 CALL DWORD PTR DS:[<&ntdll.RtlNtStatusTo>; ntdll.RtlNtStatusToDosError
76A61AB7 . 50 PUSH EAX
76A61AB8 .E9 9C000000 JMP 3ba1ea5.76A61B59
76A61ABD > 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
76A61AC0 . 3BC3 CMP EAX,EBX
76A61AC2 .75 07 JNZ SHORT 3ba1ea5.76A61ACB
76A61AC4 . 68 0D000080 PUSH 8000000D
76A61AC9 .EB E6 JMP SHORT 3ba1ea5.76A61AB1
76A61ACB > 53 PUSH EBX ; ÚpBytesRead
76A61ACC . 6A 04 PUSH 4 ; ³BytesToRead = 4
76A61ACE . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] ; ³
76A61AD1 . 51 PUSH ECX ; ³Buffer
76A61AD2 . 83C0 0C ADD EAX,0C ; ³
76A61AD5 . 50 PUSH EAX ; ³pBaseAddress
76A61AD6 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ³hProcess
76A61AD9 . 8B35 6C10A676 MOV ESI,DWORD PTR DS:[<&KERNEL32.ReadPro>; ³kernel32.ReadProcessMemory
76A61ADF . FFD6 CALL ESI ; ÀReadProcessMemory
76A61AE1 . 85C0 TEST EAX,EAX
76A61AE3 .0F84 D5000000 JE 3ba1ea5.76A61BBE
76A61AE9 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
76A61AEC . 83C0 14 ADD EAX,14
76A61AEF . 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
76A61AF2 . 53 PUSH EBX ; ÚpBytesRead
76A61AF3 . 6A 04 PUSH 4 ; ³BytesToRead = 4
76A61AF5 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ; ³
76A61AF8 . 51 PUSH ECX ; ³Buffer
76A61AF9 . 50 PUSH EAX ; ³pBaseAddress
76A61AFA . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ³hProcess
76A61AFD . FFD6 CALL ESI ; ÀReadProcessMemory
76A61AFF . 85C0 TEST EAX,EAX
76A61B01 .0F84 B7000000 JE 3ba1ea5.76A61BBE
76A61B07 . 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
76A61B0A . C1EF 02 SHR EDI,2
76A61B0D . 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX
76A61B10 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
76A61B13 > 3B45 D8 CMP EAX,DWORD PTR SS:[EBP-28]
76A61B16 .74 6A JE SHORT 3ba1ea5.76A61B82
76A61B18 . 83C0 F8 ADD EAX,-8
76A61B1B . 53 PUSH EBX
76A61B1C . 6A 50 PUSH 50
76A61B1E . 8D8D 68FFFFFF LEA ECX,DWORD PTR SS:[EBP-98]
76A61B24 . 51 PUSH ECX
76A61B25 . 50 PUSH EAX
76A61B26 . FF75 08 PUSH DWORD PTR SS:[EBP+8]
76A61B29 . FFD6 CALL ESI
76A61B2B . 85C0 TEST EAX,EAX
76A61B2D .0F84 8B000000 JE 3ba1ea5.76A61BBE
76A61B33 . 397D E4 CMP DWORD PTR SS:[EBP-1C],EDI
76A61B36 .73 13 JNB SHORT 3ba1ea5.76A61B4B
76A61B38 . 895D FC MOV DWORD PTR SS:[EBP-4],EBX
76A61B3B . 8B45 80 MOV EAX,DWORD PTR SS:[EBP-80]
76A61B3E . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
76A61B41 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
76A61B44 . 890491 MOV DWORD PTR DS:[ECX+EDX*4],EAX
76A61B47 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
76A61B4B > FF45 E4 INC DWORD PTR SS:[EBP-1C]
76A61B4E . 817D E4 102700>CMP DWORD PTR SS:[EBP-1C],2710
76A61B55 .76 20 JBE SHORT 3ba1ea5.76A61B77
76A61B57 . 6A 06 PUSH 6 ; ÚError = ERROR_INVALID_HANDLE
76A61B59 > FF15 5810A676 CALL DWORD PTR DS:[<&KERNEL32.SetLastErr>; ÀSetLastError
76A61B5F .EB 5D JMP SHORT 3ba1ea5.76A61BBE
76A61B61 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
76A61B64 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
76A61B66 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
76A61B68 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
76A61B6B . 33C0 XOR EAX,EAX
76A61B6D . 40 INC EAX
76A61B6E . C3 RETN
76A61B6F . 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
76A61B72 . FF75 D4 PUSH DWORD PTR SS:[EBP-2C]
76A61B75 .EB 36 JMP SHORT 3ba1ea5.76A61BAD
76A61B77 > 8B85 70FFFFFF MOV EAX,DWORD PTR SS:[EBP-90]
76A61B7D . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
76A61B80 .EB 91 JMP SHORT 3ba1ea5.76A61B13
76A61B82 > 33C0 XOR EAX,EAX
76A61B84 . 40 INC EAX
76A61B85 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
76A61B88 . 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
76A61B8B . C1E1 02 SHL ECX,2
76A61B8E . 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
76A61B91 . 890A MOV DWORD PTR DS:[EDX],ECX
76A61B93 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
76A61B97 .EB 27 JMP SHORT 3ba1ea5.76A61BC0
76A61B99 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
76A61B9C . 8B00 MOV EAX,DWORD PTR DS:[EAX]
76A61B9E . 8B00 MOV EAX,DWORD PTR DS:[EAX]
76A61BA0 . 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX
76A61BA3 . 33C0 XOR EAX,EAX
76A61BA5 . 40 INC EAX
76A61BA6 . C3 RETN
76A61BA7 . 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
76A61BAA . FF75 D0 PUSH DWORD PTR SS:[EBP-30]
76A61BAD > FF15 E410A676 CALL DWORD PTR DS:[<&ntdll.RtlNtStatusTo>; ntdll.RtlNtStatusToDosError
76A61BB3 . 50 PUSH EAX ; ÚError
76A61BB4 . FF15 5810A676 CALL DWORD PTR DS:[<&KERNEL32.SetLastErr>; ÀSetLastError
76A61BBA . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
76A61BBE > 33C0 XOR EAX,EAX
76A61BC0 > E8 8E210000 CALL 3ba1ea5.76A63D53
76A61BC5 . C2 1000 RETN 10
76A61BC8 CC INT3
76A61BC9 CC INT3
76A61BCA CC INT3
76A61BCB CC INT3
76A61BCC CC INT3
76A61BCD >Ú$ 8BFF MOV EDI,EDI
76A61BCF ³. 55 PUSH EBP
76A61BD0 ³. 8BEC MOV EBP,ESP
76A61BD2 ³. 83EC 50 SUB ESP,50
76A61BD5 ³. 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
76A61BD8 ³. 50 PUSH EAX ; ÚArg3
76A61BD9 ³. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; ³Arg2
76A61BDC ³. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ³Arg1
76A61BDF ³. E8 C5FDFFFF CALL 3ba1ea5.76A619A9 ; À3ba1ea5.76A619A9
76A61BE4 ³. 85C0 TEST EAX,EAX
76A61BE6 ³.74 59 JE SHORT 3ba1ea5.76A61C41
76A61BE8 ³. 56 PUSH ESI
76A61BE9 ³. 0FB775 D4 MOVZX ESI,WORD PTR SS:[EBP-2C]
76A61BED ³. 57 PUSH EDI
76A61BEE ³. 8B7D 14 MOV EDI,DWORD PTR SS:[EBP+14]
76A61BF1 ³. 03FF ADD EDI,EDI
76A61BF3 ³. 46 INC ESI
76A61BF4 ³. 46 INC ESI
76A61BF5 ³. 3BFE CMP EDI,ESI
76A61BF7 ³.73 02 JNB SHORT 3ba1ea5.76A61BFB
76A61BF9 ³. 8BF7 MOV ESI,EDI
76A61BFB ³> 53 PUSH EBX
76A61BFC ³. 8B5D 10 MOV EBX,DWORD PTR SS:[EBP+10]
76A61BFF ³. 6A 00 PUSH 0 ; ÚpBytesRead = NULL
76A61C01 ³. 56 PUSH ESI ; ³BytesToRead
76A61C02 ³. 53 PUSH EBX ; ³Buffer
76A61C03 ³. FF75 D8 PUSH DWORD PTR SS:[EBP-28] ; ³pBaseAddress
76A61C06 ³. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ³hProcess
76A61C09 ³. FF15 6C10A676 CALL DWORD PTR DS:[<&KERNEL32.ReadProces>; ÀReadProcessMemory
76A61C0F ³. 85C0 TEST EAX,EAX
76A61C11 ³.74 2B JE SHORT 3ba1ea5.76A61C3E
76A61C13 ³. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
76A61C17 ³. 40 INC EAX
76A61C18 ³. 40 INC EAX
76A61C19 ³. 3BF0 CMP ESI,EAX
76A61C1B ³.75 02 JNZ SHORT 3ba1ea5.76A61C1F
76A61C1D ³. 4E DEC ESI
76A61C1E ³. 4E DEC ESI
76A61C1F ³> 3BF7 CMP ESI,EDI
76A61C21 ³.73 0B JNB SHORT 3ba1ea5.76A61C2E
76A61C23 ³. 8BC6 MOV EAX,ESI
76A61C25 ³. D1E8 SHR EAX,1
76A61C27 ³. 66:832443 00 AND WORD PTR DS:[EBX+EAX*2],0
76A61C2C ³.EB 0C JMP SHORT 3ba1ea5.76A61C3A
76A61C2E ³> 85FF TEST EDI,EDI
76A61C30 ³.76 08 JBE SHORT 3ba1ea5.76A61C3A