首先准备需要的工具
- IDA
- Windbg
- 虚拟机
首先IDA找到PatchGuard初始化函数
INIT:0000000140A349E0 40 53 push rbx
INIT:0000000140A349E2 48 83 EC 30 sub rsp, 30h
INIT:0000000140A349E6 8B 41 18 mov eax, [rcx+18h]
INIT:0000000140A349E9 48 8B D9 mov rbx, rcx
INIT:0000000140A349EC 4C 8B 49 10 mov r9, [rcx+10h]
INIT:0000000140A349F0 44 8B 41 08 mov r8d, [rcx+8]
INIT:0000000140A349F4 8B 51 04 mov edx, [rcx+4]
INIT:0000000140A349F7 8B 09 mov ecx, [rcx]
INIT:0000000140A349F9 89 44 24 20 mov [rsp+38h+var_18], eax
INIT:0000000140A349FD E8 E2 54 FE FF call sub_140A19EE4
INIT:0000000140A34A02 88 43 1C mov [rbx+1Ch], al
INIT:0000000140A34A05 48 83 C4 30 add rsp, 30h
INIT:0000000140A34A09 5B pop rbx
INIT:0000000140A34A0A C3 retnINIT:0000000140A19EE4 4C 89 4C 24 20 mov [rsp+arg_18], r9
INIT:0000000140A19EE9 44 89 44 24 18 mov [rsp+arg_10], r8d
INIT:0000000140A19EEE 89 4C 24 08 mov [rsp+arg_0], ecx
INIT:0000000140A19EF2 53 push rbx
INIT:0000000140A19EF3 56 push rsi
INIT:0000000140A19EF4 57 push rdi
INIT:0000000140A19EF5 41 54 push r12
INIT:0000000140A19EF7 41 55 push r13
INIT:0000000140A19EF9 41 56 push r14
INIT:0000000140A19EFB 41 57 push r15
INIT:0000000140A19EFD 48 81 EC 80 24 00 00 sub rsp, 2480h
INIT:0000000140A19F04 49 8B C1 mov rax, r9
INIT:0000000140A19F07 FA cli
INIT:0000000140A19F08 33 FF xor edi, edi
INIT:0000000140A19F0A 40 38 3D 6F 90 22 00 cmp byte ptr cs:KdDebuggerNotPresent, dil
INIT:0000000140A19F11 75 02 jnz short loc_140A19F15
INIT:0000000140A19F13
INIT:0000000140A19F13 loc_140A19F13: ; CODE XREF: sub_140A19EE4:loc_140A19F13↓j
INIT:0000000140A19F13 EB FE jmp short loc_140A19F13
INIT:0000000140A19F15 ; ---------------------------------------------------------------------------
INIT:0000000140A19F15
INIT:0000000140A19F15 loc_140A19F15: ; CODE XREF: sub_140A19EE4+2D↑j
INIT:0000000140A19F15 FB sti
INIT:0000000140A19F16 41 BE 05 00 00 00 mov r14d, 5
INIT:0000000140A19F1C 4C 89 B4 24 B0 09 00 00 mov [rsp+24B8h+var_1B08], r14
INIT:0000000140A19F24 41 8D 5E 24 lea ebx, [r14+24h]
INIT:0000000140A19F28 8D 4B DB lea ecx, [rbx-25h]
INIT:0000000140A19F2B 48 85 C0 test rax, rax
INIT:0000000140A19F2E 75 27 jnz short loc_140A19F57
INIT:0000000140A19F30 8D 42 FD lea eax, [rdx-3]
INIT:0000000140A19F33 A9 FD FF FF FF test eax, 0FFFFFFFDh
INIT:0000000140A19F38 75 0D jnz short loc_140A19F47
INIT:0000000140A19F3A 8B 9C 24 E0 24 00 00 mov ebx, [rsp+24B8h+arg_20]
INIT:0000000140A19F41 33 C0 xor eax, eax
INIT:0000000140A19F43 8B D0 mov edx, eax
INIT:0000000140A19F45 EB 27 jmp short loc_140A19F6E
INIT:0000000140A19F47 ; ---------------------------------------------------------------------------
INIT:0000000140A19F47
INIT:0000000140A19F47 loc_140A19F47: ; CODE XREF: sub_140A19EE4+54↑j
INIT:0000000140A19F47 8B 84 24 E0 24 00 00 mov eax, [rsp+24B8h+arg_20]
INIT:0000000140A19F4E 89 84 24 7C 03 00 00 mov [rsp+24B8h+var_213C], eax
INIT:0000000140A19F55 EB 1E jmp short loc_140A19F75
INIT:0000000140A19F57 ; ---------------------------------------------------------------------------
INIT:0000000140A19F57
INIT:0000000140A19F57 loc_140A19F57: ; CODE XREF: sub_140A19EE4+4A↑j
INIT:0000000140A19F57 41 3B D6 cmp edx, r14d
INIT:0000000140A19F5A 77 05 ja short loc_140A19F61
INIT:0000000140A19F5C 0F A3 D3 bt ebx, edx
INIT:0000000140A19F5F 72 04 jb short loc_140A19F65
INIT:0000000140A19F61
INIT:0000000140A19F61 loc_140A19F61: ; CODE XREF: sub_140A19EE4+76↑j
INIT:0000000140A19F61 33 C0 xor eax, eax
INIT:0000000140A19F63 8B D0 mov edx, eax
INIT:0000000140A19F65
INIT:0000000140A19F65 loc_140A19F65: ; CODE XREF: sub_140A19EE4+7B↑j
INIT:0000000140A19F65 8B 9C 24 E0 24 00 00 mov ebx, [rsp+24B8h+arg_20]
INIT:0000000140A19F6C 0B D9 or ebx, ecx
INIT:0000000140A19F6E
INIT:0000000140A19F6E loc_140A19F6E: ; CODE XREF: sub_140A19EE4+61↑j
INIT:0000000140A19F6E 89 9C 24 7C 03 00 00 mov [rsp+24B8h+var_213C], ebx
INIT:0000000140A19F75
INIT:0000000140A19F75 loc_140A19F75: ; CODE XREF: sub_140A19EE4+71↑j
INIT:0000000140A19F75 8B 05 BD B6 33 00 mov eax, cs:$$2b
INIT:0000000140A19F7B 33 DB xor ebx, ebx
INIT:0000000140A19F7D 0F A3 D0 bt eax, edx
INIT:0000000140A19F80 8B F3 mov esi, ebx
INIT:0000000140A19F82 0F 43 F2 cmovnb esi, edx
INIT:0000000140A19F85 FA cli
INIT:0000000140A19F86 33 C0 xor eax, eax
INIT:0000000140A19F88 38 05 F2 8F 22 00 cmp byte ptr cs:KdDebuggerNotPresent, al
INIT:0000000140A19F8E 75 02 jnz short loc_140A19F92
INIT:0000000140A19F90
INIT:0000000140A19F90 loc_140A19F90: ; CODE XREF: sub_140A19EE4:loc_140A19F90↓j
INIT:0000000140A19F90 EB FE jmp short loc_140A19F90
INIT:0000000140A19F92 ; ---------------------------------------------------------------------------
INIT:0000000140A19F92
INIT:0000000140A19F92 loc_140A19F92: ; CODE XREF: sub_140A19EE4+AA↑j
INIT:0000000140A19F92 FB sti
INIT:0000000140A19F93 4C 8B 0D 26 B6 33 00 mov r9, cs:KiInitData ; BugCheckParameter3
INIT:0000000140A19F9A 41 BA 0C 00 00 00 mov r10d, 0Ch
INIT:0000000140A19FA0 4D 3B CA cmp r9, r10
INIT:0000000140A19FA3 0F 85 BE A0 01 00 jnz loc_140A34067
INIT:0000000140A19FA9 48 8D 05 C4 E1 FF FF lea rax, __ts_89
INIT:0000000140A19FB0 48 8D 15 25 E3 FF FF lea rdx, __ts_z
INIT:0000000140A19FB7 EB 05 jmp short loc_140A19FBE
INIT:0000000140A19FB9 ; ---------------------------------------------------------------------------
INIT:0000000140A19FB9
INIT:0000000140A19FB9 loc_140A19FB9: ; CODE XREF: sub_140A19EE4+DD↓j
INIT:0000000140A19FB9 03 38 add edi, [rax]
INIT:0000000140A19FBB 48 03 C1 add rax, rcx
INIT:0000000140A19FBE
INIT:0000000140A19FBE loc_140A19FBE: ; CODE XREF: sub_140A19EE4+D3↑j
INIT:0000000140A19FBE 48 3B C2 cmp rax, rdx
INIT:0000000140A19FC1 75 F6 jnz short loc_140A19FB9
INIT:0000000140A19FC3 33 C0 xor eax, eax
INIT:0000000140A19FC5 48 8D 15 A0 E1 FF FF lea rdx, __ps_z
INIT:0000000140A19FCC 48 8D 05 31 E0 FF FF lea rax, __ps_0
INIT:0000000140A19FD3 EB 05 jmp short loc_140A19FDA
INIT:0000000140A19FD5 ; ---------------------------------------------------------------------------
INIT:0000000140A19FD5
INIT:0000000140A19FD5 loc_140A19FD5: ; CODE XREF: sub_140A19EE4+F9↓j
INIT:0000000140A19FD5 03 18 add ebx, [rax]
INIT:0000000140A19FD7 48 03 C1 add rax, rcx
INIT:0000000140A19FDA
INIT:0000000140A19FDA loc_140A19FDA: ; CODE XREF: sub_140A19EE4+EF↑j
INIT:0000000140A19FDA 48 3B C2 cmp rax, rdx
INIT:0000000140A19FDD 75 F6 jnz short loc_140A19FD5
INIT:0000000140A19FDF 33 C0 xor eax, eax
INIT:0000000140A19FE1 3B FB cmp edi, ebx
INIT:0000000140A19FE3 0F 85 AB A0 01 00 jnz loc_140A34094
INIT:0000000140A19FE9 48 39 05 58 B6 33 00 cmp cs:$$2a, rax
INIT:0000000140A19FF0 4C 8D 3D 09 60 5E FF lea r15, cs:140000000h
INIT:0000000140A19FF7 8D 78 06 lea edi, [rax+6]
INIT:0000000140A19FFA 49 BD 01 20 00 04 80 00 10 70 mov r13, 7010008004002001h
INIT:0000000140A1A004 0F 85 4D 09 00 00 jnz loc_140A1A957
INIT:0000000140A1A00A 89 44 24 40 mov [rsp+24B8h+var_2478], eax
INIT:0000000140A1A00E 4C 8D 05 5B 64 05 00 lea r8, aFunctionextent ; "FUNCTIONEXTENTLIST"
INIT:0000000140A1A015 48 89 44 24 38 mov [rsp+24B8h+var_2480], rax
INIT:0000000140A1A01A 8D 57 04 lea edx, [rdi+4]
INIT:0000000140A1A01D 48 89 44 24 30 mov [rsp+24B8h+var_2488], rax
INIT:0000000140A1A022 45 33 C9 xor r9d, r9d
INIT:0000000140A1A025 48 8D 84 24 C0 09 00 00 lea rax, [rsp+24B8h+var_1AF8]
INIT:0000000140A1A02D 4C 89 BC 24 70 12 00 00 mov [rsp+24B8h+var_1248], r15
INIT:0000000140A1A035 48 89 44 24 28 mov [rsp+24B8h+var_2490], rax
INIT:0000000140A1A03A 49 8B CF mov rcx, r15
INIT:0000000140A1A03D 48 8D 84 24 D8 09 00 00 lea rax, [rsp+24B8h+BugCheckParameter2]
INIT:0000000140A1A045 48 89 44 24 20 mov [rsp+24B8h+BugCheckParameter4], rax
INIT:0000000140A1A04A E8 61 5F D5 FF call LdrResFindResource
INIT:0000000140A1A04F 33 DB xor ebx, ebx
INIT:0000000140A1A051 44 8D 67 FB lea r12d, [rdi-5]
INIT:0000000140A1A055 85 C0 test eax, eax
INIT:0000000140A1A057 0F 88 B6 00 00 00 js loc_140A1A113
INIT:0000000140A1A05D 48 8B 8C 24 C0 09 00 00 mov rcx, [rsp+24B8h+var_1AF8]
INIT:0000000140A1A065 BA F7 FF FF FF mov edx, 0FFFFFFF7h
INIT:0000000140A1A06A 48 8D 41 F8 lea rax, [rcx-8]
INIT:0000000140A1A06E 48 3B C2 cmp rax, rdx
INIT:0000000140A1A071 0F 87 9C 00 00 00 ja loc_140A1A113
INIT:0000000140A1A077 89 8C 24 90 03 00 00 mov dword ptr [rsp+24B8h+var_2128], ecx
INIT:0000000140A1A07E 49 8B CF mov rcx, r15
INIT:0000000140A1A081 E8 0A 38 90 FF call RtlImageNtHeader
INIT:0000000140A1A086 48 85 C0 test rax, rax
INIT:0000000140A1A089 0F 84 84 00 00 00 jz loc_140A1A113
INIT:0000000140A1A08F 44 8D 47 FD lea r8d, [rdi-3]
INIT:0000000140A1A093 41 8A D4 mov dl, r12b
INIT:0000000140A1A096 4C 8D 8C 24 1C 04 00 00 lea r9, [rsp+24B8h+var_209C]
INIT:0000000140A1A09E 49 8B CF mov rcx, r15
INIT:0000000140A1A0A1 E8 5A 79 84 FF call RtlImageDirectoryEntryToData
INIT:0000000140A1A0A6 4C 8B E8 mov r13, rax
INIT:0000000140A1A0A9 33 C0 xor eax, eax
INIT:0000000140A1A0AB 4D 85 ED test r13, r13
INIT:0000000140A1A0AE 75 0C jnz short loc_140A1A0BC
INIT:0000000140A1A0B0
INIT:0000000140A1A0B0 loc_140A1A0B0: ; CODE XREF: sub_140A19EE4+4E4↓j
INIT:0000000140A1A0B0 49 BD 01 20 00 04 80 00 10 70 mov r13, 7010008004002001h
INIT:0000000140A1A0BA EB 59 jmp short loc_140A1A115
INIT:0000000140A1A0BC ; ---------------------------------------------------------------------------
INIT:0000000140A1A0BC
INIT:0000000140A1A0BC loc_140A1A0BC: ; CODE XREF: sub_140A19EE4+1CA↑j
INIT:0000000140A1A0BC 48 8B 8C 24 D8 09 00 00 mov rcx, [rsp+24B8h+BugCheckParameter2]
INIT:0000000140A1A0C4 4C 8B F0 mov r14, rax
INIT:0000000140A1A0C7 41 BF 01 00 00 C0 mov r15d, 0C0000001h
INIT:0000000140A1A0CD 8B 11 mov edx, [rcx]
INIT:0000000140A1A0CF 81 EA 43 54 58 45 sub edx, 45585443h
INIT:0000000140A1A0D5 74 0E jz short loc_140A1A0E5
INIT:0000000140A1A0D7 83 FA 09 cmp edx, 9
INIT:0000000140A1A0DA 0F 84 6C 05 00 00 jz loc_140A1A64C
INIT:0000000140A1A0E0 E9 DD 02 00 00 jmp loc_140A1A3C2
INIT:0000000140A1A0E5 ; ---------------------------------------------------------------------------
INIT:0000000140A1A0E5
INIT:0000000140A1A0E5 loc_140A1A0E5: ; CODE XREF: sub_140A19EE4+1F1↑j
INIT:0000000140A1A0E5 B9 04 00 00 00 mov ecx, 4 ; CompressionFormatAndEngine
INIT:0000000140A1A0EA 4C 8D 84 24 1C 05 00 00 lea r8, [rsp+24B8h+CompressFragmentWorkSpaceSize] ; CompressFragmentWorkSpaceSize
INIT:0000000140A1A0F2 48 8D 94 24 28 05 00 00 lea rdx, [rsp+24B8h+CompressBufferWorkSpaceSize] ; CompressBufferWorkSpaceSize
INIT:0000000140A1A0FA E8 C1 BE 89 FF call RtlGetCompressionWorkSpaceSize
INIT:0000000140A1A0FF 85 C0 test eax, eax
INIT:0000000140A1A101 79 63 jns short loc_140A1A166
INIT:0000000140A1A103 41 BE 05 00 00 00 mov r14d, 5
INIT:0000000140A1A109 49 BD 01 20 00 04 80 00 10 70 mov r13, 7010008004002001h
INIT:0000000140A1A113
INIT:0000000140A1A113 loc_140A1A113: ; CODE XREF: sub_140A19EE4+173↑j
INIT:0000000140A1A113 ; sub_140A19EE4+18D↑j ...
INIT:0000000140A1A113 33 C0 xor eax, eax
INIT:0000000140A1A115
INIT:0000000140A1A115 loc_140A1A115: ; CODE XREF: sub_140A19EE4+1D6↑j
INIT:0000000140A1A115 48 89 9C 24 78 12 00 00 mov [rsp+24B8h+var_1240], rbx
INIT:0000000140A1A11D 48 8D 94 24 70 12 00 00 lea rdx, [rsp+24B8h+var_1248]
INIT:0000000140A1A125 BB 18 00 00 00 mov ebx, 18h
INIT:0000000140A1A12A 48 8D 0D 17 B5 33 00 lea rcx, $$2a
INIT:0000000140A1A131 8D 7B EB lea edi, [rbx-15h]
INIT:0000000140A1A134
INIT:0000000140A1A134 loc_140A1A134: ; CODE XREF: sub_140A19EE4+264↓j
INIT:0000000140A1A134 48 8B 02 mov rax, [rdx]
INIT:0000000140A1A137 83 C3 F8 add ebx, 0FFFFFFF8h
INIT:0000000140A1A13A 48 89 01 mov [rcx], rax
INIT:0000000140A1A13D 48 83 C2 08 add rdx, 8
INIT:0000000140A1A141 48 83 C1 08 add rcx, 8
INIT:0000000140A1A145 49 2B FC sub rdi, r12
INIT:0000000140A1A148 75 EA jnz short loc_140A1A134
INIT:0000000140A1A14A 85 DB test ebx, ebx
INIT:0000000140A1A14C 0F 84 49 08 00 00 jz loc_140A1A99B
INIT:0000000140A1A152
INIT:0000000140A1A152 loc_140A1A152: ; CODE XREF: sub_140A19EE4+27B↓j
INIT:0000000140A1A152 8A 02 mov al, [rdx]
INIT:0000000140A1A154 49 03 D4 add rdx, r12
INIT:0000000140A1A157 88 01 mov [rcx], al
INIT:0000000140A1A159 49 03 CC add rcx, r12
INIT:0000000140A1A15C 83 C3 FF add ebx, 0FFFFFFFFh
INIT:0000000140A1A15F 75 F1 jnz short loc_140A1A152
INIT:0000000140A1A161 E9 35 08 00 00 jmp loc_140A1A99B
INIT:0000000140A1A166 ; ---------------------------------------------------------------------------
INIT:0000000140A1A166
INIT:0000000140A1A166 loc_140A1A166: ; CODE XREF: sub_140A19EE4+21D↑j
INIT:0000000140A1A166 48 8B 84 24 D8 09 00 00 mov rax, [rsp+24B8h+BugCheckParameter2]
INIT:0000000140A1A16E 44 8B 60 04 mov r12d, [rax+4]
INIT:0000000140A1A172 41 83 FC 08 cmp r12d, 8
INIT:0000000140A1A176 0F 82 47 9F 01 00 jb loc_140A340C3
INIT:0000000140A1A17C 0F 31 rdtsc
INIT:0000000140A1A17E 48 C1 E2 20 shl rdx, 20h
INIT:0000000140A1A182 49 B8 01 20 00 04 80 00 10 70 mov r8, 7010008004002001h
INIT:0000000140A1A18C 48 0B C2 or rax, rdx
INIT:0000000140A1A18F BB 05 00 00 00 mov ebx, 5
INIT:0000000140A1A194 48 8B C8 mov rcx, rax
INIT:0000000140A1A197 48 C1 C8 03 ror rax, 3
INIT:0000000140A1A19B 48 33 C8 xor rcx, rax
INIT:0000000140A1A19E 49 8B C0 mov rax, r8
INIT:0000000140A1A1A1 48 F7 E1 mul rcx
INIT:0000000140A1A1A4 48 8B CA mov rcx, rdx
INIT:0000000140A1A1A7 48 89 94 24 E8 09 00 00 mov [rsp+24B8h+var_1AD0], rdx
INIT:0000000140A1A1AF 48 33 C8 xor rcx, rax
INIT:0000000140A1A1B2 48 B8 A3 8B 2E BA E8 A2 8B 2E mov rax, 2E8BA2E8BA2E8BA3h
INIT:0000000140A1A1BC 48 F7 E1 mul rcx
INIT:0000000140A1A1BF 48 D1 EA shr rdx, 1
INIT:0000000140A1A1C2 48 6B C2 0B imul rax, rdx, 0Bh
INIT:0000000140A1A1C6 48 2B C8 sub rcx, rax
INIT:0000000140A1A1C9 3B CB cmp ecx, ebx
INIT:0000000140A1A1CB 0F 87 B7 00 00 00 ja loc_140A1A288
INIT:0000000140A1A1D1 0F 84 97 00 00 00 jz loc_140A1A26E
INIT:0000000140A1A1D7 85 C9 test ecx, ecx
INIT:0000000140A1A1D9 74 79 jz short loc_140A1A254
INIT:0000000140A1A1DB 83 E9 01 sub ecx, 1
INIT:0000000140A1A1DE 74 5B jz short loc_140A1A23B
INIT:0000000140A1A1E0 83 E9 01 sub ecx, 1
INIT:0000000140A1A1E3 74 3C jz short loc_140A1A221
INIT:0000000140A1A1E5 83 F9 01 cmp ecx, 1
INIT:0000000140A1A1E8 74 1A jz short loc_140A1A204
INIT:0000000140A1A1EA C7 84 24 30 05 00 00 94 64 07 67 mov [rsp+24B8h+var_1F88], 67076494h
INIT:0000000140A1A1F5 8B BC 24 30 05 00 00 mov edi, [rsp+24B8h+var_1F88]
INIT:0000000140A1A1FC C1 C7 04 rol edi, 4
INIT:0000000140A1A1FF E9 97 01 00 00 jmp loc_140A1A39B
INIT:0000000140A1A204 ; ---------------------------------------------------------------------------
INIT:0000000140A1A204
INIT:0000000140A1A204 loc_140A1A204: ; CODE XREF: sub_140A19EE4+304↑j
INIT:0000000140A1A204 C7 84 24 34 05 00 00 38 39 22 A8 mov [rsp+24B8h+var_1F84], 0A8223938h
INIT:0000000140A1A20F 8B BC 24 34 05 00 00 mov edi, [rsp+24B8h+var_1F84]
INIT:0000000140A1A216 83 F7 03 xor edi, 3
INIT:0000000140A1A219 C1 CF 0F ror edi, 0Fh
INIT:0000000140A1A21C E9 7A 01 00 00 jmp loc_140A1A39B
INIT:0000000140A1A221 ; ---------------------------------------------------------------------------
INIT:0000000140A1A221
INIT:0000000140A1A221 loc_140A1A221: ; CODE XREF: sub_140A19EE4+2FF↑j
INIT:0000000140A1A221 C7 84 24 38 05 00 00 0D 91 B5 85 mov [rsp+24B8h+var_1F80], 85B5910Dh
INIT:0000000140A1A22C 8B BC 24 38 05 00 00 mov edi, [rsp+24B8h+var_1F80]
INIT:0000000140A1A233 C1 CF 02 ror edi, 2
INIT:0000000140A1A236 E9 60 01 00 00 jmp loc_140A1A39B
INIT:0000000140A1A23B ; ---------------------------------------------------------------------------
INIT:0000000140A1A23B
INIT:0000000140A1A23B loc_140A1A23B: ; CODE XREF: sub_140A19EE4+2FA↑j
INIT:0000000140A1A23B C7 84 24 3C 05 00 00 A1 31 AD B2 mov [rsp+24B8h+var_1F7C], 0B2AD31A1h
INIT:0000000140A1A246 8B BC 24 3C 05 00 00 mov edi, [rsp+24B8h+var_1F7C]
INIT:0000000140A1A24D D1 C7 rol edi, 1
INIT:0000000140A1A24F E9 47 01 00 00 jmp loc_140A1A39B
INIT:0000000140A1A254 ; ---------------------------------------------------------------------------
INIT:0000000140A1A254
INIT:0000000140A1A254 loc_140A1A254: ; CODE XREF: sub_140A19EE4+2F5↑j
INIT:0000000140A1A254 C7 84 24 40 05 00 00 D8 D0 98 D0 mov [rsp+24B8h+var_1F78], 0D098D0D8h
INIT:0000000140A1A25F 8B BC 24 40 05 00 00 mov edi, [rsp+24B8h+var_1F78]
INIT:0000000140A1A266 C1 CF 06 ror edi, 6
INIT:0000000140A1A269 E9 2D 01 00 00 jmp loc_140A1A39B
INIT:0000000140A1A26E ; ---------------------------------------------------------------------------
INIT:0000000140A1A26E
INIT:0000000140A1A26E loc_140A1A26E: ; CODE XREF: sub_140A19EE4+2ED↑j
INIT:0000000140A1A26E C7 84 24 44 05 00 00 ED 49 8C 28 mov [rsp+24B8h+var_1F74], 288C49EDh
INIT:0000000140A1A279 8B BC 24 44 05 00 00 mov edi, [rsp+24B8h+var_1F74]
INIT:0000000140A1A280 C1 CF 05 ror edi, 5
INIT:0000000140A1A283 E9 13 01 00 00 jmp loc_140A1A39B
INIT:0000000140A1A288 ; ---------------------------------------------------------------------------
INIT:0000000140A1A288
INIT:0000000140A1A288 loc_140A1A288: ; CODE XREF: sub_140A19EE4+2E7↑j
INIT:0000000140A1A288 2B CF sub ecx, edi
INIT:0000000140A1A28A 0F 84 F4 00 00 00 jz loc_140A1A384
INIT:0000000140A1A290 83 E9 01 sub ecx, 1
INIT:0000000140A1A293 0F 84 D4 00 00 00 jz loc_140A1A36D
INIT:0000000140A1A299 83 E9 01 sub ecx, 1
INIT:0000000140A1A29C 0F 84 B4 00 00 00 jz loc_140A1A356
INIT:0000000140A1A2A2 83 F9 01 cmp ecx, 1
INIT:0000000140A1A2A5 0F 84 91 00 00 00 jz loc_140A1A33C
INIT:0000000140A1A2AB 0F 31 rdtsc
INIT:0000000140A1A2AD 48 C1 E2 20 shl rdx, 20h
INIT:0000000140A1A2B1 48 0B C2 or rax, rdx
INIT:0000000140A1A2B4 48 8B C8 mov rcx, rax
INIT:0000000140A1A2B7 48 C1 C8 03 ror rax, 3
INIT:0000000140A1A2BB 48 33 C8 xor rcx, rax
INIT:0000000140A1A2BE 49 8B C0 mov rax, r8
INIT:0000000140A1A2C1 48 F7 E1 mul rcx
INIT:0000000140A1A2C4 41 B8 4F EC C4 4E mov r8d, 4EC4EC4Fh
INIT:0000000140A1A2CA 48 8B F8 mov rdi, rax
INIT:0000000140A1A2CD 48 89 94 24 F0 09 00 00 mov [rsp+24B8h+var_1AC8], rdx
INIT:0000000140A1A2D5 33 FA xor edi, edx
INIT:0000000140A1A2D7 41 8B C0 mov eax, r8d
INIT:0000000140A1A2DA F7 E7 mul edi
INIT:0000000140A1A2DC 8B CF mov ecx, edi
INIT:0000000140A1A2DE C1 EF 05 shr edi, 5
INIT:0000000140A1A2E1 C1 EA 03 shr edx, 3
INIT:0000000140A1A2E4 8B DF mov ebx, edi
INIT:0000000140A1A2E6 6B C2 1A imul eax, edx, 1Ah
INIT:0000000140A1A2E9 2B C8 sub ecx, eax
INIT:0000000140A1A2EB 41 8B C0 mov eax, r8d
INIT:0000000140A1A2EE F7 E7 mul edi
INIT:0000000140A1A2F0 83 C1 61 add ecx, 61h ; 'a'
INIT:0000000140A1A2F3 C1 EF 05 shr edi, 5
INIT:0000000140A1A2F6 C1 E1 08 shl ecx, 8
INIT:0000000140A1A2F9 C1 EA 03 shr edx, 3
INIT:0000000140A1A2FC 6B C2 1A imul eax, edx, 1Ah
INIT:0000000140A1A2FF 2B D8 sub ebx, eax
INIT:0000000140A1A301 41 8B C0 mov eax, r8d
INIT:0000000140A1A304 F7 E7 mul edi
INIT:0000000140A1A306 83 C3 41 add ebx, 41h ; 'A'
INIT:0000000140A1A309 0B D9 or ebx, ecx
INIT:0000000140A1A30B C1 EA 03 shr edx, 3
INIT:0000000140A1A30E 6B C2 1A imul eax, edx, 1Ah
INIT:0000000140A1A311 8B CF mov ecx, edi
INIT:0000000140A1A313 C1 EF 05 shr edi, 5
INIT:0000000140A1A316 C1 E3 08 shl ebx, 8
INIT:0000000140A1A319 2B C8 sub ecx, eax
INIT:0000000140A1A31B 41 8B C0 mov eax, r8d
INIT:0000000140A1A31E F7 E7 mul edi
INIT:0000000140A1A320 83 C1 61 add ecx, 61h ; 'a'
INIT:0000000140A1A323 0B CB or ecx, ebx
INIT:0000000140A1A325 C1 EA 03 shr edx, 3
INIT:0000000140A1A328 6B C2 1A imul eax, edx, 1Ah
INIT:0000000140A1A32B BB 05 00 00 00 mov ebx, 5
INIT:0000000140A1A330 C1 E1 08 shl ecx, 8
INIT:0000000140A1A333 2B F8 sub edi, eax
INIT:0000000140A1A335 83 C7 41 add edi, 41h ; 'A'
INIT:0000000140A1A338 0B F9 or edi, ecx
INIT:0000000140A1A33A EB 5F jmp short loc_140A1A39B
INIT:0000000140A1A33C ; ---------------------------------------------------------------------------
INIT:0000000140A1A33C
INIT:0000000140A1A33C loc_140A1A33C: ; CODE XREF: sub_140A19EE4+3C1↑j
INIT:0000000140A1A33C C7 84 24 FC 00 00 00 85 9E 86 B0 mov [rsp+24B8h+var_23BC], 0B0869E85h
INIT:0000000140A1A347 8B BC 24 FC 00 00 00 mov edi, [rsp+24B8h+var_23BC]
INIT:0000000140A1A34E 83 F7 09 xor edi, 9
INIT:0000000140A1A351 C1 CF 21 ror edi, 21h
INIT:0000000140A1A354 EB 45 jmp short loc_140A1A39B
INIT:0000000140A1A356 ; ---------------------------------------------------------------------------
INIT:0000000140A1A356
INIT:0000000140A1A356 loc_140A1A356: ; CODE XREF: sub_140A19EE4+3B8↑j
INIT:0000000140A1A356 C7 84 24 00 01 00 00 42 41 66 64 mov [rsp+24B8h+var_23B8], 64664142h
INIT:0000000140A1A361 8B BC 24 00 01 00 00 mov edi, [rsp+24B8h+var_23B8]
INIT:0000000140A1A368 C1 CF 08 ror edi, 8
INIT:0000000140A1A36B EB 2E jmp short loc_140A1A39B
INIT:0000000140A1A36D ; ---------------------------------------------------------------------------
INIT:0000000140A1A36D
INIT:0000000140A1A36D loc_140A1A36D: ; CODE XREF: sub_140A19EE4+3AF↑j
INIT:0000000140A1A36D C7 84 24 04 01 00 00 D8 A6 C6 82 mov [rsp+24B8h+var_23B4], 82C6A6D8h
INIT:0000000140A1A378 8B BC 24 04 01 00 00 mov edi, [rsp+24B8h+var_23B4]
INIT:0000000140A1A37F C1 C7 07 rol edi, 7
INIT:0000000140A1A382 EB 17 jmp short loc_140A1A39B
INIT:0000000140A1A384 ; ---------------------------------------------------------------------------
INIT:0000000140A1A384
INIT:0000000140A1A384 loc_140A1A384: ; CODE XREF: sub_140A19EE4+3A6↑j
INIT:0000000140A1A384 C7 84 24 08 01 00 00 72 46 57 4E mov [rsp+24B8h+var_23B0], 4E574672h
INIT:0000000140A1A38F 8B 84 24 08 01 00 00 mov eax, [rsp+24B8h+var_23B0]
INIT:0000000140A1A396 33 F8 xor edi, eax
INIT:0000000140A1A398 C1 CF 18 ror edi, 18h
INIT:0000000140A1A39B
INIT:0000000140A1A39B loc_140A1A39B: ; CODE XREF: sub_140A19EE4+31B↑j
INIT:0000000140A1A39B ; sub_140A19EE4+338↑j ...
INIT:0000000140A1A39B 8B 94 24 28 05 00 00 mov edx, [rsp+24B8h+CompressBufferWorkSpaceSize] ; NumberOfBytes
INIT:0000000140A1A3A2 44 8B C7 mov r8d, edi ; Tag
INIT:0000000140A1A3A5 B9 00 02 00 00 mov ecx, 200h ; PoolType
INIT:0000000140A1A3AA E8 81 6C F9 FF call ExAllocatePoolWithTag
INIT:0000000140A1A3AF 4C 8B F0 mov r14, rax
INIT:0000000140A1A3B2 33 C0 xor eax, eax
INIT:0000000140A1A3B4 4D 85 F6 test r14, r14
INIT:0000000140A1A3B7 75 14 jnz short loc_140A1A3CD
INIT:0000000140A1A3B9
INIT:0000000140A1A3B9 loc_140A1A3B9: ; CODE XREF: sub_140A19EE4+A6E↓j
INIT:0000000140A1A3B9 48 8B D8 mov rbx, rax
INIT:0000000140A1A3BC
INIT:0000000140A1A3BC loc_140A1A3BC: ; CODE XREF: sub_140A19EE4+A55↓j
INIT:0000000140A1A3BC ; sub_140A19EE4+A5E↓j
INIT:0000000140A1A3BC 41 BC 01 00 00 00 mov r12d, 1
INIT:0000000140A1A3C2
INIT:0000000140A1A3C2 loc_140A1A3C2: ; CODE XREF: sub_140A19EE4+1FC↑j
INIT:0000000140A1A3C2 41 BE 05 00 00 00 mov r14d, 5
INIT:0000000140A1A3C8 E9 E3 FC FF FF jmp loc_140A1A0B0
INIT:0000000140A1A3CD ; ---------------------------------------------------------------------------
INIT:0000000140A1A3CD
INIT:0000000140A1A3CD loc_140A1A3CD: ; CODE XREF: sub_140A19EE4+4D3↑j
INIT:0000000140A1A3CD 0F 31 rdtsc
INIT:0000000140A1A3CF 48 C1 E2 20 shl rdx, 20h
INIT:0000000140A1A3D3 48 BF 01 20 00 04 80 00 10 70 mov rdi, 7010008004002001h
INIT:0000000140A1A3DD 48 0B C2 or rax, rdx
INIT:0000000140A1A3E0 48 8B C8 mov rcx, rax
INIT:0000000140A1A3E3 48 C1 C8 03 ror rax, 3
INIT:0000000140A1A3E7 48 33 C8 xor rcx, rax
INIT:0000000140A1A3EA 48 8B C7 mov rax, rdi
INIT:0000000140A1A3ED 48 F7 E1 mul rcx
INIT:0000000140A1A3F0 48 8B CA mov rcx, rdx
INIT:0000000140A1A3F3 48 89 94 24 20 0A 00 00 mov [rsp+24B8h+var_1A98], rdx
INIT:0000000140A1A3FB 48 33 C8 xor rcx, rax
INIT:0000000140A1A3FE 48 B8 A3 8B 2E BA E8 A2 8B 2E mov rax, 2E8BA2E8BA2E8BA3h
INIT:0000000140A1A408 48 F7 E1 mul rcx
INIT:0000000140A1A40B 48 D1 EA shr rdx, 1
INIT:0000000140A1A40E 48 6B C2 0B imul rax, rdx, 0Bh
INIT:0000000140A1A412 48 2B C8 sub rcx, rax
INIT:0000000140A1A415 3B CB cmp ecx, ebx
INIT:0000000140A1A417 0F 87 B7 00 00 00 ja loc_140A1A4D4
INIT:0000000140A1A41D 0F 84 97 00 00 00 jz loc_140A1A4BA
INIT:0000000140A1A423 85 C9 test ecx, ecx
INIT:0000000140A1A425 74 79 jz short loc_140A1A4A0
INIT:0000000140A1A427 83 E9 01 sub ecx, 1
INIT:0000000140A1A42A 74 5B jz short loc_140A1A487
INIT:0000000140A1A42C 83 E9 01 sub ecx, 1
INIT:0000000140A1A42F 74 3C jz short loc_140A1A46D
INIT:0000000140A1A431 83 F9 01 cmp ecx, 1
INIT:0000000140A1A434 74 1A jz short loc_140A1A450
INIT:0000000140A1A436 C7 84 24 0C 01 00 00 94 64 07 67 mov [rsp+24B8h+var_23AC], 67076494h
INIT:0000000140A1A441 8B BC 24 0C 01 00 00 mov edi, [rsp+24B8h+var_23AC]
INIT:0000000140A1A448 C1 C7 04 rol edi, 4
INIT:0000000140A1A44B E9 97 01 00 00 jmp loc_140A1A5E7
INIT:0000000140A1A450 ; ---------------------------------------------------------------------------
INIT:0000000140A1A450
INIT:0000000140A1A450 loc_140A1A450: ; CODE XREF: sub_140A19EE4+550↑j
INIT:0000000140A1A450 C7 84 24 10 01 00 00 38 39 22 A8 mov [rsp+24B8h+var_23A8], 0A8223938h
INIT:0000000140A1A45B 8B BC 24 10 01 00 00 mov edi, [rsp+24B8h+var_23A8]
INIT:0000000140A1A462 83 F7 03 xor edi, 3
INIT:0000000140A1A465 C1 CF 0F ror edi, 0Fh
INIT:0000000140A1A468 E9 7A 01 00 00 jmp loc_140A1A5E7
INIT:0000000140A1A46D ; ---------------------------------------------------------------------------
INIT:0000000140A1A46D
INIT:0000000140A1A46D loc_140A1A46D: ; CODE XREF: sub_140A19EE4+54B↑j
INIT:0000000140A1A46D C7 84 24 14 01 00 00 0D 91 B5 85 mov [rsp+24B8h+var_23A4], 85B5910Dh
INIT:0000000140A1A478 8B BC 24 14 01 00 00 mov edi, [rsp+24B8h+var_23A4]
INIT:0000000140A1A47F C1 CF 02 ror edi, 2
INIT:0000000140A1A482 E9 60 01 00 00 jmp loc_140A1A5E7
INIT:0000000140A1A487 ; ---------------------------------------------------------------------------
INIT:0000000140A1A487
INIT:0000000140A1A487 loc_140A1A487: ; CODE XREF: sub_140A19EE4+546↑j
INIT:0000000140A1A487 C7 84 24 18 01 00 00 A1 31 AD B2 mov [rsp+24B8h+var_23A0], 0B2AD31A1h
INIT:0000000140A1A492 8B BC 24 18 01 00 00 mov edi, [rsp+24B8h+var_23A0]
INIT:0000000140A1A499 D1 C7 rol edi, 1
INIT:0000000140A1A49B E9 47 01 00 00 jmp loc_140A1A5E7
INIT:0000000140A1A4A0 ; ---------------------------------------------------------------------------
INIT:0000000140A1A4A0
INIT:0000000140A1A4A0 loc_140A1A4A0: ; CODE XREF: sub_140A19EE4+541↑j
INIT:0000000140A1A4A0 C7 84 24 1C 01 00 00 D8 D0 98 D0 mov [rsp+24B8h+var_239C], 0D098D0D8h
INIT:0000000140A1A4AB 8B BC 24 1C 01 00 00 mov edi, [rsp+24B8h+var_239C]
INIT:0000000140A1A4B2 C1 CF 06 ror edi, 6
INIT:0000000140A1A4B5 E9 2D 01 00 00 jmp loc_140A1A5E7
INIT:0000000140A1A4BA ; ---------------------------------------------------------------------------
INIT:0000000140A1A4BA
INIT:0000000140A1A4BA loc_140A1A4BA: ; CODE XREF: sub_140A19EE4+539↑j
INIT:0000000140A1A4BA C7 84 24 20 01 00 00 ED 49 8C 28 mov [rsp+24B8h+var_2398], 288C49EDh
INIT:0000000140A1A4C5 8B BC 24 20 01 00 00 mov edi, [rsp+24B8h+var_2398]
INIT:0000000140A1A4CC C1 CF 05 ror edi, 5
INIT:0000000140A1A4CF E9 13 01 00 00 jmp loc_140A1A5E7
INIT:0000000140A1A4D4 ; ---------------------------------------------------------------------------
INIT:0000000140A1A4D4
INIT:0000000140A1A4D4 loc_140A1A4D4: ; CODE XREF: sub_140A19EE4+533↑j
INIT:0000000140A1A4D4 BA 06 00 00 00 mov edx, 6
INIT:0000000140A1A4D9 2B CA sub ecx, edx
INIT:0000000140A1A4DB 0F 84 EF 00 00 00 jz loc_140A1A5D0
INIT:0000000140A1A4E1 83 E9 01 sub ecx, 1
INIT:0000000140A1A4E4 0F 84 CF 00 00 00 jz loc_140A1A5B9
INIT:0000000140A1A4EA 83 E9 01 sub ecx, 1
INIT:0000000140A1A4ED 0F 84 AF 00 00 00 jz loc_140A1A5A2
INIT:0000000140A1A4F3 83 F9 01 cmp ecx, 1
INIT:0000000140A1A4F6 0F 84 8C 00 00 00 jz loc_140A1A588
INIT:0000000140A1A4FC 0F 31 rdtsc
INIT:0000000140A1A4FE 48 C1 E2 20 shl rdx, 20h
INIT:0000000140A1A502 41 B8 4F EC C4 4E mov r8d, 4EC4EC4Fh
INIT:0000000140A1A508 48 0B C2 or rax, rdx
INIT:0000000140A1A50B 48 8B C8 mov rcx, rax
INIT:0000000140A1A50E 48 C1 C8 03 ror rax, 3
INIT:0000000140A1A512 48 33 C8 xor rcx, rax
INIT:0000000140A1A515 48 8B C7 mov rax, rdi
INIT:0000000140A1A518 48 F7 E1 mul rcx
INIT:0000000140A1A51B 48 8B F8 mov rdi, rax
INIT:0000000140A1A51E 48 89 94 24 28 0A 00 00 mov [rsp+24B8h+var_1A90], rdx
INIT:0000000140A1A526 33 FA xor edi, edx
INIT:0000000140A1A528 41 8B C0 mov eax, r8d
INIT:0000000140A1A52B F7 E7 mul edi
INIT:0000000140A1A52D 8B CF mov ecx, edi
INIT:0000000140A1A52F C1 EF 05 shr edi, 5
INIT:0000000140A1A532 C1 EA 03 shr edx, 3
INIT:0000000140A1A535 8B DF mov ebx, edi
INIT:0000000140A1A537 6B C2 1A imul eax, edx, 1Ah
INIT:0000000140A1A53A 2B C8 sub ecx, eax
INIT:0000000140A1A53C 41 8B C0 mov eax, r8d
INIT:0000000140A1A53F F7 E7 mul edi
INIT:0000000140A1A541 83 C1 61 add ecx, 61h ; 'a'
INIT:0000000140A1A544 C1 EF 05 shr edi, 5
INIT:0000000140A1A547 C1 E1 08 shl ecx, 8
INIT:0000000140A1A54A C1 EA 03 shr edx, 3
INIT:0000000140A1A54D 6B C2 1A imul eax, edx, 1Ah
INIT:0000000140A1A550 2B D8 sub ebx, eax
INIT:0000000140A1A552 41 8B C0 mov eax, r8d
INIT:0000000140A1A555 F7 E7 mul edi
INIT:0000000140A1A557 83 C3 41 add ebx, 41h ; 'A'
INIT:0000000140A1A55A 0B D9 or ebx, ecx
INIT:0000000140A1A55C C1 EA 03 shr edx, 3
INIT:0000000140A1A55F 6B C2 1A imul eax, edx, 1Ah
INIT:0000000140A1A562 8B CF mov ecx, edi
INIT:0000000140A1A564 C1 EF 05 shr edi, 5
INIT:0000000140A1A567 C1 E3 08 shl ebx, 8
INIT:0000000140A1A56A 2B C8 sub ecx, eax
INIT:0000000140A1A56C 41 8B C0 mov eax, r8d
INIT:0000000140A1A56F F7 E7 mul edi
INIT:0000000140A1A571 83 C1 61 add ecx, 61h ; 'a'
INIT:0000000140A1A574 C1 EA 03 shr edx, 3
INIT:0000000140A1A577 0B CB or ecx, ebx
INIT:0000000140A1A579 6B C2 1A imul eax, edx, 1Ah
INIT:0000000140A1A57C C1 E1 08 shl ecx, 8
INIT:0000000140A1A57F 2B F8 sub edi, eax
INIT:0000000140A1A581 83 C7 41 add edi, 41h ; 'A'
INIT:0000000140A1A584 0B F9 or edi, ecx
INIT:0000000140A1A586 EB 5F jmp short loc_140A1A5E7
INIT:0000000140A1A588 ; ---------------------------------------------------------------------------
INIT:0000000140A1A588
INIT:0000000140A1A588 loc_140A1A588: ; CODE XREF: sub_140A19EE4+612↑j
INIT:0000000140A1A588 C7 84 24 24 01 00 00 85 9E 86 B0 mov [rsp+24B8h+var_2394], 0B0869E85h
INIT:0000000140A1A593 8B BC 24 24 01 00 00 mov edi, [rsp+24B8h+var_2394]
INIT:0000000140A1A59A 83 F7 09 xor edi, 9
INIT:0000000140A1A59D C1 CF 21 ror edi, 21h
INIT:0000000140A1A5A0 EB 45 jmp short loc_140A1A5E7
INIT:0000000140A1A5A2 ; ---------------------------------------------------------------------------
INIT:0000000140A1A5A2
INIT:0000000140A1A5A2 loc_140A1A5A2: ; CODE XREF: sub_140A19EE4+609↑j
INIT:0000000140A1A5A2 C7 84 24 28 01 00 00 42 41 66 64 mov [rsp+24B8h+var_2390], 64664142h
INIT:0000000140A1A5AD 8B BC 24 28 01 00 00 mov edi, [rsp+24B8h+var_2390]
INIT:0000000140A1A5B4 C1 CF 08 ror edi, 8
INIT:0000000140A1A5B7 EB 2E jmp short loc_140A1A5E7
INIT:0000000140A1A5B9 ; ---------------------------------------------------------------------------
INIT:0000000140A1A5B9
INIT:0000000140A1A5B9 loc_140A1A5B9: ; CODE XREF: sub_140A19EE4+600↑j
INIT:0000000140A1A5B9 C7 84 24 2C 01 00 00 D8 A6 C6 82 mov [rsp+24B8h+var_238C], 82C6A6D8h
INIT:0000000140A1A5C4 8B BC 24 2C 01 00 00 mov edi, [rsp+24B8h+var_238C]
INIT:0000000140A1A5CB C1 C7 07 rol edi, 7
INIT:0000000140A1A5CE EB 17 jmp short loc_140A1A5E7
INIT:0000000140A1A5D0 ; ---------------------------------------------------------------------------
INIT:0000000140A1A5D0
INIT:0000000140A1A5D0 loc_140A1A5D0: ; CODE XREF: sub_140A19EE4+5F7↑j
INIT:0000000140A1A5D0 C7 84 24 30 01 00 00 72 46 57 4E mov [rsp+24B8h+var_2388], 4E574672h
INIT:0000000140A1A5DB 8B BC 24 30 01 00 00 mov edi, [rsp+24B8h+var_2388]
INIT:0000000140A1A5E2 33 FA xor edi, edx
INIT:0000000140A1A5E4 C1 CF 18 ror edi, 18h
INIT:0000000140A1A5E7
INIT:0000000140A1A5E7 loc_140A1A5E7: ; CODE XREF: sub_140A19EE4+567↑j
INIT:0000000140A1A5E7 ; sub_140A19EE4+584↑j ...
INIT:0000000140A1A5E7 49 8B D4 mov rdx, r12 ; NumberOfBytes
INIT:0000000140A1A5EA 44 8B C7 mov r8d, edi ; Tag
INIT:0000000140A1A5ED B9 00 02 00 00 mov ecx, 200h ; PoolType
INIT:0000000140A1A5F2 E8 39 6A F9 FF call ExAllocatePoolWithTag
INIT:0000000140A1A5F7 48 8B D8 mov rbx, rax
INIT:0000000140A1A5FA 48 85 C0 test rax, rax
INIT:0000000140A1A5FD 0F 84 26 03 00 00 jz loc_140A1A929
INIT:0000000140A1A603 8B 84 24 90 03 00 00 mov eax, dword ptr [rsp+24B8h+var_2128]
INIT:0000000140A1A60A 48 8D 94 24 90 03 00 00 lea rdx, [rsp+24B8h+var_2128]
INIT:0000000140A1A612 4C 8B 8C 24 D8 09 00 00 mov r9, [rsp+24B8h+BugCheckParameter2]
INIT:0000000140A1A61A 83 C0 F8 add eax, 0FFFFFFF8h
INIT:0000000140A1A61D 4C 89 74 24 30 mov [rsp+24B8h+var_2488], r14
INIT:0000000140A1A622 49 83 C1 08 add r9, 8
INIT:0000000140A1A626 48 89 54 24 28 mov [rsp+24B8h+var_2490], rdx
INIT:0000000140A1A62B B9 04 00 00 00 mov ecx, 4
INIT:0000000140A1A630 48 8B D3 mov rdx, rbx
INIT:0000000140A1A633 89 44 24 20 mov dword ptr [rsp+24B8h+BugCheckParameter4], eax
INIT:0000000140A1A637 45 8B C4 mov r8d, r12d
INIT:0000000140A1A63A E8 01 B9 89 FF call RtlDecompressBufferEx
INIT:0000000140A1A63F 85 C0 test eax, eax
INIT:0000000140A1A641 0F 88 BD 9A 01 00 js loc_140A34104
INIT:0000000140A1A647 BF 06 00 00 00 mov edi, 6虚拟机双机调试时 不连接调试器 等进入桌面后,在连接调试器即可 或者等win图片出现连接也可以