最新版 Shark 的输出日志：
.reload /i Shark=FFFFD20A00B57080 < FFFFD20A00B57080 - 00020000 >
.reload /i Shark.sys=FFFFD20A00B79000 < FFFFD20A00B79000 - 00020000 >
[SHARK] < 00000000000055F0 > BuildNumber
[SHARK] < FFFFD209FACFB040 > PsInitialSystemProcess
[SHARK] < 0000000000000002 > NumberProcessors
[SHARK] < FFFFF8026C2D7ED0 > KeEnterCriticalRegion
[SHARK] < FFFFF8026C258740 > KeLeaveCriticalRegion
[SHARK] < FFFFF8026C2A73B0 > ExAcquireSpinLockShared
[SHARK] < FFFFF8026C32AB40 > ExReleaseSpinLockShared
[SHARK] < FFFFF8026C2023A0 > DbgPrint
[SHARK] < FFFFF8026C259AF0 > KeWaitForSingleObject
[SHARK] < FFFFF8026C41BBB0 > RtlCompareMemory
[SHARK] < FFFFF8026C41B670 > RtlRestoreContext
[SHARK] < FFFFF8026C2D8140 > ExQueueWorkItem
[SHARK] < FFFFF8026CA6B810 > ExFreePoolWithTag
[SHARK] < FFFFF8026C412B70 > KeBugCheckEx
[SHARK] < FFFFF8026C32A060 > ExInterlockedRemoveHeadList
[SHARK] < FFFFF8026C329B10 > ExAcquireRundownProtection
[SHARK] < FFFFF8026C32EC40 > ExReleaseRundownProtection
[SHARK] < FFFFF8026C2B2A90 > ExWaitForRundownProtectionRelease
[SHARK] < FFFFD20A00B955C0 > Block
[SHARK] < 00000000000000C0 > SizeCmpAppendDllSection
[SHARK] < 0000000000000001 > BtcEnable
[SHARK] < FFFFD20A00B95F48 > OriginalCmpAppendDllSection
[SHARK] < 00000000000007B0 > OffsetEntryPoint
[SHARK] < 000000000001A000 > SizeINITKDBG
[SHARK] < FFFFD20A00B99000 > INITKDBG
[SHARK] < FFFFF8026C2D8140 > ntoskrnl.exe!ExReleaseResourceAndLeavePriorityRegion
[SHARK] < FFFFF8026C25B890 > ntoskrnl.exe!ExTryAcquireCacheAwarePushLockSharedEx
[SHARK] < FFFFF8026C7F2DD0 > ntoskrnl.exe!IoCreateSynchronizationEvent + 2c0
[SHARK] < FFFFF8026C22ECD0 > ntoskrnl.exe!ExConvertExclusiveToSharedLite
[SHARK] < FFFFF8026C808FE0 > MmAllocateIndependentPages
[SHARK] < FFFFF8026C96C940 > MmFreeIndependentPages
[SHARK] < FFFFF8026C3B1250 > MmSetPageProtection
[SHARK] < FFFFAEF1403F82A8 > test independent page < FFFFE2807F055000 - 00001000 >
[SHARK] < FFFFF8026C3E2ED0 > KiScbQueueScanWorker
[SHARK] < FFFFF8026C3E2F21 > KiScbQueueScanWorker end
[SHARK] < FFFFF8026CE00020 > PsInvertedFunctionTable
[SHARK] < 000000008D806955 > BranchKey[10]
[SHARK] < 00000000D0006DF1 > BranchKey[0]
[SHARK] < 00000000B0006C10 > BranchKey[1]
[SHARK] < 0000000090006A2F > BranchKey[2]
[SHARK] < 00000000510069C6 > BranchKey[3]
[SHARK] < 000000002D00698A > BranchKey[4]
[SHARK] < 0000000000007848 > BranchKey[5]
[SHARK] < 0000000000000000 > BranchKey[6]
[SHARK] < 00000000C0007485 > BranchKey[7]
[SHARK] < 00000000FC006AE3 > BranchKey[8]
[SHARK] < 00000000800070C3 > BranchKey[9]
[SHARK] < 0000000058C06968 > BranchKey[11]
[SHARK] < FFFFF8026C416FAC > KiStartSystemThread
[SHARK] < FFFFF8026C35B5C0 > PspSystemThreadStartup
[SHARK] < FFFFF8026CD06CD0 > KiWaitNever
[SHARK] < FFFFF8026CD06E30 > KiWaitAlways
[SHARK] < FFFFF8026C44D630 > MmIsNonPagedSystemAddressValid
[SHARK] < FFFFF8026CC11698 > PoolBigPageTable
[SHARK] < FFFFF8026CC11690 > PoolBigPageTableSize
[SHARK] < 0000000000407000 > NumberOfPtes
[SHARK] < FFFFAEF140000000 > BasePte
[SHARK] < FFFFF8026C386040 > MmIsAddressValid
[SHARK] < FFFFF8026C305C10 > RtlLookupFunctionEntry
[SHARK] < FFFFF8026C302790 > RtlVirtualUnwind
[SHARK] < FFFFF8026C2D8140 > ExQueueWorkItem
[SHARK] < FFFFD20A00B8BB10 > CaptureContext
[SHARK] < FFFFD20A00B810B0 > FreeWorker
[SHARK] < FFFFD20A00B7EEA0 > ClearCallback
[SHARK] < 0000000000000564 > OffsetSameThreadPassive
[SHARK] < 0000000000000001 > BigPool < FFFFD209FC890000 - 00008000 >
[SHARK] < 0000000000000001 > scan < FFFFD209FB380000 - 0002a000 > < 29B83DEFF9729667, DF65DBC0C394DA32, 5957DA50C614BE33, E1CFDE10FC158E0A...>
[SHARK] < 0000000000000001 > scan < FFFFD209FA702000 - 00063000 > < 9704F809AC5AF71C, A7AECD5875C7A314, E3B0BD6BFF4A6F3A, 7CBAB5BBB8CD9BD3...>
[SHARK] < 0000000000000001 > scan < FFFFD20A00B99000 - 0001a000 > < CCCCCCCCCCCCCCCC, CCCCCCCCCCCCCCCC, 56535508244C8948, 4156415541544157...>
[SHARK] < 0000000000000001 > SystemPtes < FFFFAEF140000000 - FFFFAEF142038000 >
[SHARK] < FFFFD20A00B78000 > shark load success
旧版 Shark 的输出日志：
[Shark] load
[Shark] < 00000000000055F0 > BuildNumber
[Shark] < FFFFD209FACFB040 > PsInitialSystemProcess
[Shark] < 0000000000000002 > NumberProcessors
[Shark] < FFFFF8026C2D7ED0 > KeEnterCriticalRegion
[Shark] < FFFFF8026C258740 > KeLeaveCriticalRegion
[Shark] < FFFFF8026C2A73B0 > ExAcquireSpinLockShared
[Shark] < FFFFF8026C32AB40 > ExReleaseSpinLockShared
[Shark] < FFFFF8026C2023A0 > DbgPrint
[Shark] < FFFFF8026C41BBB0 > RtlCompareMemory
[Shark] < FFFFF8026C41B670 > RtlRestoreContext
[Shark] < FFFFF8026C2D8140 > ExQueueWorkItem
[Shark] < FFFFF8026CA6B810 > ExFreePoolWithTag
[Shark] < FFFFF8026C412B70 > KeBugCheckEx
[Shark] < FFFFF8026C32A060 > ExInterlockedRemoveHeadList
[Shark] < FFFFF8026C329B10 > ExAcquireRundownProtection
[Shark] < FFFFF8026C32EC40 > ExReleaseRundownProtection
[Shark] < FFFFF8026C2B2A90 > ExWaitForRundownProtectionRelease
[Shark] < FFFFD20A00B58560 > PgBlock
[Shark] < 00000000000000C0 > SizeCmpAppendDllSection
[Shark] < 0000000000000001 > BtcEnable
[Shark] < FFFFD20A00B59950 > OriginalCmpAppendDllSection
[Shark] < 00000000000007B0 > OffsetEntryPoint
[Shark] < 000000000001A000 > SizeINITKDBG
[Shark] < FFFFD209FA702000 > INITKDBG
[Shark] < FFFFF8026C2D8140 > ntoskrnl.exe!ExReleaseResourceAndLeavePriorityRegion
[Shark] < FFFFF8026C25B890 > ntoskrnl.exe!ExTryAcquireCacheAwarePushLockSharedEx
[Shark] < FFFFF8026C7F2DD0 > ntoskrnl.exe!IoCreateSynchronizationEvent + 2c0
[Shark] < FFFFF8026C22ECD0 > ntoskrnl.exe!ExConvertExclusiveToSharedLite
[Shark] < FFFFF8026C808FE0 > MmAllocateIndependentPages
[Shark] < FFFFF8026C96C940 > MmFreeIndependentPages
[Shark] < FFFFF8026C3B1250 > MmSetPageProtection
[Shark] < FFFFF8026CE00020 > PsInvertedFunctionTable
[Shark] < 000000008D806955 > BranchKey[10]
[Shark] < 00000000D0006DF1 > BranchKey[0]
[Shark] < 00000000B0006C10 > BranchKey[1]
[Shark] < 0000000090006A2F > BranchKey[2]
[Shark] < 00000000510069C6 > BranchKey[3]
[Shark] < 000000002D00698A > BranchKey[4]
[Shark] < 0000000000007848 > BranchKey[5]
[Shark] < 0000000000000000 > BranchKey[6]
[Shark] < 00000000C0007485 > BranchKey[7]
[Shark] < 00000000FC006AE3 > BranchKey[8]
[Shark] < 00000000800070C3 > BranchKey[9]
[Shark] < 0000000058C06968 > BranchKey[11]
[Shark] < FFFFF8026C416FAC > KiStartSystemThread
[Shark] < FFFFF8026C35B5C0 > PspSystemThreadStartup
[Shark] < FFFFF8026CD06CD0 > KiWaitNever
[Shark] < FFFFF8026CD06E30 > KiWaitAlways
[Shark] < FFFFF8026C44D630 > MmIsNonPagedSystemAddressValid
[Shark] < FFFFF8026CC53D90 > SystemRegionTypeArray
[Shark] < FFFFF8026CC11698 > PoolBigPageTable
[Shark] < FFFFF8026CC11690 > PoolBigPageTableSize
[Shark] < FFFFAEFE40000000 > BasePte
[Shark] < 0000000080000000 > NumberOfPtes
[Shark] < FFFFF8026C305C10 > RtlLookupFunctionEntry
[Shark] < FFFFF8026C302790 > RtlVirtualUnwind
[Shark] < FFFFF8026C2D8140 > ExQueueWorkItem
[Shark] < FFFFD20A00B58780 > CaptureContext
[Shark] < FFFFD20A00B58AA0 > FreeWorker
[Shark] < FFFFD20A00B58B50 > ClearCallback
[Shark] < 0000000000000564 > OffsetSameThreadPassive
[Shark] < 0000000000000001 > BigPool < FFFFD209FC890000 - 00008000 >
[Shark] < 0000000000000001 > SystemPtes < FFFFAEFE40000000 - FFFFAF0240000000 >
[Shark] < FFFFD20A02204E40 > found noimage return address in worker thread stack
[Shark] - unload
可以看到，旧版 Shark 虽然找到了地址（见上面日志中的 "found noimage return address in worker thread stack" 一行），但却没有对它做任何处理，因为这块内存是被 xor+btc 加密的。
我们可以通过硬件断点来找到调用地址
INITKDBG:0000000140ACCC24
INITKDBG:0000000140ACCC24 ; =============== S U B R O U T I N E =======================================
INITKDBG:0000000140ACCC24
INITKDBG:0000000140ACCC24 ; Attributes: bp-based frame fpd=57h
INITKDBG:0000000140ACCC24
INITKDBG:0000000140ACCC24 sub_140ACCC24 proc near ; CODE XREF: sub_1403E4170+372C↑p
INITKDBG:0000000140ACCC24 ; sub_1403E4170+3CDD↑p ...
INITKDBG:0000000140ACCC24
INITKDBG:0000000140ACCC24 var_D0 = dword ptr -0D0h
INITKDBG:0000000140ACCC24 var_C8 = dword ptr -0C8h
INITKDBG:0000000140ACCC24 var_B0 = qword ptr -0B0h
INITKDBG:0000000140ACCC24 var_A8 = qword ptr -0A8h
INITKDBG:0000000140ACCC24 var_A0 = qword ptr -0A0h
INITKDBG:0000000140ACCC24 var_98 = qword ptr -98h
INITKDBG:0000000140ACCC24 var_90 = qword ptr -90h
INITKDBG:0000000140ACCC24 var_88 = qword ptr -88h
INITKDBG:0000000140ACCC24 var_80 = qword ptr -80h
INITKDBG:0000000140ACCC24 var_78 = qword ptr -78h
INITKDBG:0000000140ACCC24 var_70 = qword ptr -70h
INITKDBG:0000000140ACCC24 var_68 = qword ptr -68h
INITKDBG:0000000140ACCC24 var_60 = qword ptr -60h
INITKDBG:0000000140ACCC24 var_58 = qword ptr -58h
INITKDBG:0000000140ACCC24 var_50 = qword ptr -50h
INITKDBG:0000000140ACCC24 var_48 = qword ptr -48h
INITKDBG:0000000140ACCC24 var_40 = qword ptr -40h
INITKDBG:0000000140ACCC24 arg_8 = dword ptr 18h
INITKDBG:0000000140ACCC24 arg_10 = dword ptr 20h
INITKDBG:0000000140ACCC24 arg_18 = qword ptr 28h
INITKDBG:0000000140ACCC24
INITKDBG:0000000140ACCC24 44 89 44 24 18 mov [rsp-8+arg_10], r8d
INITKDBG:0000000140ACCC29 89 54 24 10 mov [rsp-8+arg_8], edx
INITKDBG:0000000140ACCC2D 55 push rbp
INITKDBG:0000000140ACCC2E 53 push rbx
INITKDBG:0000000140ACCC2F 56 push rsi
INITKDBG:0000000140ACCC30 57 push rdi
INITKDBG:0000000140ACCC31 41 54 push r12
INITKDBG:0000000140ACCC33 41 55 push r13
INITKDBG:0000000140ACCC35 41 57 push r15
INITKDBG:0000000140ACCC37 48 8D 6C 24 D9 lea rbp, [rsp-27h]
INITKDBG:0000000140ACCC3C 48 81 EC C0 00 00 00 sub rsp, 0C0h
INITKDBG:0000000140ACCC43 44 8B DA mov r11d, edx
INITKDBG:0000000140ACCC46 48 8B F9 mov rdi, rcx
INITKDBG:0000000140ACCC49 41 83 F8 03 cmp r8d, 3
INITKDBG:0000000140ACCC4D 0F 84 18 03 00 00 jz loc_140ACCF6B
INITKDBG:0000000140ACCC53 44 8B A1 58 09 00 00 mov r12d, [rcx+958h]
INITKDBG:0000000140ACCC5A 33 DB xor ebx, ebx
INITKDBG:0000000140ACCC5C 44 8B D3 mov r10d, ebx
INITKDBG:0000000140ACCC5F 41 81 E4 00 00 00 10 and r12d, 10000000h
INITKDBG:0000000140ACCC66 75 07 jnz short loc_140ACCC6F
INITKDBG:0000000140ACCC68 44 8B 91 EC 08 00 00 mov r10d, [rcx+8ECh]
INITKDBG:0000000140ACCC6F
INITKDBG:0000000140ACCC6F loc_140ACCC6F: ; CODE XREF: sub_140ACCC24+42↑j
INITKDBG:0000000140ACCC6F 8B 81 D8 07 00 00 mov eax, [rcx+7D8h]
INITKDBG:0000000140ACCC75 89 45 7F mov dword ptr [rbp+57h+arg_18], eax
INITKDBG:0000000140ACCC78 0F 31 rdtsc
INITKDBG:0000000140ACCC7A 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACCC7E 49 BD 01 20 00 04 80 00 10 70 mov r13, 7010008004002001h
INITKDBG:0000000140ACCC88 48 0B C2 or rax, rdx
INITKDBG:0000000140ACCC8B 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACCC8E 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACCC91 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACCC95 49 8B C5 mov rax, r13
INITKDBG:0000000140ACCC98 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACCC9B 48 F7 E2 mul rdx
INITKDBG:0000000140ACCC9E 4C 8B F8 mov r15, rax
INITKDBG:0000000140ACCCA1 48 89 55 BF mov [rbp+57h+var_98], rdx
INITKDBG:0000000140ACCCA5 44 33 FA xor r15d, edx
INITKDBG:0000000140ACCCA8 41 81 E7 FF 07 00 00 and r15d, 7FFh
INITKDBG:0000000140ACCCAF 0F 31 rdtsc
INITKDBG:0000000140ACCCB1 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACCCB5 45 8D 47 01 lea r8d, [r15+1]
INITKDBG:0000000140ACCCB9 48 0B C2 or rax, rdx
INITKDBG:0000000140ACCCBC BE 01 00 00 00 mov esi, 1
INITKDBG:0000000140ACCCC1 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACCCC4 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACCCC7 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACCCCB 49 8B C5 mov rax, r13
INITKDBG:0000000140ACCCCE 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACCCD1 48 F7 E2 mul rdx
INITKDBG:0000000140ACCCD4 48 33 C2 xor rax, rdx
INITKDBG:0000000140ACCCD7 48 89 55 C7 mov [rbp+57h+var_90], rdx
INITKDBG:0000000140ACCCDB 33 D2 xor edx, edx
INITKDBG:0000000140ACCCDD 49 F7 F0 div r8
INITKDBG:0000000140ACCCE0 48 89 55 A7 mov [rbp+57h+var_B0], rdx
INITKDBG:0000000140ACCCE4 45 85 D2 test r10d, r10d
INITKDBG:0000000140ACCCE7 0F 84 A1 00 00 00 jz loc_140ACCD8E
INITKDBG:0000000140ACCCED 0F 31 rdtsc
INITKDBG:0000000140ACCCEF 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACCCF3 48 0B C2 or rax, rdx
INITKDBG:0000000140ACCCF6 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACCCF9 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACCCFC 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACCD00 49 8B C5 mov rax, r13
INITKDBG:0000000140ACCD03 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACCD06 48 F7 E2 mul rdx
INITKDBG:0000000140ACCD09 33 C2 xor eax, edx
INITKDBG:0000000140ACCD0B 48 89 55 CF mov [rbp+57h+var_88], rdx
INITKDBG:0000000140ACCD0F 23 C6 and eax, esi
INITKDBG:0000000140ACCD11 83 CA FF or edx, 0FFFFFFFFh
INITKDBG:0000000140ACCD14 C1 E0 0C shl eax, 0Ch
INITKDBG:0000000140ACCD17 05 00 10 00 00 add eax, 1000h
INITKDBG:0000000140ACCD1C 44 03 F8 add r15d, eax
INITKDBG:0000000140ACCD1F 43 8D 04 1F lea eax, [r15+r11]
INITKDBG:0000000140ACCD23 48 8D 48 08 lea rcx, [rax+8]
INITKDBG:0000000140ACCD27 48 89 45 7F mov [rbp+57h+arg_18], rax
INITKDBG:0000000140ACCD2B 48 8B 87 10 02 00 00 mov rax, [rdi+210h]
INITKDBG:0000000140ACCD32 48 89 4D AF mov [rbp+57h+var_A8], rcx
INITKDBG:0000000140ACCD36 E8 75 26 00 00 call KeGuardDispatchICall
INITKDBG:0000000140ACCD3B 4C 8B E0 mov r12, rax
INITKDBG:0000000140ACCD3E 48 85 C0 test rax, rax
INITKDBG:0000000140ACCD41 74 78 jz short loc_140ACCDBB
INITKDBG:0000000140ACCD43 48 8B 55 7F mov rdx, [rbp+57h+arg_18]
INITKDBG:0000000140ACCD47 44 8D 46 3F lea r8d, [rsi+3Fh]
INITKDBG:0000000140ACCD4B 48 8B 87 20 02 00 00 mov rax, [rdi+220h]
INITKDBG:0000000140ACCD52 48 81 C2 FF 0F 00 00 add rdx, 0FFFh
INITKDBG:0000000140ACCD59 81 E2 00 F0 FF FF and edx, 0FFFFF000h
INITKDBG:0000000140ACCD5F 49 8B CC mov rcx, r12
INITKDBG:0000000140ACCD62 E8 49 26 00 00 call KeGuardDispatchICall
INITKDBG:0000000140ACCD67 84 C0 test al, al
INITKDBG:0000000140ACCD69 75 15 jnz short loc_140ACCD80
INITKDBG:0000000140ACCD6B 48 8B 87 18 02 00 00 mov rax, [rdi+218h]
INITKDBG:0000000140ACCD72 49 8B CC mov rcx, r12
INITKDBG:0000000140ACCD75 48 8B 55 7F mov rdx, [rbp+57h+arg_18]
INITKDBG:0000000140ACCD79 E8 32 26 00 00 call KeGuardDispatchICall
INITKDBG:0000000140ACCD7E EB 3B jmp short loc_140ACCDBB
INITKDBG:0000000140ACCD80 ; ---------------------------------------------------------------------------
INITKDBG:0000000140ACCD80
INITKDBG:0000000140ACCD80 loc_140ACCD80: ; CODE XREF: sub_140ACCC24+145↑j
INITKDBG:0000000140ACCD80 48 8B 45 AF mov rax, [rbp+57h+var_A8]
INITKDBG:0000000140ACCD84 49 89 04 24 mov [r12], rax
INITKDBG:0000000140ACCD88 49 83 C4 08 add r12, 8
INITKDBG:0000000140ACCD8C EB 28 jmp short loc_140ACCDB6
INITKDBG:0000000140ACCD8E ; ---------------------------------------------------------------------------
INITKDBG:0000000140ACCD8E
INITKDBG:0000000140ACCD8E loc_140ACCD8E: ; CODE XREF: sub_140ACCC24+C3↑j
INITKDBG:0000000140ACCD8E 48 8B 87 E8 00 00 00 mov rax, [rdi+0E8h]
INITKDBG:0000000140ACCD95 43 8D 14 1F lea edx, [r15+r11]
INITKDBG:0000000140ACCD99 44 8B 45 7F mov r8d, dword ptr [rbp+57h+arg_18]
INITKDBG:0000000140ACCD9D 41 F7 DC neg r12d
INITKDBG:0000000140ACCDA0 48 1B C9 sbb rcx, rcx
INITKDBG:0000000140ACCDA3 48 83 E1 C0 and rcx, 0FFFFFFFFFFFFFFC0h
INITKDBG:0000000140ACCDA7 48 81 C1 82 00 00 00 add rcx, 82h
INITKDBG:0000000140ACCDAE E8 FD 25 00 00 call KeGuardDispatchICall
INITKDBG:0000000140ACCDB3 4C 8B E0 mov r12, rax
INITKDBG:0000000140ACCDB6
INITKDBG:0000000140ACCDB6 loc_140ACCDB6: ; CODE XREF: sub_140ACCC24+168↑j
INITKDBG:0000000140ACCDB6 4D 85 E4 test r12, r12
INITKDBG:0000000140ACCDB9 75 0B jnz short loc_140ACCDC6
INITKDBG:0000000140ACCDBB
INITKDBG:0000000140ACCDBB loc_140ACCDBB: ; CODE XREF: sub_140ACCC24+11D↑j
INITKDBG:0000000140ACCDBB ; sub_140ACCC24+15A↑j
INITKDBG:0000000140ACCDBB 01 B7 E0 09 00 00 add [rdi+9E0h], esi
INITKDBG:0000000140ACCDC1 E9 9D 01 00 00 jmp loc_140ACCF63
INITKDBG:0000000140ACCDC6 ; ---------------------------------------------------------------------------
INITKDBG:0000000140ACCDC6
INITKDBG:0000000140ACCDC6 loc_140ACCDC6: ; CODE XREF: sub_140ACCC24+195↑j
INITKDBG:0000000140ACCDC6 48 8B 45 A7 mov rax, [rbp+57h+var_B0]
INITKDBG:0000000140ACCDCA 4D 8B C4 mov r8, r12
INITKDBG:0000000140ACCDCD 44 8B D8 mov r11d, eax
INITKDBG:0000000140ACCDD0 41 BA F8 FF FF FF mov r10d, 0FFFFFFF8h
INITKDBG:0000000140ACCDD6 83 F8 08 cmp eax, 8
INITKDBG:0000000140ACCDD9 72 39 jb short loc_140ACCE14
INITKDBG:0000000140ACCDDB 44 8B C8 mov r9d, eax
INITKDBG:0000000140ACCDDE 49 C1 E9 03 shr r9, 3
INITKDBG:0000000140ACCDE2
INITKDBG:0000000140ACCDE2 loc_140ACCDE2: ; CODE XREF: sub_140ACCC24+1EE↓j
INITKDBG:0000000140ACCDE2 0F 31 rdtsc
INITKDBG:0000000140ACCDE4 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACCDE8 45 03 DA add r11d, r10d
INITKDBG:0000000140ACCDEB 48 0B C2 or rax, rdx
INITKDBG:0000000140ACCDEE 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACCDF1 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACCDF4 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACCDF8 49 8B C5 mov rax, r13
INITKDBG:0000000140ACCDFB 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACCDFE 48 F7 E2 mul rdx
INITKDBG:0000000140ACCE01 48 89 55 D7 mov [rbp+57h+var_80], rdx
INITKDBG:0000000140ACCE05 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACCE08 49 89 10 mov [r8], rdx
INITKDBG:0000000140ACCE0B 49 83 C0 08 add r8, 8
INITKDBG:0000000140ACCE0F 4C 2B CE sub r9, rsi
INITKDBG:0000000140ACCE12 75 CE jnz short loc_140ACCDE2
INITKDBG:0000000140ACCE14
INITKDBG:0000000140ACCE14 loc_140ACCE14: ; CODE XREF: sub_140ACCC24+1B5↑j
INITKDBG:0000000140ACCE14 45 85 DB test r11d, r11d
INITKDBG:0000000140ACCE17 74 38 jz short loc_140ACCE51
INITKDBG:0000000140ACCE19 0F 31 rdtsc
INITKDBG:0000000140ACCE1B 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACCE1F 48 0B C2 or rax, rdx
INITKDBG:0000000140ACCE22 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACCE25 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACCE28 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACCE2C 49 8B C5 mov rax, r13
INITKDBG:0000000140ACCE2F 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACCE32 48 F7 E2 mul rdx
INITKDBG:0000000140ACCE35 48 89 55 DF mov [rbp+57h+var_78], rdx
INITKDBG:0000000140ACCE39 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACCE3C 41 83 C9 FF or r9d, 0FFFFFFFFh
INITKDBG:0000000140ACCE40
INITKDBG:0000000140ACCE40 loc_140ACCE40: ; CODE XREF: sub_140ACCC24+229↓j
INITKDBG:0000000140ACCE40 41 88 10 mov [r8], dl
INITKDBG:0000000140ACCE43 4C 03 C6 add r8, rsi
INITKDBG:0000000140ACCE46 48 C1 EA 08 shr rdx, 8
INITKDBG:0000000140ACCE4A 45 03 D9 add r11d, r9d
INITKDBG:0000000140ACCE4D 75 F1 jnz short loc_140ACCE40
INITKDBG:0000000140ACCE4F EB 04 jmp short loc_140ACCE55
INITKDBG:0000000140ACCE51 ; ---------------------------------------------------------------------------
INITKDBG:0000000140ACCE51
INITKDBG:0000000140ACCE51 loc_140ACCE51: ; CODE XREF: sub_140ACCC24+1F3↑j
INITKDBG:0000000140ACCE51 41 83 C9 FF or r9d, 0FFFFFFFFh
INITKDBG:0000000140ACCE55
INITKDBG:0000000140ACCE55 loc_140ACCE55: ; CODE XREF: sub_140ACCC24+22B↑j
INITKDBG:0000000140ACCE55 48 8B 55 A7 mov rdx, [rbp+57h+var_B0]
INITKDBG:0000000140ACCE59 44 8B 5D 6F mov r11d, [rbp+57h+arg_8]
INITKDBG:0000000140ACCE5D 44 2B FA sub r15d, edx
INITKDBG:0000000140ACCE60 8B C2 mov eax, edx
INITKDBG:0000000140ACCE62 48 89 45 AF mov [rbp+57h+var_A8], rax
INITKDBG:0000000140ACCE66 4F 8D 04 1C lea r8, [r12+r11]
INITKDBG:0000000140ACCE6A 4C 03 C0 add r8, rax
INITKDBG:0000000140ACCE6D 41 83 FF 08 cmp r15d, 8
INITKDBG:0000000140ACCE71 72 40 jb short loc_140ACCEB3
INITKDBG:0000000140ACCE73 41 8B C7 mov eax, r15d
INITKDBG:0000000140ACCE76 48 C1 E8 03 shr rax, 3
INITKDBG:0000000140ACCE7A 4C 8B D8 mov r11, rax
INITKDBG:0000000140ACCE7D
INITKDBG:0000000140ACCE7D loc_140ACCE7D: ; CODE XREF: sub_140ACCC24+289↓j
INITKDBG:0000000140ACCE7D 0F 31 rdtsc
INITKDBG:0000000140ACCE7F 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACCE83 45 03 FA add r15d, r10d
INITKDBG:0000000140ACCE86 48 0B C2 or rax, rdx
INITKDBG:0000000140ACCE89 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACCE8C 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACCE8F 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACCE93 49 8B C5 mov rax, r13
INITKDBG:0000000140ACCE96 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACCE99 48 F7 E2 mul rdx
INITKDBG:0000000140ACCE9C 48 89 55 E7 mov [rbp+57h+var_70], rdx
INITKDBG:0000000140ACCEA0 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACCEA3 49 89 10 mov [r8], rdx
INITKDBG:0000000140ACCEA6 49 83 C0 08 add r8, 8
INITKDBG:0000000140ACCEAA 4C 2B DE sub r11, rsi
INITKDBG:0000000140ACCEAD 75 CE jnz short loc_140ACCE7D
INITKDBG:0000000140ACCEAF 44 8B 5D 6F mov r11d, [rbp+57h+arg_8]
INITKDBG:0000000140ACCEB3
INITKDBG:0000000140ACCEB3 loc_140ACCEB3: ; CODE XREF: sub_140ACCC24+24D↑j
INITKDBG:0000000140ACCEB3 45 85 FF test r15d, r15d
INITKDBG:0000000140ACCEB6 74 32 jz short loc_140ACCEEA
INITKDBG:0000000140ACCEB8 0F 31 rdtsc
INITKDBG:0000000140ACCEBA 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACCEBE 48 0B C2 or rax, rdx
INITKDBG:0000000140ACCEC1 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACCEC4 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACCEC7 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACCECB 49 8B C5 mov rax, r13
INITKDBG:0000000140ACCECE 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACCED1 48 F7 E2 mul rdx
INITKDBG:0000000140ACCED4 48 89 55 EF mov [rbp+57h+var_68], rdx
INITKDBG:0000000140ACCED8 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACCEDB
INITKDBG:0000000140ACCEDB loc_140ACCEDB: ; CODE XREF: sub_140ACCC24+2C4↓j
INITKDBG:0000000140ACCEDB 41 88 10 mov [r8], dl
INITKDBG:0000000140ACCEDE 4C 03 C6 add r8, rsi
INITKDBG:0000000140ACCEE1 48 C1 EA 08 shr rdx, 8
INITKDBG:0000000140ACCEE5 45 03 F9 add r15d, r9d
INITKDBG:0000000140ACCEE8 75 F1 jnz short loc_140ACCEDB
INITKDBG:0000000140ACCEEA
INITKDBG:0000000140ACCEEA loc_140ACCEEA: ; CODE XREF: sub_140ACCC24+292↑j
INITKDBG:0000000140ACCEEA 48 8B 4D AF mov rcx, [rbp+57h+var_A8]
INITKDBG:0000000140ACCEEE 49 03 CC add rcx, r12
INITKDBG:0000000140ACCEF1 74 70 jz short loc_140ACCF63
INITKDBG:0000000140ACCEF3 8B 97 AC 07 00 00 mov edx, [rdi+7ACh]
INITKDBG:0000000140ACCEF9 4C 8B C1 mov r8, rcx
INITKDBG:0000000140ACCEFC 83 FA 08 cmp edx, 8
INITKDBG:0000000140ACCEFF 72 1D jb short loc_140ACCF1E
INITKDBG:0000000140ACCF01 44 8B FA mov r15d, edx
INITKDBG:0000000140ACCF04 49 C1 EF 03 shr r15, 3
INITKDBG:0000000140ACCF08
INITKDBG:0000000140ACCF08 loc_140ACCF08: ; CODE XREF: sub_140ACCC24+2F8↓j
INITKDBG:0000000140ACCF08 48 8B 07 mov rax, [rdi]
INITKDBG:0000000140ACCF0B 41 03 D2 add edx, r10d
INITKDBG:0000000140ACCF0E 49 89 00 mov [r8], rax
INITKDBG:0000000140ACCF11 48 83 C7 08 add rdi, 8
INITKDBG:0000000140ACCF15 49 83 C0 08 add r8, 8
INITKDBG:0000000140ACCF19 4C 2B FE sub r15, rsi
INITKDBG:0000000140ACCF1C 75 EA jnz short loc_140ACCF08
INITKDBG:0000000140ACCF1E
INITKDBG:0000000140ACCF1E loc_140ACCF1E: ; CODE XREF: sub_140ACCC24+2DB↑j
INITKDBG:0000000140ACCF1E 85 D2 test edx, edx
INITKDBG:0000000140ACCF20 74 11 jz short loc_140ACCF33
INITKDBG:0000000140ACCF22 4C 2B C7 sub r8, rdi
INITKDBG:0000000140ACCF25
INITKDBG:0000000140ACCF25 loc_140ACCF25: ; CODE XREF: sub_140ACCC24+30D↓j
INITKDBG:0000000140ACCF25 8A 07 mov al, [rdi]
INITKDBG:0000000140ACCF27 42 88 04 07 mov [rdi+r8], al
INITKDBG:0000000140ACCF2B 48 03 FE add rdi, rsi
INITKDBG:0000000140ACCF2E 41 03 D1 add edx, r9d
INITKDBG:0000000140ACCF31 75 F2 jnz short loc_140ACCF25
INITKDBG:0000000140ACCF33
INITKDBG:0000000140ACCF33 loc_140ACCF33: ; CODE XREF: sub_140ACCC24+2FC↑j
INITKDBG:0000000140ACCF33 8B 45 77 mov eax, [rbp+57h+arg_10]
INITKDBG:0000000140ACCF36 89 81 EC 08 00 00 mov [rcx+8ECh], eax
INITKDBG:0000000140ACCF3C 8B 81 58 09 00 00 mov eax, [rcx+958h]
INITKDBG:0000000140ACCF42 44 89 99 AC 07 00 00 mov [rcx+7ACh], r11d
INITKDBG:0000000140ACCF49 4C 89 A1 90 07 00 00 mov [rcx+790h], r12
INITKDBG:0000000140ACCF50 0F BA E0 1C bt eax, 1Ch
INITKDBG:0000000140ACCF54 72 0A jb short loc_140ACCF60
INITKDBG:0000000140ACCF56 0F BA E8 1D bts eax, 1Dh
INITKDBG:0000000140ACCF5A 89 81 58 09 00 00 mov [rcx+958h], eax
INITKDBG:0000000140ACCF60
INITKDBG:0000000140ACCF60 loc_140ACCF60: ; CODE XREF: sub_140ACCC24+330↑j
INITKDBG:0000000140ACCF60 48 8B D9 mov rbx, rcx
INITKDBG:0000000140ACCF63
INITKDBG:0000000140ACCF63 loc_140ACCF63: ; CODE XREF: sub_140ACCC24+19D↑j
INITKDBG:0000000140ACCF63 ; sub_140ACCC24+2CD↑j
INITKDBG:0000000140ACCF63 48 8B C3 mov rax, rbx
INITKDBG:0000000140ACCF66 E9 17 05 00 00 jmp loc_140ACD482
INITKDBG:0000000140ACCF6B ; ---------------------------------------------------------------------------
INITKDBG:0000000140ACCF6B
INITKDBG:0000000140ACCF6B loc_140ACCF6B: ; CODE XREF: sub_140ACCC24+29↑j
INITKDBG:0000000140ACCF6B 0F 31 rdtsc
INITKDBG:0000000140ACCF6D 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACCF71 49 BD 01 20 00 04 80 00 10 70 mov r13, 7010008004002001h
INITKDBG:0000000140ACCF7B 48 0B C2 or rax, rdx
INITKDBG:0000000140ACCF7E 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACCF81 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACCF84 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACCF88 49 8B C5 mov rax, r13
INITKDBG:0000000140ACCF8B 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACCF8E 48 F7 E2 mul rdx
INITKDBG:0000000140ACCF91 4C 8B C8 mov r9, rax
INITKDBG:0000000140ACCF94 48 89 55 EF mov [rbp+57h+var_68], rdx
INITKDBG:0000000140ACCF98 44 33 CA xor r9d, edx
INITKDBG:0000000140ACCF9B 41 81 E1 FF 07 00 00 and r9d, 7FFh
INITKDBG:0000000140ACCFA2 0F 31 rdtsc
INITKDBG:0000000140ACCFA4 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACCFA8 48 0B C2 or rax, rdx
INITKDBG:0000000140ACCFAB 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACCFAE 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACCFB1 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACCFB5 49 8B C5 mov rax, r13
INITKDBG:0000000140ACCFB8 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACCFBB 41 8D 49 01 lea ecx, [r9+1]
INITKDBG:0000000140ACCFBF 48 F7 E2 mul rdx
INITKDBG:0000000140ACCFC2 48 89 55 E7 mov [rbp+57h+var_70], rdx
INITKDBG:0000000140ACCFC6 48 33 C2 xor rax, rdx
INITKDBG:0000000140ACCFC9 33 D2 xor edx, edx
INITKDBG:0000000140ACCFCB 48 F7 F1 div rcx
INITKDBG:0000000140ACCFCE 48 89 55 AF mov [rbp+57h+var_A8], rdx
INITKDBG:0000000140ACCFD2 0F 31 rdtsc
INITKDBG:0000000140ACCFD4 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACCFD8 BE 01 00 00 00 mov esi, 1
INITKDBG:0000000140ACCFDD 48 0B C2 or rax, rdx
INITKDBG:0000000140ACCFE0 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACCFE3 4C 8B C0 mov r8, rax
INITKDBG:0000000140ACCFE6 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACCFEA 49 8B C5 mov rax, r13
INITKDBG:0000000140ACCFED 4C 33 C1 xor r8, rcx
INITKDBG:0000000140ACCFF0 49 F7 E0 mul r8
INITKDBG:0000000140ACCFF3 44 8B 87 D8 07 00 00 mov r8d, [rdi+7D8h]
INITKDBG:0000000140ACCFFA 33 C2 xor eax, edx
INITKDBG:0000000140ACCFFC 48 89 55 DF mov [rbp+57h+var_78], rdx
INITKDBG:0000000140ACD000 23 C6 and eax, esi
INITKDBG:0000000140ACD002 C1 E0 0C shl eax, 0Ch
INITKDBG:0000000140ACD005 05 00 10 00 00 add eax, 1000h
INITKDBG:0000000140ACD00A 41 03 C1 add eax, r9d
INITKDBG:0000000140ACD00D 89 45 7F mov dword ptr [rbp+57h+arg_18], eax
INITKDBG:0000000140ACD010 0F 31 rdtsc
INITKDBG:0000000140ACD012 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACD016 48 0B C2 or rax, rdx
INITKDBG:0000000140ACD019 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD01C 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACD01F 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACD023 49 8B C5 mov rax, r13
INITKDBG:0000000140ACD026 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACD029 48 F7 E2 mul rdx
INITKDBG:0000000140ACD02C 4C 8B E0 mov r12, rax
INITKDBG:0000000140ACD02F 48 89 55 D7 mov [rbp+57h+var_80], rdx
INITKDBG:0000000140ACD033 44 33 E2 xor r12d, edx
INITKDBG:0000000140ACD036 41 81 E4 FF 07 00 00 and r12d, 7FFh
INITKDBG:0000000140ACD03D 0F 31 rdtsc
INITKDBG:0000000140ACD03F 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACD043 48 0B C2 or rax, rdx
INITKDBG:0000000140ACD046 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD049 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACD04C 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACD050 49 8B C5 mov rax, r13
INITKDBG:0000000140ACD053 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACD056 41 8D 4C 24 01 lea ecx, [r12+1]
INITKDBG:0000000140ACD05B 48 F7 E2 mul rdx
INITKDBG:0000000140ACD05E 48 33 C2 xor rax, rdx
INITKDBG:0000000140ACD061 48 89 55 CF mov [rbp+57h+var_88], rdx
INITKDBG:0000000140ACD065 33 D2 xor edx, edx
INITKDBG:0000000140ACD067 48 F7 F1 div rcx
INITKDBG:0000000140ACD06A 48 8B 87 E8 00 00 00 mov rax, [rdi+0E8h]
INITKDBG:0000000140ACD071 8D 4E 41 lea ecx, [rsi+41h]
INITKDBG:0000000140ACD074 48 89 55 B7 mov [rbp+57h+var_A0], rdx
INITKDBG:0000000140ACD078 41 8D 54 24 20 lea edx, [r12+20h]
INITKDBG:0000000140ACD07D E8 2E 23 00 00 call KeGuardDispatchICall
INITKDBG:0000000140ACD082 33 DB xor ebx, ebx
INITKDBG:0000000140ACD084 48 89 45 A7 mov [rbp+57h+var_B0], rax
INITKDBG:0000000140ACD088 48 85 C0 test rax, rax
INITKDBG:0000000140ACD08B 75 0B jnz short loc_140ACD098
INITKDBG:0000000140ACD08D 01 B7 E0 09 00 00 add [rdi+9E0h], esi
INITKDBG:0000000140ACD093 E9 DE 03 00 00 jmp loc_140ACD476
INITKDBG:0000000140ACD098 ; ---------------------------------------------------------------------------
INITKDBG:0000000140ACD098
INITKDBG:0000000140ACD098 loc_140ACD098: ; CODE XREF: sub_140ACCC24+467↑j
INITKDBG:0000000140ACD098 4C 8B 5D B7 mov r11, [rbp+57h+var_A0]
INITKDBG:0000000140ACD09C 4C 8B C8 mov r9, rax
INITKDBG:0000000140ACD09F 45 8B D3 mov r10d, r11d
INITKDBG:0000000140ACD0A2 41 B8 F8 FF FF FF mov r8d, 0FFFFFFF8h
INITKDBG:0000000140ACD0A8 41 83 FB 08 cmp r11d, 8
INITKDBG:0000000140ACD0AC 72 39 jb short loc_140ACD0E7
INITKDBG:0000000140ACD0AE 45 8B FB mov r15d, r11d
INITKDBG:0000000140ACD0B1 49 C1 EF 03 shr r15, 3
INITKDBG:0000000140ACD0B5
INITKDBG:0000000140ACD0B5 loc_140ACD0B5: ; CODE XREF: sub_140ACCC24+4C1↓j
INITKDBG:0000000140ACD0B5 0F 31 rdtsc
INITKDBG:0000000140ACD0B7 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACD0BB 45 03 D0 add r10d, r8d
INITKDBG:0000000140ACD0BE 48 0B C2 or rax, rdx
INITKDBG:0000000140ACD0C1 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD0C4 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACD0C7 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACD0CB 49 8B C5 mov rax, r13
INITKDBG:0000000140ACD0CE 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACD0D1 48 F7 E2 mul rdx
INITKDBG:0000000140ACD0D4 48 89 55 C7 mov [rbp+57h+var_90], rdx
INITKDBG:0000000140ACD0D8 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACD0DB 49 89 11 mov [r9], rdx
INITKDBG:0000000140ACD0DE 49 83 C1 08 add r9, 8
INITKDBG:0000000140ACD0E2 4C 2B FE sub r15, rsi
INITKDBG:0000000140ACD0E5 75 CE jnz short loc_140ACD0B5
INITKDBG:0000000140ACD0E7
INITKDBG:0000000140ACD0E7 loc_140ACD0E7: ; CODE XREF: sub_140ACCC24+488↑j
INITKDBG:0000000140ACD0E7 41 83 CF FF or r15d, 0FFFFFFFFh
INITKDBG:0000000140ACD0EB 45 85 D2 test r10d, r10d
INITKDBG:0000000140ACD0EE 74 32 jz short loc_140ACD122
INITKDBG:0000000140ACD0F0 0F 31 rdtsc
INITKDBG:0000000140ACD0F2 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACD0F6 48 0B C2 or rax, rdx
INITKDBG:0000000140ACD0F9 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD0FC 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACD0FF 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACD103 49 8B C5 mov rax, r13
INITKDBG:0000000140ACD106 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACD109 48 F7 E2 mul rdx
INITKDBG:0000000140ACD10C 48 89 55 BF mov [rbp+57h+var_98], rdx
INITKDBG:0000000140ACD110 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACD113
INITKDBG:0000000140ACD113 loc_140ACD113: ; CODE XREF: sub_140ACCC24+4FC↓j
INITKDBG:0000000140ACD113 41 88 11 mov [r9], dl
INITKDBG:0000000140ACD116 4C 03 CE add r9, rsi
INITKDBG:0000000140ACD119 48 C1 EA 08 shr rdx, 8
INITKDBG:0000000140ACD11D 45 03 D7 add r10d, r15d
INITKDBG:0000000140ACD120 75 F1 jnz short loc_140ACD113
INITKDBG:0000000140ACD122
INITKDBG:0000000140ACD122 loc_140ACD122: ; CODE XREF: sub_140ACCC24+4CA↑j
INITKDBG:0000000140ACD122 41 8B C3 mov eax, r11d
INITKDBG:0000000140ACD125 45 2B E3 sub r12d, r11d
INITKDBG:0000000140ACD128 4C 8B 5D A7 mov r11, [rbp+57h+var_B0]
INITKDBG:0000000140ACD12C 4D 8D 4B 20 lea r9, [r11+20h]
INITKDBG:0000000140ACD130 4C 03 C8 add r9, rax
INITKDBG:0000000140ACD133 4A 8D 0C 18 lea rcx, [rax+r11]
INITKDBG:0000000140ACD137 48 89 4D B7 mov [rbp+57h+var_A0], rcx
INITKDBG:0000000140ACD13B 41 83 FC 08 cmp r12d, 8
INITKDBG:0000000140ACD13F 72 39 jb short loc_140ACD17A
INITKDBG:0000000140ACD141 45 8B D4 mov r10d, r12d
INITKDBG:0000000140ACD144 49 C1 EA 03 shr r10, 3
INITKDBG:0000000140ACD148
INITKDBG:0000000140ACD148 loc_140ACD148: ; CODE XREF: sub_140ACCC24+554↓j
INITKDBG:0000000140ACD148 0F 31 rdtsc
INITKDBG:0000000140ACD14A 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACD14E 45 03 E0 add r12d, r8d
INITKDBG:0000000140ACD151 48 0B C2 or rax, rdx
INITKDBG:0000000140ACD154 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD157 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACD15A 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACD15E 49 8B C5 mov rax, r13
INITKDBG:0000000140ACD161 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACD164 48 F7 E2 mul rdx
INITKDBG:0000000140ACD167 48 89 55 F7 mov [rbp+57h+var_60], rdx
INITKDBG:0000000140ACD16B 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACD16E 49 89 11 mov [r9], rdx
INITKDBG:0000000140ACD171 49 83 C1 08 add r9, 8
INITKDBG:0000000140ACD175 4C 2B D6 sub r10, rsi
INITKDBG:0000000140ACD178 75 CE jnz short loc_140ACD148
INITKDBG:0000000140ACD17A
INITKDBG:0000000140ACD17A loc_140ACD17A: ; CODE XREF: sub_140ACCC24+51B↑j
INITKDBG:0000000140ACD17A 45 85 E4 test r12d, r12d
INITKDBG:0000000140ACD17D 74 32 jz short loc_140ACD1B1
INITKDBG:0000000140ACD17F 0F 31 rdtsc
INITKDBG:0000000140ACD181 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACD185 48 0B C2 or rax, rdx
INITKDBG:0000000140ACD188 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD18B 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACD18E 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACD192 49 8B C5 mov rax, r13
INITKDBG:0000000140ACD195 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACD198 48 F7 E2 mul rdx
INITKDBG:0000000140ACD19B 48 89 55 FF mov [rbp+57h+var_58], rdx
INITKDBG:0000000140ACD19F 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACD1A2
INITKDBG:0000000140ACD1A2 loc_140ACD1A2: ; CODE XREF: sub_140ACCC24+58B↓j
INITKDBG:0000000140ACD1A2 41 88 11 mov [r9], dl
INITKDBG:0000000140ACD1A5 4C 03 CE add r9, rsi
INITKDBG:0000000140ACD1A8 48 C1 EA 08 shr rdx, 8
INITKDBG:0000000140ACD1AC 45 03 E7 add r12d, r15d
INITKDBG:0000000140ACD1AF 75 F1 jnz short loc_140ACD1A2
INITKDBG:0000000140ACD1B1
INITKDBG:0000000140ACD1B1 loc_140ACD1B1: ; CODE XREF: sub_140ACCC24+559↑j
INITKDBG:0000000140ACD1B1 4C 8B 65 B7 mov r12, [rbp+57h+var_A0]
INITKDBG:0000000140ACD1B5 4D 85 E4 test r12, r12
INITKDBG:0000000140ACD1B8 0F 84 B8 02 00 00 jz loc_140ACD476
INITKDBG:0000000140ACD1BE B9 20 00 00 00 mov ecx, 20h ; ' '
INITKDBG:0000000140ACD1C3 49 8B C4 mov rax, r12
INITKDBG:0000000140ACD1C6 8D 51 E4 lea edx, [rcx-1Ch]
INITKDBG:0000000140ACD1C9
INITKDBG:0000000140ACD1C9 loc_140ACD1C9: ; CODE XREF: sub_140ACCC24+5B2↓j
INITKDBG:0000000140ACD1C9 48 89 18 mov [rax], rbx
INITKDBG:0000000140ACD1CC 41 03 C8 add ecx, r8d
INITKDBG:0000000140ACD1CF 48 83 C0 08 add rax, 8
INITKDBG:0000000140ACD1D3 48 2B D6 sub rdx, rsi
INITKDBG:0000000140ACD1D6 75 F1 jnz short loc_140ACD1C9
INITKDBG:0000000140ACD1D8 85 C9 test ecx, ecx
INITKDBG:0000000140ACD1DA 74 0A jz short loc_140ACD1E6
INITKDBG:0000000140ACD1DC
INITKDBG:0000000140ACD1DC loc_140ACD1DC: ; CODE XREF: sub_140ACCC24+5C0↓j
INITKDBG:0000000140ACD1DC 88 18 mov [rax], bl
INITKDBG:0000000140ACD1DE 48 03 C6 add rax, rsi
INITKDBG:0000000140ACD1E1 41 03 CF add ecx, r15d
INITKDBG:0000000140ACD1E4 75 F6 jnz short loc_140ACD1DC
INITKDBG:0000000140ACD1E6
INITKDBG:0000000140ACD1E6 loc_140ACD1E6: ; CODE XREF: sub_140ACCC24+5B6↑j
INITKDBG:0000000140ACD1E6 8B 87 D8 07 00 00 mov eax, [rdi+7D8h]
INITKDBG:0000000140ACD1EC B9 00 00 00 01 mov ecx, 1000000h
INITKDBG:0000000140ACD1F1 89 45 77 mov [rbp+57h+arg_10], eax
INITKDBG:0000000140ACD1F4 BA 05 00 00 00 mov edx, 5
INITKDBG:0000000140ACD1F9 41 89 44 24 10 mov [r12+10h], eax
INITKDBG:0000000140ACD1FE 4D 89 5C 24 18 mov [r12+18h], r11
INITKDBG:0000000140ACD203 8B 87 58 09 00 00 mov eax, [rdi+958h]
INITKDBG:0000000140ACD209 85 C1 test ecx, eax
INITKDBG:0000000140ACD20B 74 07 jz short loc_140ACD214
INITKDBG:0000000140ACD20D BA 15 00 00 00 mov edx, 15h
INITKDBG:0000000140ACD212 EB 08 jmp short loc_140ACD21C
INITKDBG:0000000140ACD214 ; ---------------------------------------------------------------------------
INITKDBG:0000000140ACD214
INITKDBG:0000000140ACD214 loc_140ACD214: ; CODE XREF: sub_140ACCC24+5E7↑j
INITKDBG:0000000140ACD214 0B C1 or eax, ecx
INITKDBG:0000000140ACD216 89 87 58 09 00 00 mov [rdi+958h], eax
INITKDBG:0000000140ACD21C
INITKDBG:0000000140ACD21C loc_140ACD21C: ; CODE XREF: sub_140ACCC24+5EE↑j
INITKDBG:0000000140ACD21C 8B 4D 7F mov ecx, dword ptr [rbp+57h+arg_18]
INITKDBG:0000000140ACD21F 4C 8B C3 mov r8, rbx
INITKDBG:0000000140ACD222 03 4D 6F add ecx, [rbp+57h+arg_8]
INITKDBG:0000000140ACD225 48 8B 87 38 03 00 00 mov rax, [rdi+338h]
INITKDBG:0000000140ACD22C 44 8B C9 mov r9d, ecx
INITKDBG:0000000140ACD22F 89 54 24 28 mov [rsp+0F0h+var_C8], edx
INITKDBG:0000000140ACD233 48 83 CA FF or rdx, 0FFFFFFFFFFFFFFFFh
INITKDBG:0000000140ACD237 48 89 4D B7 mov [rbp+57h+var_A0], rcx
INITKDBG:0000000140ACD23B 48 8B CB mov rcx, rbx
INITKDBG:0000000140ACD23E 89 74 24 20 mov [rsp+0F0h+var_D0], esi
INITKDBG:0000000140ACD242 E8 69 21 00 00 call KeGuardDispatchICall
INITKDBG:0000000140ACD247 48 89 45 A7 mov [rbp+57h+var_B0], rax
INITKDBG:0000000140ACD24B 48 85 C0 test rax, rax
INITKDBG:0000000140ACD24E 0F 84 13 02 00 00 jz loc_140ACD467
INITKDBG:0000000140ACD254 8B 55 77 mov edx, [rbp+57h+arg_10]
INITKDBG:0000000140ACD257 48 8B 4D B7 mov rcx, [rbp+57h+var_A0]
INITKDBG:0000000140ACD25B 49 89 04 24 mov [r12], rax
INITKDBG:0000000140ACD25F 48 8B 87 40 03 00 00 mov rax, [rdi+340h]
INITKDBG:0000000140ACD266 E8 45 21 00 00 call KeGuardDispatchICall
INITKDBG:0000000140ACD26B 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD26E 48 85 C0 test rax, rax
INITKDBG:0000000140ACD271 0F 84 F0 01 00 00 jz loc_140ACD467
INITKDBG:0000000140ACD277 4C 8B 45 A7 mov r8, [rbp+57h+var_B0]
INITKDBG:0000000140ACD27B 44 8B CE mov r9d, esi
INITKDBG:0000000140ACD27E 8B 55 77 mov edx, [rbp+57h+arg_10]
INITKDBG:0000000140ACD281 49 89 44 24 08 mov [r12+8], rax
INITKDBG:0000000140ACD286 48 8B 87 48 03 00 00 mov rax, [rdi+348h]
INITKDBG:0000000140ACD28D E8 1E 21 00 00 call KeGuardDispatchICall
INITKDBG:0000000140ACD292 48 8B 55 B7 mov rdx, [rbp+57h+var_A0]
INITKDBG:0000000140ACD296 4C 8B C8 mov r9, rax
INITKDBG:0000000140ACD299 48 81 C2 FF 0F 00 00 add rdx, 0FFFh
INITKDBG:0000000140ACD2A0 48 89 45 A7 mov [rbp+57h+var_B0], rax
INITKDBG:0000000140ACD2A4 48 8B 87 20 02 00 00 mov rax, [rdi+220h]
INITKDBG:0000000140ACD2AB 81 E2 00 F0 FF FF and edx, 0FFFFF000h
INITKDBG:0000000140ACD2B1 41 B8 40 00 00 00 mov r8d, 40h ; '@'
INITKDBG:0000000140ACD2B7 49 8B C9 mov rcx, r9
INITKDBG:0000000140ACD2BA E8 F1 20 00 00 call KeGuardDispatchICall
INITKDBG:0000000140ACD2BF 84 C0 test al, al
INITKDBG:0000000140ACD2C1 0F 84 A0 01 00 00 jz loc_140ACD467
INITKDBG:0000000140ACD2C7 4C 8B 5D AF mov r11, [rbp+57h+var_A8]
INITKDBG:0000000140ACD2CB 41 BA F8 FF FF FF mov r10d, 0FFFFFFF8h
INITKDBG:0000000140ACD2D1 4C 8B 45 A7 mov r8, [rbp+57h+var_B0]
INITKDBG:0000000140ACD2D5 45 8B CB mov r9d, r11d
INITKDBG:0000000140ACD2D8 41 83 FB 08 cmp r11d, 8
INITKDBG:0000000140ACD2DC 72 3D jb short loc_140ACD31B
INITKDBG:0000000140ACD2DE 45 8B DB mov r11d, r11d
INITKDBG:0000000140ACD2E1 49 C1 EB 03 shr r11, 3
INITKDBG:0000000140ACD2E5
INITKDBG:0000000140ACD2E5 loc_140ACD2E5: ; CODE XREF: sub_140ACCC24+6F1↓j
INITKDBG:0000000140ACD2E5 0F 31 rdtsc
INITKDBG:0000000140ACD2E7 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACD2EB 45 03 CA add r9d, r10d
INITKDBG:0000000140ACD2EE 48 0B C2 or rax, rdx
INITKDBG:0000000140ACD2F1 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD2F4 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACD2F7 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACD2FB 49 8B C5 mov rax, r13
INITKDBG:0000000140ACD2FE 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACD301 48 F7 E2 mul rdx
INITKDBG:0000000140ACD304 48 89 55 07 mov [rbp+57h+var_50], rdx
INITKDBG:0000000140ACD308 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACD30B 49 89 10 mov [r8], rdx
INITKDBG:0000000140ACD30E 49 83 C0 08 add r8, 8
INITKDBG:0000000140ACD312 4C 2B DE sub r11, rsi
INITKDBG:0000000140ACD315 75 CE jnz short loc_140ACD2E5
INITKDBG:0000000140ACD317 4C 8B 5D AF mov r11, [rbp+57h+var_A8]
INITKDBG:0000000140ACD31B
INITKDBG:0000000140ACD31B loc_140ACD31B: ; CODE XREF: sub_140ACCC24+6B8↑j
INITKDBG:0000000140ACD31B 45 85 C9 test r9d, r9d
INITKDBG:0000000140ACD31E 74 32 jz short loc_140ACD352
INITKDBG:0000000140ACD320 0F 31 rdtsc
INITKDBG:0000000140ACD322 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACD326 48 0B C2 or rax, rdx
INITKDBG:0000000140ACD329 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD32C 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACD32F 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACD333 49 8B C5 mov rax, r13
INITKDBG:0000000140ACD336 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACD339 48 F7 E2 mul rdx
INITKDBG:0000000140ACD33C 48 89 55 0F mov [rbp+57h+var_48], rdx
INITKDBG:0000000140ACD340 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACD343
INITKDBG:0000000140ACD343 loc_140ACD343: ; CODE XREF: sub_140ACCC24+72C↓j
INITKDBG:0000000140ACD343 41 88 10 mov [r8], dl
INITKDBG:0000000140ACD346 4C 03 C6 add r8, rsi
INITKDBG:0000000140ACD349 48 C1 EA 08 shr rdx, 8
INITKDBG:0000000140ACD34D 45 03 CF add r9d, r15d
INITKDBG:0000000140ACD350 75 F1 jnz short loc_140ACD343
INITKDBG:0000000140ACD352
INITKDBG:0000000140ACD352 loc_140ACD352: ; CODE XREF: sub_140ACCC24+6FA↑j
INITKDBG:0000000140ACD352 44 8B 4D 7F mov r9d, dword ptr [rbp+57h+arg_18]
INITKDBG:0000000140ACD356 41 8B C3 mov eax, r11d
INITKDBG:0000000140ACD359 45 2B CB sub r9d, r11d
INITKDBG:0000000140ACD35C 44 8B 5D 6F mov r11d, [rbp+57h+arg_8]
INITKDBG:0000000140ACD360 48 89 45 AF mov [rbp+57h+var_A8], rax
INITKDBG:0000000140ACD364 4E 8D 04 18 lea r8, [rax+r11]
INITKDBG:0000000140ACD368 4C 03 45 A7 add r8, [rbp+57h+var_B0]
INITKDBG:0000000140ACD36C 41 83 F9 08 cmp r9d, 8
INITKDBG:0000000140ACD370 72 40 jb short loc_140ACD3B2
INITKDBG:0000000140ACD372 41 8B C1 mov eax, r9d
INITKDBG:0000000140ACD375 48 C1 E8 03 shr rax, 3
INITKDBG:0000000140ACD379 4C 8B D8 mov r11, rax
INITKDBG:0000000140ACD37C
INITKDBG:0000000140ACD37C loc_140ACD37C: ; CODE XREF: sub_140ACCC24+788↓j
INITKDBG:0000000140ACD37C 0F 31 rdtsc
INITKDBG:0000000140ACD37E 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACD382 45 03 CA add r9d, r10d
INITKDBG:0000000140ACD385 48 0B C2 or rax, rdx
INITKDBG:0000000140ACD388 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD38B 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACD38E 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACD392 49 8B C5 mov rax, r13
INITKDBG:0000000140ACD395 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACD398 48 F7 E2 mul rdx
INITKDBG:0000000140ACD39B 48 89 55 7F mov [rbp+57h+arg_18], rdx
INITKDBG:0000000140ACD39F 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACD3A2 49 89 10 mov [r8], rdx
INITKDBG:0000000140ACD3A5 49 83 C0 08 add r8, 8
INITKDBG:0000000140ACD3A9 4C 2B DE sub r11, rsi
INITKDBG:0000000140ACD3AC 75 CE jnz short loc_140ACD37C
INITKDBG:0000000140ACD3AE 44 8B 5D 6F mov r11d, [rbp+57h+arg_8]
INITKDBG:0000000140ACD3B2
INITKDBG:0000000140ACD3B2 loc_140ACD3B2: ; CODE XREF: sub_140ACCC24+74C↑j
INITKDBG:0000000140ACD3B2 45 85 C9 test r9d, r9d
INITKDBG:0000000140ACD3B5 74 32 jz short loc_140ACD3E9
INITKDBG:0000000140ACD3B7 0F 31 rdtsc
INITKDBG:0000000140ACD3B9 48 C1 E2 20 shl rdx, 20h
INITKDBG:0000000140ACD3BD 48 0B C2 or rax, rdx
INITKDBG:0000000140ACD3C0 48 8B C8 mov rcx, rax
INITKDBG:0000000140ACD3C3 48 8B D0 mov rdx, rax
INITKDBG:0000000140ACD3C6 48 C1 C9 03 ror rcx, 3
INITKDBG:0000000140ACD3CA 49 8B C5 mov rax, r13
INITKDBG:0000000140ACD3CD 48 33 D1 xor rdx, rcx
INITKDBG:0000000140ACD3D0 48 F7 E2 mul rdx
INITKDBG:0000000140ACD3D3 48 89 55 17 mov [rbp+57h+var_40], rdx
INITKDBG:0000000140ACD3D7 48 33 D0 xor rdx, rax
INITKDBG:0000000140ACD3DA
INITKDBG:0000000140ACD3DA loc_140ACD3DA: ; CODE XREF: sub_140ACCC24+7C3↓j
INITKDBG:0000000140ACD3DA 41 88 10 mov [r8], dl
INITKDBG:0000000140ACD3DD 4C 03 C6 add r8, rsi
INITKDBG:0000000140ACD3E0 48 C1 EA 08 shr rdx, 8
INITKDBG:0000000140ACD3E4 45 03 CF add r9d, r15d
INITKDBG:0000000140ACD3E7 75 F1 jnz short loc_140ACD3DA
INITKDBG:0000000140ACD3E9
INITKDBG:0000000140ACD3E9 loc_140ACD3E9: ; CODE XREF: sub_140ACCC24+791↑j
INITKDBG:0000000140ACD3E9 48 8B 4D AF mov rcx, [rbp+57h+var_A8]
INITKDBG:0000000140ACD3ED 48 03 4D A7 add rcx, [rbp+57h+var_B0]
INITKDBG:0000000140ACD3F1 0F 84 85 00 00 00 jz loc_140ACD47C
INITKDBG:0000000140ACD3F7 8B 97 AC 07 00 00 mov edx, [rdi+7ACh]
INITKDBG:0000000140ACD3FD 4C 8B C1 mov r8, rcx
INITKDBG:0000000140ACD400 83 FA 08 cmp edx, 8
INITKDBG:0000000140ACD403 72 1D jb short loc_140ACD422
INITKDBG:0000000140ACD405 44 8B CA mov r9d, edx
INITKDBG:0000000140ACD408 49 C1 E9 03 shr r9, 3
INITKDBG:0000000140ACD40C
INITKDBG:0000000140ACD40C loc_140ACD40C: ; CODE XREF: sub_140ACCC24+7FC↓j
INITKDBG:0000000140ACD40C 48 8B 07 mov rax, [rdi]
INITKDBG:0000000140ACD40F 41 03 D2 add edx, r10d
INITKDBG:0000000140ACD412 49 89 00 mov [r8], rax
INITKDBG:0000000140ACD415 48 83 C7 08 add rdi, 8
INITKDBG:0000000140ACD419 49 83 C0 08 add r8, 8
INITKDBG:0000000140ACD41D 4C 2B CE sub r9, rsi
INITKDBG:0000000140ACD420 75 EA jnz short loc_140ACD40C
INITKDBG:0000000140ACD422
INITKDBG:0000000140ACD422 loc_140ACD422: ; CODE XREF: sub_140ACCC24+7DF↑j
INITKDBG:0000000140ACD422 85 D2 test edx, edx
INITKDBG:0000000140ACD424 74 11 jz short loc_140ACD437
INITKDBG:0000000140ACD426 4C 2B C7 sub r8, rdi
INITKDBG:0000000140ACD429
INITKDBG:0000000140ACD429 loc_140ACD429: ; CODE XREF: sub_140ACCC24+811↓j
INITKDBG:0000000140ACD429 8A 07 mov al, [rdi]
INITKDBG:0000000140ACD42B 41 88 04 38 mov [r8+rdi], al
INITKDBG:0000000140ACD42F 48 03 FE add rdi, rsi
INITKDBG:0000000140ACD432 41 03 D7 add edx, r15d
INITKDBG:0000000140ACD435 75 F2 jnz short loc_140ACD429
INITKDBG:0000000140ACD437
INITKDBG:0000000140ACD437 loc_140ACD437: ; CODE XREF: sub_140ACCC24+800↑j
INITKDBG:0000000140ACD437 8B 81 58 09 00 00 mov eax, [rcx+958h]
INITKDBG:0000000140ACD43D 44 89 99 AC 07 00 00 mov [rcx+7ACh], r11d
INITKDBG:0000000140ACD444 4C 89 A1 90 07 00 00 mov [rcx+790h], r12
INITKDBG:0000000140ACD44B C7 81 EC 08 00 00 03 00 00 00 mov dword ptr [rcx+8ECh], 3
INITKDBG:0000000140ACD455 0F BA E0 1C bt eax, 1Ch
INITKDBG:0000000140ACD459 72 24 jb short loc_140ACD47F
INITKDBG:0000000140ACD45B 0F BA E8 1D bts eax, 1Dh
INITKDBG:0000000140ACD45F 89 81 58 09 00 00 mov [rcx+958h], eax
INITKDBG:0000000140ACD465 EB 18 jmp short loc_140ACD47F
INITKDBG:0000000140ACD467 ; ---------------------------------------------------------------------------
INITKDBG:0000000140ACD467
INITKDBG:0000000140ACD467 loc_140ACD467: ; CODE XREF: sub_140ACCC24+62A↑j
INITKDBG:0000000140ACD467 ; sub_140ACCC24+64D↑j ...
INITKDBG:0000000140ACD467 48 8B 87 58 03 00 00 mov rax, [rdi+358h]
INITKDBG:0000000140ACD46E 49 8B CC mov rcx, r12
INITKDBG:0000000140ACD471 E8 3A 1F 00 00 call KeGuardDispatchICall
INITKDBG:0000000140ACD476
INITKDBG:0000000140ACD476 loc_140ACD476: ; CODE XREF: sub_140ACCC24+46F↑j
INITKDBG:0000000140ACD476 ; sub_140ACCC24+594↑j
INITKDBG:0000000140ACD476 01 B7 E0 09 00 00 add [rdi+9E0h], esi
INITKDBG:0000000140ACD47C
INITKDBG:0000000140ACD47C loc_140ACD47C: ; CODE XREF: sub_140ACCC24+7CD↑j
INITKDBG:0000000140ACD47C 48 8B CB mov rcx, rbx
INITKDBG:0000000140ACD47F
INITKDBG:0000000140ACD47F loc_140ACD47F: ; CODE XREF: sub_140ACCC24+835↑j
INITKDBG:0000000140ACD47F ; sub_140ACCC24+841↑j
INITKDBG:0000000140ACD47F 48 8B C1 mov rax, rcx
INITKDBG:0000000140ACD482
INITKDBG:0000000140ACD482 loc_140ACD482: ; CODE XREF: sub_140ACCC24+342↑j
INITKDBG:0000000140ACD482 48 81 C4 C0 00 00 00 add rsp, 0C0h
INITKDBG:0000000140ACD489 41 5F pop r15
INITKDBG:0000000140ACD48B 41 5D pop r13
INITKDBG:0000000140ACD48D 41 5C pop r12
INITKDBG:0000000140ACD48F 5F pop rdi
INITKDBG:0000000140ACD490 5E pop rsi
INITKDBG:0000000140ACD491 5B pop rbx
INITKDBG:0000000140ACD492 5D pop rbp
INITKDBG:0000000140ACD493 C3 retn
INITKDBG:0000000140ACD493 ; ---------------------------------------------------------------------------
INITKDBG:0000000140ACD494 CC db 0CCh
INITKDBG:0000000140ACD494 sub_140ACCC24 endp
解密
; Qword copy loop: each pass moves 8 bytes from [rdi] to [r8] and advances both
; pointers by 8. The same seven instructions appear at fa71b882 in the longer
; listing below, where edx is loaded from [rdi+7ACh], r15 = edx >> 3 and
; r10d = 0FFFFFFF8h (-8). Those register values are not visible in this excerpt.
ffffd209`fa71b882 488b07 mov rax,qword ptr [rdi] ; load 8 source bytes
ffffd209`fa71b885 4103d2 add edx,r10d ; remaining byte count += r10d
ffffd209`fa71b888 498900 mov qword ptr [r8],rax ; store them at the destination
ffffd209`fa71b88b 4883c708 add rdi,8
ffffd209`fa71b88f 4983c008 add r8,8
ffffd209`fa71b893 4c2bfe sub r15,rsi ; qword counter -= rsi (presumably 1; confirm)
ffffd209`fa71b896 75ea jne ffffd209`fa71b882 ; repeat until the counter reaches zero
加密的地址被解密后
; Size selection and buffer allocation. The excerpt starts in the middle of the
; rdtsc-based value generator that is shown in full further down (fa71b8e5):
;   value = hi ^ lo of the 128-bit product r13 * (tsc ^ ror(tsc, 3)).
; Every "call fa71dd2a" has its target loaded into rax immediately before it,
; the same shape as the "mov rax, [rdi+X] / call KeGuardDispatchICall" pairs in
; the IDA listing above.
; NOTE(review): [rdi+210h]/[rdi+218h]/[rdi+220h] are called as (size, -1),
; (ptr, size) and (ptr, page-rounded size, 40h); presumably the
; MmAllocateIndependentPages / MmFreeIndependentPages / MmSetPageProtection
; pointers from the log at the top of the page, but the listing does not name them.
ffffd209`fa71b674 8bd0 mov edx, eax ; NOTE(review): likely the tail of "48 8b d0  mov rdx, rax" decoded one byte late; compare fa71b76b
ffffd209`fa71b676 48c1c903 ror rcx, 3
ffffd209`fa71b67a 498bc5 mov rax, r13 ; r13 = multiplier (loaded at fa71b8eb on the other path)
ffffd209`fa71b67d 4833d1 xor rdx, rcx
ffffd209`fa71b680 48f7e2 mul rax, rdx ; bytes 48 f7 e2 = one-operand "mul rdx": rdx:rax = rax * rdx
ffffd209`fa71b683 33c2 xor eax, edx ; fold the low dwords of both product halves
ffffd209`fa71b685 488955cf mov qword ptr [rbp-31h], rdx ; spill the high half
ffffd209`fa71b689 23c6 and eax, esi ; keep the bits selected by esi (esi appears to be 1, cf. "mov esi, 1" at fa71b952; confirm)
ffffd209`fa71b68b 83caff or edx, 0FFFFFFFFh ; edx = 0FFFFFFFFh, second argument of the call below
ffffd209`fa71b68e c1e00c shl eax, 0Ch
ffffd209`fa71b691 0500100000 add eax, 1000h ; eax = 1000h or 2000h when esi is 1
ffffd209`fa71b696 4403f8 add r15d, eax
ffffd209`fa71b699 438d041f lea eax, [r15+r11] ; eax = r15d + r11d, the total byte count
ffffd209`fa71b69d 488d4808 lea rcx, [rax+8] ; first argument = byte count + 8
ffffd209`fa71b6a1 4889457f mov qword ptr [rbp+7Fh], rax ; remember the byte count
ffffd209`fa71b6a5 488b8710020000 mov rax, qword ptr [rdi+210h] ; call target taken from the structure at rdi
ffffd209`fa71b6ac 48894daf mov qword ptr [rbp-51h], rcx ; remember byte count + 8
ffffd209`fa71b6b0 e875260000 call ffffd209`fa71dd2a
ffffd209`fa71b6b5 4c8be0 mov r12, rax ; r12 = returned pointer
ffffd209`fa71b6b8 4885c0 test rax, rax
ffffd209`fa71b6bb 7478 je ffffd209`fa71b735 ; null result -> failure path
ffffd209`fa71b6bd 488b557f mov rdx, qword ptr [rbp+7Fh]
ffffd209`fa71b6c1 448d463f lea r8d, [rsi+3Fh] ; r8d = rsi + 3Fh (40h when rsi is 1; the IDA listing loads 40h directly before the same call)
ffffd209`fa71b6c5 488b8720020000 mov rax, qword ptr [rdi+220h]
ffffd209`fa71b6cc 4881c2ff0f0000 add rdx, 0FFFh
ffffd209`fa71b6d3 81e200f0ffff and edx, 0FFFFF000h ; round the byte count up to a 4 KiB multiple (32-bit op, upper half of rdx cleared)
ffffd209`fa71b6d9 498bcc mov rcx, r12
ffffd209`fa71b6dc e849260000 call ffffd209`fa71dd2a ; NOTE(review): if 40h is a page protection value it is PAGE_EXECUTE_READWRITE (writable and executable); confirm
ffffd209`fa71b6e1 84c0 test al, al
ffffd209`fa71b6e3 7515 jne ffffd209`fa71b6fa ; non-zero al -> success
; The call returned 0: hand the buffer to the routine at [rdi+218h], then take the failure path.
ffffd209`fa71b6e5 488b8718020000 mov rax, qword ptr [rdi+218h]
ffffd209`fa71b6ec 498bcc mov rcx, r12
ffffd209`fa71b6ef 488b557f mov rdx, qword ptr [rbp+7Fh]
ffffd209`fa71b6f3 e832260000 call ffffd209`fa71dd2a
ffffd209`fa71b6f8 eb3b jmp ffffd209`fa71b735
; Success: the first qword of the buffer records byte count + 8, and r12 is moved past it.
ffffd209`fa71b6fa 488b45af mov rax, qword ptr [rbp-51h]
ffffd209`fa71b6fe 49890424 mov qword ptr [r12], rax
ffffd209`fa71b702 4983c408 add r12, 8
ffffd209`fa71b706 eb28 jmp ffffd209`fa71b730
; fa71b708 is reached from a branch outside this excerpt: a different call target, [rdi+0E8h].
ffffd209`fa71b708 488b87e8000000 mov rax, qword ptr [rdi+0E8h]
ffffd209`fa71b70f 438d141f lea edx, [r15+r11] ; edx = r15d + r11d
ffffd209`fa71b713 448b457f mov r8d, dword ptr [rbp+7Fh]
ffffd209`fa71b717 41f7dc neg r12d ; CF = (r12d != 0)
ffffd209`fa71b71a 481bc9 sbb rcx, rcx ; rcx = -1 when CF is set, else 0
ffffd209`fa71b71d 4883e1c0 and rcx, 0FFFFFFFFFFFFFFC0h
ffffd209`fa71b721 4881c182000000 add rcx, 82h ; rcx = 42h when r12d was non-zero, 82h when it was zero
ffffd209`fa71b728 e8fd250000 call ffffd209`fa71dd2a
ffffd209`fa71b72d 4c8be0 mov r12, rax
ffffd209`fa71b730 4d85e4 test r12, r12
ffffd209`fa71b733 750b jne ffffd209`fa71b740 ; non-null buffer -> continue with the fill code
ffffd209`fa71b735 01b7e0090000 add dword ptr [rdi+9E0h], esi ; failure path: add esi to the dword at [rdi+9E0h]
ffffd209`fa71b73b e99d010000 jmp ffffd209`fa71b8dd
; Fill the first [rbp-59h] bytes (low dword used) at r12 with generated filler:
; whole qwords first, then the remaining 1..7 bytes taken from a single value.
; Each value is hi ^ lo of r13 * (tsc ^ ror(tsc, 3)). rdtsc is the only
; varying input visible here, so the output is padding, not cryptographic randomness.
ffffd209`fa71b740 488b45a7 mov rax, qword ptr [rbp-59h]
ffffd209`fa71b744 4d8bc4 mov r8, r12 ; r8 = write cursor
ffffd209`fa71b747 448bd8 mov r11d, eax ; r11d = bytes still to fill
ffffd209`fa71b74a 41baf8ffffff mov r10d, 0FFFFFFF8h ; r10d = -8, added once per stored qword
ffffd209`fa71b750 83f808 cmp eax, 8
ffffd209`fa71b753 7239 jb ffffd209`fa71b78e ; fewer than 8 bytes: skip the qword loop
ffffd209`fa71b755 448bc8 mov r9d, eax
ffffd209`fa71b758 49c1e903 shr r9, 3 ; r9 = number of whole qwords
ffffd209`fa71b75c 0f31 rdtsc
ffffd209`fa71b75e 48c1e220 shl rdx, 20h
ffffd209`fa71b762 4503da add r11d, r10d ; remaining -= 8
ffffd209`fa71b765 480bc2 or rax, rdx ; rax = 64-bit time-stamp counter
ffffd209`fa71b768 488bc8 mov rcx, rax
ffffd209`fa71b76b 488bd0 mov rdx, rax
ffffd209`fa71b76e 48c1c903 ror rcx, 3
ffffd209`fa71b772 498bc5 mov rax, r13
ffffd209`fa71b775 4833d1 xor rdx, rcx ; rdx = tsc ^ ror(tsc, 3)
ffffd209`fa71b778 48f7e2 mul rax, rdx ; one-operand mul: rdx:rax = r13 * rdx
ffffd209`fa71b77b 488955d7 mov qword ptr [rbp-29h], rdx ; spill the high half
ffffd209`fa71b77f 4833d0 xor rdx, rax ; value = hi ^ lo
ffffd209`fa71b782 498910 mov qword ptr [r8], rdx
ffffd209`fa71b785 4983c008 add r8, 8
ffffd209`fa71b789 4c2bce sub r9, rsi ; qword counter -= rsi (presumably 1; confirm)
ffffd209`fa71b78c 75ce jne ffffd209`fa71b75c
ffffd209`fa71b78e 4585db test r11d, r11d
ffffd209`fa71b791 7438 je ffffd209`fa71b7cb ; no tail bytes left
ffffd209`fa71b793 0f31 rdtsc
ffffd209`fa71b795 48c1e220 shl rdx, 20h
ffffd209`fa71b799 480bc2 or rax, rdx
ffffd209`fa71b79c 488bc8 mov rcx, rax
ffffd209`fa71b79f 488bd0 mov rdx, rax
ffffd209`fa71b7a2 48c1c903 ror rcx, 3
ffffd209`fa71b7a6 498bc5 mov rax, r13
ffffd209`fa71b7a9 4833d1 xor rdx, rcx
ffffd209`fa71b7ac 48f7e2 mul rax, rdx
ffffd209`fa71b7af 488955df mov qword ptr [rbp-21h], rdx
ffffd209`fa71b7b3 4833d0 xor rdx, rax ; one value supplies every tail byte
ffffd209`fa71b7b6 4183c9ff or r9d, 0FFFFFFFFh ; r9d = -1, the byte-loop step
ffffd209`fa71b7ba 418810 mov byte ptr [r8], dl
ffffd209`fa71b7bd 4c03c6 add r8, rsi
ffffd209`fa71b7c0 48c1ea08 shr rdx, 8 ; next byte of the value
ffffd209`fa71b7c4 4503d9 add r11d, r9d ; remaining -= 1
ffffd209`fa71b7c7 75f1 jne ffffd209`fa71b7ba
ffffd209`fa71b7c9 eb04 jmp ffffd209`fa71b7cf
ffffd209`fa71b7cb 4183c9ff or r9d, 0FFFFFFFFh ; both paths leave r9d = -1 for the later byte loops
; Second filler region. The write cursor is r12 + [rbp+6Fh] + first-region
; length, so a gap of [rbp+6Fh] bytes is left untouched between the two filled
; regions (the copy loop at fa71b86d writes into that gap). r15d - first-region
; length bytes are filled, again as qwords followed by tail bytes.
ffffd209`fa71b7cf 488b55a7 mov rdx, qword ptr [rbp-59h] ; first-region length
ffffd209`fa71b7d3 448b5d6f mov r11d, dword ptr [rbp+6Fh]
ffffd209`fa71b7d7 442bfa sub r15d, edx ; r15d = bytes left for this region
ffffd209`fa71b7da 8bc2 mov eax, edx
ffffd209`fa71b7dc 488945af mov qword ptr [rbp-51h], rax ; keep the first-region length (zero-extended)
ffffd209`fa71b7e0 4f8d041c lea r8, [r12+r11]
ffffd209`fa71b7e4 4c03c0 add r8, rax ; r8 = r12 + [rbp+6Fh] + first-region length
ffffd209`fa71b7e7 4183ff08 cmp r15d, 8
ffffd209`fa71b7eb 7240 jb ffffd209`fa71b82d
ffffd209`fa71b7ed 418bc7 mov eax, r15d
ffffd209`fa71b7f0 48c1e803 shr rax, 3
ffffd209`fa71b7f4 4c8bd8 mov r11, rax ; r11 = number of whole qwords
ffffd209`fa71b7f7 0f31 rdtsc
ffffd209`fa71b7f9 48c1e220 shl rdx, 20h
ffffd209`fa71b7fd 4503fa add r15d, r10d ; remaining -= 8 (r10d = 0FFFFFFF8h)
ffffd209`fa71b800 480bc2 or rax, rdx
ffffd209`fa71b803 488bc8 mov rcx, rax
ffffd209`fa71b806 488bd0 mov rdx, rax
ffffd209`fa71b809 48c1c903 ror rcx, 3
ffffd209`fa71b80d 498bc5 mov rax, r13
ffffd209`fa71b810 4833d1 xor rdx, rcx
ffffd209`fa71b813 48f7e2 mul rax, rdx ; rdx:rax = r13 * (tsc ^ ror(tsc, 3))
ffffd209`fa71b816 488955e7 mov qword ptr [rbp-19h], rdx
ffffd209`fa71b81a 4833d0 xor rdx, rax
ffffd209`fa71b81d 498910 mov qword ptr [r8], rdx
ffffd209`fa71b820 4983c008 add r8, 8
ffffd209`fa71b824 4c2bde sub r11, rsi
ffffd209`fa71b827 75ce jne ffffd209`fa71b7f7
ffffd209`fa71b829 448b5d6f mov r11d, dword ptr [rbp+6Fh] ; r11 served as the loop counter; reload it
ffffd209`fa71b82d 4585ff test r15d, r15d
ffffd209`fa71b830 7432 je ffffd209`fa71b864
ffffd209`fa71b832 0f31 rdtsc
ffffd209`fa71b834 48c1e220 shl rdx, 20h
ffffd209`fa71b838 480bc2 or rax, rdx
ffffd209`fa71b83b 488bc8 mov rcx, rax
ffffd209`fa71b83e 488bd0 mov rdx, rax
ffffd209`fa71b841 48c1c903 ror rcx, 3
ffffd209`fa71b845 498bc5 mov rax, r13
ffffd209`fa71b848 4833d1 xor rdx, rcx
ffffd209`fa71b84b 48f7e2 mul rax, rdx
ffffd209`fa71b84e 488955ef mov qword ptr [rbp-11h], rdx
ffffd209`fa71b852 4833d0 xor rdx, rax
ffffd209`fa71b855 418810 mov byte ptr [r8], dl ; tail bytes, one per pass
ffffd209`fa71b858 4c03c6 add r8, rsi
ffffd209`fa71b85b 48c1ea08 shr rdx, 8
ffffd209`fa71b85f 4503f9 add r15d, r9d ; remaining -= 1 (r9d = -1, set at fa71b7b6 or fa71b7cb)
ffffd209`fa71b862 75f1 jne ffffd209`fa71b855
; Copy [rdi+7ACh] bytes from the structure at rdi to rcx = r12 + first-region
; length, i.e. into the gap left between the two filler regions, then update
; fields of the copy. rdi is advanced by the copy, so every field access after
; it goes through rcx.
ffffd209`fa71b864 488b4daf mov rcx, qword ptr [rbp-51h]
ffffd209`fa71b868 4903cc add rcx, r12 ; rcx = destination of the copy
ffffd209`fa71b86b 7470 je ffffd209`fa71b8dd ; zero sum: skip the copy and return rbx as it stands
ffffd209`fa71b86d 8b97ac070000 mov edx, dword ptr [rdi+7ACh] ; byte count stored in the source structure
ffffd209`fa71b873 4c8bc1 mov r8, rcx
ffffd209`fa71b876 83fa08 cmp edx, 8
ffffd209`fa71b879 721d jb ffffd209`fa71b898
ffffd209`fa71b87b 448bfa mov r15d, edx
ffffd209`fa71b87e 49c1ef03 shr r15, 3 ; r15 = number of whole qwords
ffffd209`fa71b882 488b07 mov rax, qword ptr [rdi]
ffffd209`fa71b885 4103d2 add edx, r10d ; remaining -= 8
ffffd209`fa71b888 498900 mov qword ptr [r8], rax
ffffd209`fa71b88b 4883c708 add rdi, 8
ffffd209`fa71b88f 4983c008 add r8, 8
ffffd209`fa71b893 4c2bfe sub r15, rsi
ffffd209`fa71b896 75ea jne ffffd209`fa71b882
ffffd209`fa71b898 85d2 test edx, edx
ffffd209`fa71b89a 7411 je ffffd209`fa71b8ad
ffffd209`fa71b89c 4c2bc7 sub r8, rdi ; r8 = destination - source, so [rdi+r8] addresses the destination byte
ffffd209`fa71b89f 8a07 mov al, byte ptr [rdi]
ffffd209`fa71b8a1 42880407 mov byte ptr [rdi+r8], al
ffffd209`fa71b8a5 4803fe add rdi, rsi
ffffd209`fa71b8a8 4103d1 add edx, r9d ; remaining -= 1
ffffd209`fa71b8ab 75f2 jne ffffd209`fa71b89f
ffffd209`fa71b8ad 8b4577 mov eax, dword ptr [rbp+77h]
ffffd209`fa71b8b0 8981ec080000 mov dword ptr [rcx+8ECh], eax ; the IDA listing above stores the constant 3 in this field
ffffd209`fa71b8b6 8b8158090000 mov eax, dword ptr [rcx+958h] ; flag dword
ffffd209`fa71b8bc 448999ac070000 mov dword ptr [rcx+7ACh], r11d ; byte-count field of the copy = [rbp+6Fh]
ffffd209`fa71b8c3 4c89a190070000 mov qword ptr [rcx+790h], r12 ; record the buffer pointer in the copy
ffffd209`fa71b8ca 0fbae01c bt eax, 1Ch
ffffd209`fa71b8ce 720a jb ffffd209`fa71b8da ; bit 28 already set: leave the flags alone
ffffd209`fa71b8d0 0fbae81d bts eax, 1Dh ; otherwise set bit 29
ffffd209`fa71b8d4 898158090000 mov dword ptr [rcx+958h], eax
ffffd209`fa71b8da 488bd9 mov rbx, rcx
ffffd209`fa71b8dd 488bc3 mov rax, rbx ; result = address of the copy, or the incoming rbx on the skipped and failure paths
ffffd209`fa71b8e0 e917050000 jmp ffffd209`fa71bdfc ; target lies outside this excerpt
; Other path, entered at fa71b8e5. Five generated values choose the layout:
;   r9d       = value & 7FFh
;   [rbp-51h] = value mod (r9d + 1)
;   [rbp+7Fh] = r9d + 1000h or 2000h (one generated bit picks which)
;   r12d      = value & 7FFh
;   [rbp-49h] = value mod (r12d + 1)
; A buffer request of r12d + 20h bytes is then made through [rdi+0E8h].
; Each value is hi ^ lo of the 128-bit product r13 * (tsc ^ ror(tsc, 3)).
ffffd209`fa71b8e5 0f31 rdtsc
ffffd209`fa71b8e7 48c1e220 shl rdx, 20h
ffffd209`fa71b8eb 49bd0120000480001070 mov r13, 7010008004002001h ; fixed multiplier, kept in r13 for every later value
ffffd209`fa71b8f5 480bc2 or rax, rdx ; rax = 64-bit time-stamp counter
ffffd209`fa71b8f8 488bc8 mov rcx, rax
ffffd209`fa71b8fb 488bd0 mov rdx, rax
ffffd209`fa71b8fe 48c1c903 ror rcx, 3
ffffd209`fa71b902 498bc5 mov rax, r13
ffffd209`fa71b905 4833d1 xor rdx, rcx
ffffd209`fa71b908 48f7e2 mul rax, rdx ; one-operand mul: rdx:rax = r13 * rdx
ffffd209`fa71b90b 4c8bc8 mov r9, rax
ffffd209`fa71b90e 488955ef mov qword ptr [rbp-11h], rdx
ffffd209`fa71b912 4433ca xor r9d, edx
ffffd209`fa71b915 4181e1ff070000 and r9d, 7FFh ; r9d in 0..7FFh
ffffd209`fa71b91c 0f31 rdtsc
ffffd209`fa71b91e 48c1e220 shl rdx, 20h
ffffd209`fa71b922 480bc2 or rax, rdx
ffffd209`fa71b925 488bc8 mov rcx, rax
ffffd209`fa71b928 488bd0 mov rdx, rax
ffffd209`fa71b92b 48c1c903 ror rcx, 3
ffffd209`fa71b92f 498bc5 mov rax, r13
ffffd209`fa71b932 4833d1 xor rdx, rcx
ffffd209`fa71b935 418d4901 lea ecx, [r9+1] ; divisor = r9d + 1, never zero
ffffd209`fa71b939 48f7e2 mul rax, rdx
ffffd209`fa71b93c 488955e7 mov qword ptr [rbp-19h], rdx
ffffd209`fa71b940 4833c2 xor rax, rdx
ffffd209`fa71b943 33d2 xor edx, edx ; clear rdx so the dividend is rax alone
ffffd209`fa71b945 48f7f1 div rax, rcx ; bytes 48 f7 f1 = one-operand "div rcx": rdx = remainder
ffffd209`fa71b948 488955af mov qword ptr [rbp-51h], rdx ; remainder in 0..r9d
ffffd209`fa71b94c 0f31 rdtsc
ffffd209`fa71b94e 48c1e220 shl rdx, 20h
ffffd209`fa71b952 be01000000 mov esi, 1 ; rsi = 1: loop step and one-bit mask below
ffffd209`fa71b957 480bc2 or rax, rdx
ffffd209`fa71b95a 488bc8 mov rcx, rax
ffffd209`fa71b95d 4c8bc0 mov r8, rax
ffffd209`fa71b960 48c1c903 ror rcx, 3
ffffd209`fa71b964 498bc5 mov rax, r13
ffffd209`fa71b967 4c33c1 xor r8, rcx
ffffd209`fa71b96a 49f7e0 mul rax, r8
ffffd209`fa71b96d 448b87d8070000 mov r8d, dword ptr [rdi+7D8h] ; r8d is not written again before the call at fa71b9f7
ffffd209`fa71b974 33c2 xor eax, edx
ffffd209`fa71b976 488955df mov qword ptr [rbp-21h], rdx
ffffd209`fa71b97a 23c6 and eax, esi ; keep one generated bit
ffffd209`fa71b97c c1e00c shl eax, 0Ch
ffffd209`fa71b97f 0500100000 add eax, 1000h ; 1000h or 2000h
ffffd209`fa71b984 4103c1 add eax, r9d
ffffd209`fa71b987 89457f mov dword ptr [rbp+7Fh], eax
ffffd209`fa71b98a 0f31 rdtsc
ffffd209`fa71b98c 48c1e220 shl rdx, 20h
ffffd209`fa71b990 480bc2 or rax, rdx
ffffd209`fa71b993 488bc8 mov rcx, rax
ffffd209`fa71b996 488bd0 mov rdx, rax
ffffd209`fa71b999 48c1c903 ror rcx, 3
ffffd209`fa71b99d 498bc5 mov rax, r13
ffffd209`fa71b9a0 4833d1 xor rdx, rcx
ffffd209`fa71b9a3 48f7e2 mul rax, rdx
ffffd209`fa71b9a6 4c8be0 mov r12, rax
ffffd209`fa71b9a9 488955d7 mov qword ptr [rbp-29h], rdx
ffffd209`fa71b9ad 4433e2 xor r12d, edx
ffffd209`fa71b9b0 4181e4ff070000 and r12d, 7FFh ; r12d in 0..7FFh
ffffd209`fa71b9b7 0f31 rdtsc
ffffd209`fa71b9b9 48c1e220 shl rdx, 20h
ffffd209`fa71b9bd 480bc2 or rax, rdx
ffffd209`fa71b9c0 488bc8 mov rcx, rax
ffffd209`fa71b9c3 488bd0 mov rdx, rax
ffffd209`fa71b9c6 48c1c903 ror rcx, 3
ffffd209`fa71b9ca 498bc5 mov rax, r13
ffffd209`fa71b9cd 4833d1 xor rdx, rcx
ffffd209`fa71b9d0 418d4c2401 lea ecx, [r12+1] ; divisor = r12d + 1, never zero
ffffd209`fa71b9d5 48f7e2 mul rax, rdx
ffffd209`fa71b9d8 4833c2 xor rax, rdx
ffffd209`fa71b9db 488955cf mov qword ptr [rbp-31h], rdx
ffffd209`fa71b9df 33d2 xor edx, edx
ffffd209`fa71b9e1 48f7f1 div rax, rcx
ffffd209`fa71b9e4 488b87e8000000 mov rax, qword ptr [rdi+0E8h] ; call target taken from the structure at rdi
ffffd209`fa71b9eb 8d4e41 lea ecx, [rsi+41h] ; ecx = 42h (rsi = 1)
ffffd209`fa71b9ee 488955b7 mov qword ptr [rbp-49h], rdx ; remainder in 0..r12d
ffffd209`fa71b9f2 418d542420 lea edx, [r12+20h] ; edx = r12d + 20h
ffffd209`fa71b9f7 e82e230000 call ffffd209`fa71dd2a ; NOTE(review): (42h, byte count, dword from [rdi+7D8h]) looks like a tagged pool allocation; confirm
ffffd209`fa71b9fc 33db xor ebx, ebx ; rbx = 0: zero source below and the default result
ffffd209`fa71b9fe 488945a7 mov qword ptr [rbp-59h], rax ; keep the returned pointer
ffffd209`fa71ba02 4885c0 test rax, rax
ffffd209`fa71ba05 750b jne ffffd209`fa71ba12
ffffd209`fa71ba07 01b7e0090000 add dword ptr [rdi+9E0h], esi ; null result: add 1 to the dword at [rdi+9E0h]
ffffd209`fa71ba0d e9de030000 jmp ffffd209`fa71bdf0 ; target lies outside this excerpt
; Fill the first [rbp-49h] bytes of the buffer returned by the call at
; fa71b9f7 (rax) with generated filler: whole qwords first, then tail bytes
; taken from one value. r8d = -8 and r15d = -1 are the two loop steps.
ffffd209`fa71ba12 4c8b5db7 mov r11, qword ptr [rbp-49h] ; remainder stored at fa71b9ee, 0..r12d
ffffd209`fa71ba16 4c8bc8 mov r9, rax ; r9 = write cursor at the start of the buffer
ffffd209`fa71ba19 458bd3 mov r10d, r11d ; r10d = bytes still to fill
ffffd209`fa71ba1c 41b8f8ffffff mov r8d, 0FFFFFFF8h ; r8d = -8
ffffd209`fa71ba22 4183fb08 cmp r11d, 8
ffffd209`fa71ba26 7239 jb ffffd209`fa71ba61
ffffd209`fa71ba28 458bfb mov r15d, r11d
ffffd209`fa71ba2b 49c1ef03 shr r15, 3 ; r15 = number of whole qwords
ffffd209`fa71ba2f 0f31 rdtsc
ffffd209`fa71ba31 48c1e220 shl rdx, 20h
ffffd209`fa71ba35 4503d0 add r10d, r8d ; remaining -= 8
ffffd209`fa71ba38 480bc2 or rax, rdx
ffffd209`fa71ba3b 488bc8 mov rcx, rax
ffffd209`fa71ba3e 488bd0 mov rdx, rax
ffffd209`fa71ba41 48c1c903 ror rcx, 3
ffffd209`fa71ba45 498bc5 mov rax, r13
ffffd209`fa71ba48 4833d1 xor rdx, rcx
ffffd209`fa71ba4b 48f7e2 mul rax, rdx ; rdx:rax = r13 * (tsc ^ ror(tsc, 3))
ffffd209`fa71ba4e 488955c7 mov qword ptr [rbp-39h], rdx
ffffd209`fa71ba52 4833d0 xor rdx, rax ; value = hi ^ lo
ffffd209`fa71ba55 498911 mov qword ptr [r9], rdx
ffffd209`fa71ba58 4983c108 add r9, 8
ffffd209`fa71ba5c 4c2bfe sub r15, rsi ; rsi = 1 (set at fa71b952)
ffffd209`fa71ba5f 75ce jne ffffd209`fa71ba2f
ffffd209`fa71ba61 4183cfff or r15d, 0FFFFFFFFh ; r15d = -1, the byte-loop step from here on
ffffd209`fa71ba65 4585d2 test r10d, r10d
ffffd209`fa71ba68 7432 je ffffd209`fa71ba9c
ffffd209`fa71ba6a 0f31 rdtsc
ffffd209`fa71ba6c 48c1e220 shl rdx, 20h
ffffd209`fa71ba70 480bc2 or rax, rdx
ffffd209`fa71ba73 488bc8 mov rcx, rax
ffffd209`fa71ba76 488bd0 mov rdx, rax
ffffd209`fa71ba79 48c1c903 ror rcx, 3
ffffd209`fa71ba7d 498bc5 mov rax, r13
ffffd209`fa71ba80 4833d1 xor rdx, rcx
ffffd209`fa71ba83 48f7e2 mul rax, rdx
ffffd209`fa71ba86 488955bf mov qword ptr [rbp-41h], rdx
ffffd209`fa71ba8a 4833d0 xor rdx, rax
ffffd209`fa71ba8d 418811 mov byte ptr [r9], dl ; tail bytes, one per pass
ffffd209`fa71ba90 4c03ce add r9, rsi
ffffd209`fa71ba93 48c1ea08 shr rdx, 8
ffffd209`fa71ba97 4503d7 add r10d, r15d ; remaining -= 1
ffffd209`fa71ba9a 75f1 jne ffffd209`fa71ba8d
; Skip a 20h-byte slot at buffer + offset (its address is saved at [rbp-49h])
; and fill the r12d - offset bytes that follow it with generated filler.
; Resulting layout of the r12d + 20h byte buffer: filler, 20h-byte slot, filler.
ffffd209`fa71ba9c 418bc3 mov eax, r11d ; eax = offset chosen earlier (0..r12d)
ffffd209`fa71ba9f 452be3 sub r12d, r11d ; r12d = bytes to fill after the slot
ffffd209`fa71baa2 4c8b5da7 mov r11, qword ptr [rbp-59h] ; buffer base
ffffd209`fa71baa6 4d8d4b20 lea r9, [r11+20h]
ffffd209`fa71baaa 4c03c8 add r9, rax ; r9 = base + offset + 20h, write cursor past the slot
ffffd209`fa71baad 4a8d0c18 lea rcx, [rax+r11]
ffffd209`fa71bab1 48894db7 mov qword ptr [rbp-49h], rcx ; save the slot address, base + offset
ffffd209`fa71bab5 4183fc08 cmp r12d, 8
ffffd209`fa71bab9 7239 jb ffffd209`fa71baf4
ffffd209`fa71babb 458bd4 mov r10d, r12d
ffffd209`fa71babe 49c1ea03 shr r10, 3 ; r10 = number of whole qwords
ffffd209`fa71bac2 0f31 rdtsc
ffffd209`fa71bac4 48c1e220 shl rdx, 20h
ffffd209`fa71bac8 4503e0 add r12d, r8d ; remaining -= 8 (r8d = 0FFFFFFF8h)
ffffd209`fa71bacb 480bc2 or rax, rdx
ffffd209`fa71bace 488bc8 mov rcx, rax
ffffd209`fa71bad1 488bd0 mov rdx, rax
ffffd209`fa71bad4 48c1c903 ror rcx, 3
ffffd209`fa71bad8 498bc5 mov rax, r13
ffffd209`fa71badb 4833d1 xor rdx, rcx
ffffd209`fa71bade 48f7e2 mul rax, rdx ; rdx:rax = r13 * (tsc ^ ror(tsc, 3))
ffffd209`fa71bae1 488955f7 mov qword ptr [rbp-9], rdx
ffffd209`fa71bae5 4833d0 xor rdx, rax
ffffd209`fa71bae8 498911 mov qword ptr [r9], rdx
ffffd209`fa71baeb 4983c108 add r9, 8
ffffd209`fa71baef 4c2bd6 sub r10, rsi
ffffd209`fa71baf2 75ce jne ffffd209`fa71bac2
ffffd209`fa71baf4 4585e4 test r12d, r12d
ffffd209`fa71baf7 7432 je ffffd209`fa71bb2b
ffffd209`fa71baf9 0f31 rdtsc
ffffd209`fa71bafb 48c1e220 shl rdx, 20h
ffffd209`fa71baff 480bc2 or rax, rdx
ffffd209`fa71bb02 488bc8 mov rcx, rax
ffffd209`fa71bb05 488bd0 mov rdx, rax
ffffd209`fa71bb08 48c1c903 ror rcx, 3
ffffd209`fa71bb0c 498bc5 mov rax, r13
ffffd209`fa71bb0f 4833d1 xor rdx, rcx
ffffd209`fa71bb12 48f7e2 mul rax, rdx
ffffd209`fa71bb15 488955ff mov qword ptr [rbp-1], rdx
ffffd209`fa71bb19 4833d0 xor rdx, rax
ffffd209`fa71bb1c 418811 mov byte ptr [r9], dl ; tail bytes, one per pass
ffffd209`fa71bb1f 4c03ce add r9, rsi
ffffd209`fa71bb22 48c1ea08 shr rdx, 8
ffffd209`fa71bb26 4503e7 add r12d, r15d ; remaining -= 1 (r15d = -1)
ffffd209`fa71bb29 75f1 jne ffffd209`fa71bb1c
; Start of the loop that clears the 20h-byte slot saved at [rbp-49h]. The
; excerpt stops after the first store; the IDA listing above shows the same
; sequence continuing with "add rax, 8 / sub rdx, rsi / jnz" (loc_140ACD1C9).
ffffd209`fa71bb2b 4c8b65b7 mov r12, qword ptr [rbp-49h] ; r12 = slot address
ffffd209`fa71bb2f 4d85e4 test r12, r12
ffffd209`fa71bb32 0f84b8020000 je ffffd209`fa71bdf0 ; null slot address: leave (target outside this excerpt)
ffffd209`fa71bb38 b920000000 mov ecx, 20h ; bytes to clear
ffffd209`fa71bb3d 498bc4 mov rax, r12
ffffd209`fa71bb40 8d51e4 lea edx, [rcx-1Ch] ; edx = 4, presumably the qword count (4 * 8 = 20h)
ffffd209`fa71bb43 488918 mov qword ptr [rax], rbx ; rbx = 0 (xor ebx, ebx at fa71b9fc)
ffffd209`fa71bb46 4103c8 add ecx, r8d ; remaining -= 8
如果不处理则