Source taken from HEAD just before Casper took it down for the rebuild.
Initially it was hanging just after the splash, so I rebuilt with DBG to see if I could glean more info.
Now it crashes upon install, just before it goes to the GUI config.
Here is a screenshot of the crash: http://homepage.ntlworld.com/gedmurphy/crash.jpg
I have attached the map files for smss. I would have stuck one on for ntoskrnl too, but it's a little large. I can put it up along with anything else if someone wants it.
Regards,
Ged.
smss.nostrip.exe: file format pei-i386
Disassembly of section .text:
00401000 _NtProcessStartup@4: /* Native image's entry point */
# Native entry point of smss: stdcall with one PPEB argument (see 'ret $0x4' at the end).
# Frame: edi saved, 0x34 bytes of locals; PBI lives at ebp-0x38 (0x18 bytes), Status at ebp-0xc.
VOID STDCALL NtProcessStartup(PPEB Peb) {
  401000: 55 push %ebp
  401001: 89 e5 mov %esp,%ebp
  401003: 57 push %edi
  401004: 83 ec 34 sub $0x34,%esp
NTSTATUS Status; PROCESS_BASIC_INFORMATION PBI = {0};
# PBI = {0}: six dwords at ebp-0x38 are cleared with rep stos.
  401007: 8d 7d c8 lea 0xffffffc8(%ebp),%edi
  40100a: fc cld
  40100b: ba 00 00 00 00 mov $0x0,%edx
  401010: b8 06 00 00 00 mov $0x6,%eax
  401015: 89 c1 mov %eax,%ecx
  401017: 89 d0 mov %edx,%eax
  401019: f3 ab repz stos %eax,%es:(%edi)
PrintString("ReactOS Session Manager %s (Build %s)\n",
# PrintString(fmt @0x405020, @0x405010, @0x405000): varargs callee (@0), so the caller pops 16 bytes.
  40101b: 83 ec 04 sub $0x4,%esp
  40101e: 68 00 50 40 00 push $0x405000
  401023: 68 10 50 40 00 push $0x405010
  401028: 68 20 50 40 00 push $0x405020
  40102d: e8 79 26 00 00 call 4036ab _PrintString@0
  401032: 83 c4 10 add $0x10,%esp
KERNEL_RELEASE_STR, KERNEL_VERSION_BUILD_STR);
/* Lookup yourself */ Status = NtQueryInformationProcess (NtCurrentProcess(),
# NtQueryInformationProcess(NtCurrentProcess() = -1, ProcessBasicInformation = 0, &PBI, 0x18, NULL);
# stdcall callee pops the 20 bytes of arguments, 'add $0xc' undoes the alignment sub only.
  401035: 83 ec 0c sub $0xc,%esp
  401038: 6a 00 push $0x0
  40103a: 6a 18 push $0x18
  40103c: 8d 45 c8 lea 0xffffffc8(%ebp),%eax
  40103f: 50 push %eax
  401040: 6a 00 push $0x0
  401042: 6a ff push $0xffffffff
  401044: e8 27 29 00 00 call 403970 _NtQueryInformationProcess@20
  401049: 83 c4 0c add $0xc,%esp
  40104c: 89 45 f4 mov %eax,0xfffffff4(%ebp)
ProcessBasicInformation, & PBI, sizeof PBI, NULL); if(NT_SUCCESS(Status))
# NT_SUCCESS is a sign test: only when Status >= 0 is SmSsProcessId (0x406000) taken from
# PBI.UniqueProcessId (PBI+0x10 = ebp-0x28).
  40104f: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp)
  401053: 78 08 js 40105d <_NtProcessStartup@4+0x5d>
{ SmSsProcessId = PBI.UniqueProcessId;
  401055: 8b 45 d8 mov 0xffffffd8(%ebp),%eax
  401058: a3 00 60 40 00 mov %eax,0x406000
} /* Initialize the system */ Status = InitSessionManager();
  40105d: e8 24 01 00 00 call 401186 <_InitSessionManager>
  401062: 89 45 f4 mov %eax,0xfffffff4(%ebp)
# Everything between '#if 0' and '#endif' in the interleaved source below is compiled out:
# there is no wait on child processes and no hard error in this build.
#if 0 if (!NT_SUCCESS(Status)) { int i; for (i=0; i < (sizeof Children / sizeof Children[0]); i++) { if (Children[i]) { NtTerminateProcess(Children[i],0); } } DPRINT1("SM: Initialization failed!\n"); goto ByeBye; }
Status = NtWaitForMultipleObjects(((LONG) sizeof(Children) / sizeof(HANDLE)), Children, WaitAny, TRUE, /* alertable */ NULL); /* NULL for infinite */ if (!NT_SUCCESS(Status)) { DPRINT1("SM: NtWaitForMultipleObjects failed! (Status=0x%08lx)\n", Status); } else { DPRINT1("SM: Process terminated!\n"); }
ByeBye: /* Raise a hard error (crash the system/BSOD) */ NtRaiseHardError(STATUS_SYSTEM_PROCESS_TERMINATED, 0,0,0,0,0);
// NtTerminateProcess(NtCurrentProcess(), 0); #endif NtTerminateThread(NtCurrentThread(), Status);
# NOTE(review): InitSessionManager's Status is never tested here; the initial thread is terminated
# with it as the exit code on both the success and the failure path. Confirm that is intended.
# NtTerminateThread(NtCurrentThread() = -2, Status).
  401065: 83 ec 08 sub $0x8,%esp
  401068: ff 75 f4 pushl 0xfffffff4(%ebp)
  40106b: 6a fe push $0xfffffffe
  40106d: e8 0e 29 00 00 call 403980 _NtTerminateThread@8
  401072: 83 c4 08 add $0x8,%esp
}
  401075: 8b 7d fc mov 0xfffffffc(%ebp),%edi
  401078: c9 leave
  401079: c2 04 00 ret $0x4
  40107c: 90 nop
  40107d: 90 nop
  40107e: 90 nop
  40107f: 90 nop
00401080 <_SmpSignalInitEvent>:
# No source is interleaved for this routine; the layout below is read from the stack offsets.
# Frame: Status at ebp-0xc (preset to 0), OBJECT_ATTRIBUTES at ebp-0x38 (0x18 bytes, zeroed),
# UNICODE_STRING at ebp-0x40, event handle at ebp-0x44, LARGE_INTEGER timeout at ebp-0x50.
  401080: 55 push %ebp
  401081: 89 e5 mov %esp,%ebp
  401083: 57 push %edi
  401084: 83 ec 54 sub $0x54,%esp
  401087: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp)
  40108e: 8d 7d c8 lea 0xffffffc8(%ebp),%edi
  401091: fc cld
  401092: ba 00 00 00 00 mov $0x0,%edx
  401097: b8 06 00 00 00 mov $0x6,%eax
  40109c: 89 c1 mov %eax,%ecx
  40109e: 89 d0 mov %edx,%eax
  4010a0: f3 ab repz stos %eax,%es:(%edi)
  4010a2: c7 45 c0 00 00 00 00 movl $0x0,0xffffffc0(%ebp)
  4010a9: c7 45 c4 00 00 00 00 movl $0x0,0xffffffc4(%ebp)
  4010b0: c7 45 bc 00 00 00 00 movl $0x0,0xffffffbc(%ebp)
# RtlInitUnicodeString(&Name, @0x405060); the event name string itself is not in this listing.
  4010b7: 83 ec 08 sub $0x8,%esp
  4010ba: 68 60 50 40 00 push $0x405060
  4010bf: 8d 45 c0 lea 0xffffffc0(%ebp),%eax
  4010c2: 50 push %eax
  4010c3: e8 c8 28 00 00 call 403990 _RtlInitUnicodeString@8
  4010c8: 83 c4 08 add $0x8,%esp
# OBJECT_ATTRIBUTES: Length=0x18, ObjectName=&Name, RootDirectory/SD/SQOS=NULL.
  4010cb: c7 45 c8 18 00 00 00 movl $0x18,0xffffffc8(%ebp)
  4010d2: 8d 45 c0 lea 0xffffffc0(%ebp),%eax
  4010d5: 89 45 d0 mov %eax,0xffffffd0(%ebp)
# NOTE(review): 0x1f0003 is stored at ebp-0x2c, which is the Attributes field (offset 0xc) of the
# OBJECT_ATTRIBUTES; it is the same mask passed as DesiredAccess below (EVENT_ALL_ACCESS). This looks
# like the access mask was handed to InitializeObjectAttributes in the Attributes position. Most of
# those bits are not valid OBJ_* flags, so NtOpenEvent can be expected to reject the call under NT's
# attribute validation - confirm against the SmpSignalInitEvent source, which this dump does not show.
  4010d8: c7 45 d4 03 00 1f 00 movl $0x1f0003,0xffffffd4(%ebp)
  4010df: c7 45 cc 00 00 00 00 movl $0x0,0xffffffcc(%ebp)
  4010e6: c7 45 d8 00 00 00 00 movl $0x0,0xffffffd8(%ebp)
  4010ed: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp)
# NtOpenEvent(&Handle, EVENT_ALL_ACCESS = 0x1f0003, &ObjectAttributes); Status -> ebp-0xc.
  4010f4: 83 ec 04 sub $0x4,%esp
  4010f7: 8d 45 c8 lea 0xffffffc8(%ebp),%eax
  4010fa: 50 push %eax
  4010fb: 68 03 00 1f 00 push $0x1f0003
  401100: 8d 45 bc lea 0xffffffbc(%ebp),%eax
  401103: 50 push %eax
  401104: e8 97 28 00 00 call 4039a0 _NtOpenEvent@12
  401109: 83 c4 04 add $0x4,%esp
  40110c: 89 45 f4 mov %eax,0xfffffff4(%ebp)
  40110f: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp)
  401113: 78 42 js 401157 <_SmpSignalInitEvent+0xd7>
# NtPulseEvent(Handle, NULL) - its return value is discarded.
  401115: 83 ec 08 sub $0x8,%esp
  401118: 6a 00 push $0x0
  40111a: ff 75 bc pushl 0xffffffbc(%ebp)
  40111d: e8 8e 28 00 00 call 4039b0 _NtPulseEvent@8
  401122: 83 c4 08 add $0x8,%esp
# Timeout = 0xfffffffffd050f80 = -50,000,000 in 100 ns units, i.e. a 5 second relative wait.
  401125: c7 45 b0 80 0f 05 fd movl $0xfd050f80,0xffffffb0(%ebp)
  40112c: c7 45 b4 ff ff ff ff movl $0xffffffff,0xffffffb4(%ebp)
# NtWaitForSingleObject(Handle, Alertable=FALSE, &Timeout); the result is discarded, so a
# timeout and a signalled event are indistinguishable to the caller.
  401133: 83 ec 04 sub $0x4,%esp
  401136: 8d 45 b0 lea 0xffffffb0(%ebp),%eax
  401139: 50 push %eax
  40113a: 6a 00 push $0x0
  40113c: ff 75 bc pushl 0xffffffbc(%ebp)
  40113f: e8 7c 28 00 00 call 4039c0 _NtWaitForSingleObject@12
  401144: 83 c4 04 add $0x4,%esp
  401147: 83 ec 0c sub $0xc,%esp
  40114a: ff 75 bc pushl 0xffffffbc(%ebp)
  40114d: e8 7e 28 00 00 call 4039d0 _NtClose@4
  401152: 83 c4 0c add $0xc,%esp
  401155: eb 27 jmp 40117e <_SmpSignalInitEvent+0xfe>
# Failure path: DbgPrint(@0x405089, @0x405082, 0x44) then DbgPrint(@0x4050a0) - looks like a
# DPRINT1-style file/line prefix followed by a message; the strings are not in this listing.
  401157: 83 ec 04 sub $0x4,%esp
  40115a: 6a 44 push $0x44
  40115c: 68 82 50 40 00 push $0x405082
  401161: 68 89 50 40 00 push $0x405089
  401166: e8 75 28 00 00 call 4039e0 <_DbgPrint>
  40116b: 83 c4 10 add $0x10,%esp
  40116e: 83 ec 0c sub $0xc,%esp
  401171: 68 a0 50 40 00 push $0x4050a0
  401176: e8 65 28 00 00 call 4039e0 <_DbgPrint>
  40117b: 83 c4 10 add $0x10,%esp
# Returns the NtOpenEvent status (0 when the open succeeded).
  40117e: 8b 45 f4 mov 0xfffffff4(%ebp),%eax
  401181: 8b 7d fc mov 0xfffffffc(%ebp),%edi
  401184: c9 leave
  401185: c3 ret
00401186 <_InitSessionManager>:
/* EOF */
# Runs an init table at 0x404000: 15 entries (i = 0 while i <= 0xe), 12 bytes each -
# +0 a flag, +4 the routine pointer, +8 a name string. Locals: i at ebp-0x4, Status at
# ebp-0x8, return value at ebp-0xc.
  401186: 55 push %ebp
  401187: 89 e5 mov %esp,%ebp
  401189: 83 ec 18 sub $0x18,%esp
  40118c: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp)
  401193: c7 45 f8 00 00 00 00 movl $0x0,0xfffffff8(%ebp)
  40119a: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp)
  4011a1: 83 7d fc 0e cmpl $0xe,0xfffffffc(%ebp)
  4011a5: 76 05 jbe 4011ac <_InitSessionManager+0x26>
  4011a7: e9 82 00 00 00 jmp 40122e <_InitSessionManager+0xa8>
# eax = i * 12; call the entry's routine (no arguments are pushed, none are cleaned up).
  4011ac: 8b 55 fc mov 0xfffffffc(%ebp),%edx
  4011af: 89 d0 mov %edx,%eax
  4011b1: 01 c0 add %eax,%eax
  4011b3: 01 d0 add %edx,%eax
  4011b5: c1 e0 02 shl $0x2,%eax
  4011b8: 8b 80 04 40 40 00 mov 0x404004(%eax),%eax
  4011be: ff d0 call *%eax
  4011c0: 89 45 f8 mov %eax,0xfffffff8(%ebp)
  4011c3: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp)
  4011c7: 79 5b jns 401224 <_InitSessionManager+0x9e>
# Routine failed: DPRINT1-style prefix (line 0x6c), then DbgPrint(@0x405280, @0x405265, name, Status).
  4011c9: 83 ec 04 sub $0x4,%esp
  4011cc: 6a 6c push $0x6c
  4011ce: 68 82 50 40 00 push $0x405082
  4011d3: 68 89 50 40 00 push $0x405089
  4011d8: e8 03 28 00 00 call 4039e0 <_DbgPrint>
  4011dd: 83 c4 10 add $0x10,%esp
  4011e0: ff 75 f8 pushl 0xfffffff8(%ebp)
  4011e3: 8b 55 fc mov 0xfffffffc(%ebp),%edx
  4011e6: 89 d0 mov %edx,%eax
  4011e8: 01 c0 add %eax,%eax
  4011ea: 01 d0 add %edx,%eax
  4011ec: c1 e0 02 shl $0x2,%eax
  4011ef: ff b0 08 40 40 00 pushl 0x404008(%eax)
  4011f5: 68 65 52 40 00 push $0x405265
  4011fa: 68 80 52 40 00 push $0x405280
  4011ff: e8 dc 27 00 00 call 4039e0 <_DbgPrint>
  401204: 83 c4 10 add $0x10,%esp
# If the entry's +0 flag is zero the failure is tolerated and the loop continues;
# otherwise the failing Status is returned immediately.
  401207: 8b 55 fc mov 0xfffffffc(%ebp),%edx
  40120a: 89 d0 mov %edx,%eax
  40120c: 01 c0 add %eax,%eax
  40120e: 01 d0 add %edx,%eax
  401210: c1 e0 02 shl $0x2,%eax
  401213: 83 b8 00 40 40 00 00 cmpl $0x0,0x404000(%eax)
  40121a: 74 08 je 401224 <_InitSessionManager+0x9e>
  40121c: 8b 45 f8 mov 0xfffffff8(%ebp),%eax
  40121f: 89 45 f4 mov %eax,0xfffffff4(%ebp)
  401222: eb 11 jmp 401235 <_InitSessionManager+0xaf>
  401224: 8d 45 fc lea 0xfffffffc(%ebp),%eax
  401227: ff 00 incl (%eax)
  401229: e9 73 ff ff ff jmp 4011a1 <_InitSessionManager+0x1b>
# All entries ran: return STATUS_SUCCESS (0).
  40122e: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp)
  401235: 8b 45 f4 mov 0xfffffff4(%ebp),%eax
  401238: c9 leave
  401239: c3 ret
  40123a: 90 nop
  40123b: 90 nop
  40123c: 90 nop
  40123d: 90 nop
  40123e: 90 nop
  40123f: 90 nop
00401240 <_SmCreateHeap>:
HANDLE SmpHeap = NULL;
# Creates the session manager's private heap and stores it in SmpHeap (0x406010).
NTSTATUS SmCreateHeap(VOID) {
  401240: 55 push %ebp
  401241: 89 e5 mov %esp,%ebp
  401243: 83 ec 08 sub $0x8,%esp
/* Create our own heap */ SmpHeap = RtlCreateHeap(HEAP_GROWABLE,
# RtlCreateHeap(HEAP_GROWABLE = 2, NULL, 0x10000, 0x10000, NULL, NULL); stdcall, 24 bytes of args.
  401246: 83 ec 08 sub $0x8,%esp
  401249: 6a 00 push $0x0
  40124b: 6a 00 push $0x0
  40124d: 68 00 00 01 00 push $0x10000
  401252: 68 00 00 01 00 push $0x10000
  401257: 6a 00 push $0x0
  401259: 6a 02 push $0x2
  40125b: e8 90 27 00 00 call 4039f0 _RtlCreateHeap@24
  401260: 83 c4 08 add $0x8,%esp
  401263: a3 10 60 40 00 mov %eax,0x406010
NULL, 65536, 65536, NULL, NULL); return (NULL == SmpHeap) ? STATUS_UNSUCCESSFUL : STATUS_SUCCESS;
# 0xc0000001 is STATUS_UNSUCCESSFUL; returned when the heap handle is NULL.
  401268: 83 3d 10 60 40 00 00 cmpl $0x0,0x406010
  40126f: 75 09 jne 40127a <_SmCreateHeap+0x3a>
  401271: c7 45 fc 01 00 00 c0 movl $0xc0000001,0xfffffffc(%ebp)
  401278: eb 07 jmp 401281 <_SmCreateHeap+0x41>
  40127a: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp)
  401281: 8b 45 fc mov 0xfffffffc(%ebp),%eax
}
  401284: c9 leave
  401285: c3 ret
  401286: 90 nop
  401287: 90 nop
  401288: 90 nop
  401289: 90 nop
  40128a: 90 nop
  40128b: 90 nop
  40128c: 90 nop
  40128d: 90 nop
  40128e: 90 nop
  40128f: 90 nop
00401290 <_SmCreateEnvironment>:
# RtlCreateEnvironment(Inherit = 0, &SmSystemEnvironment @0x406020); its status is returned
# untouched in eax.
  401290: 55 push %ebp
  401291: 89 e5 mov %esp,%ebp
  401293: 83 ec 08 sub $0x8,%esp
  401296: 83 ec 08 sub $0x8,%esp
  401299: 68 20 60 40 00 push $0x406020
  40129e: 6a 00 push $0x0
  4012a0: e8 5b 27 00 00 call 403a00 _RtlCreateEnvironment@8
  4012a5: 83 c4 08 add $0x8,%esp
  4012a8: c9 leave
  4012a9: c3 ret
004012aa <_SmpSetEnvironmentVariable>:
# cdecl helper: (Environment = 0x8(%ebp), Name = 0xc(%ebp), Value = 0x10(%ebp)).
# Builds two UNICODE_STRINGs on the stack (Name at ebp-0x8, Value at ebp-0x10) and calls
# RtlSetEnvironmentVariable(Environment, &Name, &Value).
  4012aa: 55 push %ebp
  4012ab: 89 e5 mov %esp,%ebp
  4012ad: 83 ec 18 sub $0x18,%esp
  4012b0: 83 ec 08 sub $0x8,%esp
  4012b3: ff 75 0c pushl 0xc(%ebp)
  4012b6: 8d 45 f8 lea 0xfffffff8(%ebp),%eax
  4012b9: 50 push %eax
  4012ba: e8 d1 26 00 00 call 403990 _RtlInitUnicodeString@8
  4012bf: 83 c4 08 add $0x8,%esp
  4012c2: 83 ec 08 sub $0x8,%esp
  4012c5: ff 75 10 pushl 0x10(%ebp)
  4012c8: 8d 45 f0 lea 0xfffffff0(%ebp),%eax
  4012cb: 50 push %eax
  4012cc: e8 bf 26 00 00 call 403990 _RtlInitUnicodeString@8
  4012d1: 83 c4 08 add $0x8,%esp
  4012d4: 83 ec 04 sub $0x4,%esp
  4012d7: 8d 45 f0 lea 0xfffffff0(%ebp),%eax
  4012da: 50 push %eax
  4012db: 8d 45 f8 lea 0xfffffff8(%ebp),%eax
  4012de: 50 push %eax
  4012df: ff 75 08 pushl 0x8(%ebp)
  4012e2: e8 29 27 00 00 call 403a10 _RtlSetEnvironmentVariable@12
  4012e7: 83 c4 04 add $0x4,%esp
# NOTE(review): eax is overwritten with 0 right after the call, so RtlSetEnvironmentVariable's
# status is discarded and every caller sees STATUS_SUCCESS; returning eax as-is would propagate it.
  4012ea: b8 00 00 00 00 mov $0x0,%eax
  4012ef: c9 leave
  4012f0: c3 ret
004012f1 _SmpEnvironmentQueryRoutine@24:
# RTL_QUERY_REGISTRY_ROUTINE callback (stdcall, six args: ValueName 0x8, ValueType 0xc,
# ValueData 0x10, ValueLength 0x14, Context 0x18, EntryContext 0x1c).
# Values that are not REG_SZ (1) are ignored with STATUS_SUCCESS; REG_SZ values are forwarded as
# SmpSetEnvironmentVariable(Context, ValueName, ValueData), whose result (always 0) is returned.
  4012f1: 55 push %ebp
  4012f2: 89 e5 mov %esp,%ebp
  4012f4: 83 ec 08 sub $0x8,%esp
  4012f7: 83 7d 0c 01 cmpl $0x1,0xc(%ebp)
  4012fb: 74 09 je 401306 <_SmpEnvironmentQueryRoutine@24+0x15>
  4012fd: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp)
  401304: eb 17 jmp 40131d <_SmpEnvironmentQueryRoutine@24+0x2c>
  401306: 83 ec 04 sub $0x4,%esp
  401309: ff 75 10 pushl 0x10(%ebp)
  40130c: ff 75 08 pushl 0x8(%ebp)
  40130f: ff 75 18 pushl 0x18(%ebp)
  401312: e8 93 ff ff ff call 4012aa <_SmpSetEnvironmentVariable>
  401317: 83 c4 10 add $0x10,%esp
  40131a: 89 45 fc mov %eax,0xfffffffc(%ebp)
  40131d: 8b 45 fc mov 0xfffffffc(%ebp),%eax
  401320: c9 leave
  401321: c2 18 00 ret $0x18
00401324 <_SmSetEnvironmentVariables>:
# Frame 0x268: ValueBuffer at ebp-0x258 (0x210 bytes up to QueryTable, i.e. 264 WCHARs),
# Status at ebp-0x25c, QueryTable[2] at ebp-0x48 (2 * 0x1c = 0x38 bytes).
  401324: 55 push %ebp
  401325: 89 e5 mov %esp,%ebp
  401327: 81 ec 68 02 00 00 sub $0x268,%esp
*/
/* Copy system root into value buffer */ wcscpy(ValueBuffer,
# 0x7ffe0030 is SharedUserData->NtSystemRoot (KUSER_SHARED_DATA at 0x7ffe0000 + 0x30). The copy is
# unbounded; it fits only because NtSystemRoot is a fixed 260-WCHAR field - assumes the NT layout.
  40132d: 83 ec 08 sub $0x8,%esp
  401330: 68 30 00 fe 7f push $0x7ffe0030
  401335: 8d 85 a8 fd ff ff lea 0xfffffda8(%ebp),%eax
  40133b: 50 push %eax
  40133c: e8 ff 26 00 00 call 403a40 <_wcscpy>
  401341: 83 c4 10 add $0x10,%esp
SharedUserData->NtSystemRoot);
/* Set SystemRoot = "C:\reactos" */ SmpSetEnvironmentVariable(&SmSystemEnvironment,L"SystemRoot",ValueBuffer);
# SmpSetEnvironmentVariable always returns 0, so a failed RtlSetEnvironmentVariable is invisible here.
  401344: 83 ec 04 sub $0x4,%esp
  401347: 8d 85 a8 fd ff ff lea 0xfffffda8(%ebp),%eax
  40134d: 50 push %eax
  40134e: 68 c0 52 40 00 push $0x4052c0
  401353: 68 20 60 40 00 push $0x406020
  401358: e8 4d ff ff ff call 4012aa <_SmpSetEnvironmentVariable>
  40135d: 83 c4 10 add $0x10,%esp
/* Cut off trailing path */ ValueBuffer[2] = 0;
# ebp-0x254 = ValueBuffer + 2 WCHARs: truncates "X:\..." to the drive letter and colon.
  401360: 66 c7 85 ac fd ff ff movw $0x0,0xfffffdac(%ebp)
  401367: 00 00
/* Set SystemDrive = "C:" */ SmpSetEnvironmentVariable(&SmSystemEnvironment,L"SystemDrive",ValueBuffer);
  401369: 83 ec 04 sub $0x4,%esp
  40136c: 8d 85 a8 fd ff ff lea 0xfffffda8(%ebp),%eax
  401372: 50 push %eax
  401373: 68 d6 52 40 00 push $0x4052d6
  401378: 68 20 60 40 00 push $0x406020
  40137d: e8 28 ff ff ff call 4012aa <_SmpSetEnvironmentVariable>
  401382: 83 c4 10 add $0x10,%esp
/* Read system environment from the registry. */ RtlZeroMemory(&QueryTable,
  401385: 83 ec 08 sub $0x8,%esp
  401388: 6a 38 push $0x38
  40138a: 8d 45 b8 lea 0xffffffb8(%ebp),%eax
  40138d: 50 push %eax
  40138e: e8 8d 26 00 00 call 403a20 _RtlZeroMemory@8
  401393: 83 c4 08 add $0x8,%esp
sizeof(QueryTable));
QueryTable[0].QueryRoutine = SmpEnvironmentQueryRoutine;
# Only QueryRoutine is set; Name stays NULL, so the callback runs for every value in the key.
  401396: c7 45 b8 f1 12 40 00 movl $0x4012f1,0xffffffb8(%ebp)
Status = RtlQueryRegistryValues(RTL_REGISTRY_CONTROL,
# RtlQueryRegistryValues(RTL_REGISTRY_CONTROL = 2, path @0x405300, QueryTable,
#                        Context = &SmSystemEnvironment, Environment = SmSystemEnvironment).
  40139d: 83 ec 0c sub $0xc,%esp
  4013a0: ff 35 20 60 40 00 pushl 0x406020
  4013a6: 68 20 60 40 00 push $0x406020
  4013ab: 8d 45 b8 lea 0xffffffb8(%ebp),%eax
  4013ae: 50 push %eax
  4013af: 68 00 53 40 00 push $0x405300
  4013b4: 6a 02 push $0x2
  4013b6: e8 75 26 00 00 call 403a30 _RtlQueryRegistryValues@20
  4013bb: 83 c4 0c add $0xc,%esp
  4013be: 89 85 a4 fd ff ff mov %eax,0xfffffda4(%ebp)
L"\Session Manager\Environment", QueryTable, &SmSystemEnvironment, SmSystemEnvironment);
return(Status);
  4013c4: 8b 85 a4 fd ff ff mov 0xfffffda4(%ebp),%eax
}
  4013ca: c9 leave
  4013cb: c3 ret
004013cc <_SmUpdateEnvironment>:
# Stub: does nothing and returns STATUS_SUCCESS (0).
/********************************************************************** * Set environment variables from registry */ NTSTATUS SmUpdateEnvironment(VOID) {
  4013cc: 55 push %ebp
  4013cd: 89 e5 mov %esp,%ebp
/* TODO */ return STATUS_SUCCESS;
  4013cf: b8 00 00 00 00 mov $0x0,%eax
}
  4013d4: 5d pop %ebp
  4013d5: c3 ret
  4013d6: 90 nop
  4013d7: 90 nop
  4013d8: 90 nop
  4013d9: 90 nop
  4013da: 90 nop
  4013db: 90 nop
  4013dc: 90 nop
  4013dd: 90 nop
  4013de: 90 nop
  4013df: 90 nop
004013e0 _SmpObjectDirectoryQueryRoutine@24:
# Registry callback (same six-argument layout as the other *QueryRoutine@24 routines).
# Frame: Status at ebp-0x38 (preset 0), return value at ebp-0x3c, WindowsDirectory handle at
# ebp-0x34, UNICODE_STRING at ebp-0x30, OBJECT_ATTRIBUTES at ebp-0x28.
  4013e0: 55 push %ebp
  4013e1: 89 e5 mov %esp,%ebp
  4013e3: 83 ec 48 sub $0x48,%esp
  4013e6: c7 45 c8 00 00 00 00 movl $0x0,0xffffffc8(%ebp)
DbgPrint("ValueData '%S'\n", (PWSTR)ValueData); #endif if (ValueType != REG_SZ)
# Non-REG_SZ values are skipped with STATUS_SUCCESS.
  4013ed: 83 7d 0c 01 cmpl $0x1,0xc(%ebp)
  4013f1: 74 09 je 4013fc <_SmpObjectDirectoryQueryRoutine@24+0x1c>
{ return(STATUS_SUCCESS);
  4013f3: c7 45 c4 00 00 00 00 movl $0x0,0xffffffc4(%ebp)
  4013fa: eb 59 jmp 401455 <_SmpObjectDirectoryQueryRoutine@24+0x75>
}
RtlInitUnicodeString(&UnicodeString,
  4013fc: 83 ec 08 sub $0x8,%esp
  4013ff: ff 75 10 pushl 0x10(%ebp)
  401402: 8d 45 d0 lea 0xffffffd0(%ebp),%eax
  401405: 50 push %eax
  401406: e8 85 25 00 00 call 403990 _RtlInitUnicodeString@8
  40140b: 83 c4 08 add $0x8,%esp
(PWSTR)ValueData);
InitializeObjectAttributes(&ObjectAttributes,
# Attributes = 0: neither OBJ_PERMANENT nor OBJ_CASE_INSENSITIVE, no root directory.
  40140e: c7 45 d8 18 00 00 00 movl $0x18,0xffffffd8(%ebp)
  401415: 8d 45 d0 lea 0xffffffd0(%ebp),%eax
  401418: 89 45 e0 mov %eax,0xffffffe0(%ebp)
  40141b: c7 45 e4 00 00 00 00 movl $0x0,0xffffffe4(%ebp)
  401422: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp)
  401429: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp)
  401430: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp)
&UnicodeString, 0, NULL, NULL);
Status = ZwCreateDirectoryObject(&WindowsDirectory,
# ZwCreateDirectoryObject(&WindowsDirectory, DesiredAccess = 0, &ObjectAttributes).
# NOTE(review): the handle is a local that is never closed, and the directory is not OBJ_PERMANENT,
# so the object stays alive only through that leaked handle. SmLoadKnownDlls creates its directory
# with attributes 0xd0 (OBJ_PERMANENT|OBJ_CASE_INSENSITIVE|OBJ_OPENIF) and closes the handle; if the
# same lifetime is intended here, OBJ_PERMANENT plus an NtClose would be the consistent form - confirm.
  401437: 83 ec 04 sub $0x4,%esp
  40143a: 8d 45 d8 lea 0xffffffd8(%ebp),%eax
  40143d: 50 push %eax
  40143e: 6a 00 push $0x0
  401440: 8d 45 cc lea 0xffffffcc(%ebp),%eax
  401443: 50 push %eax
  401444: e8 07 26 00 00 call 403a50 _ZwCreateDirectoryObject@12
  401449: 83 c4 04 add $0x4,%esp
  40144c: 89 45 c8 mov %eax,0xffffffc8(%ebp)
0, &ObjectAttributes);
return(Status);
# The create status is returned, so a failed directory aborts RtlQueryRegistryValues' enumeration.
  40144f: 8b 45 c8 mov 0xffffffc8(%ebp),%eax
  401452: 89 45 c4 mov %eax,0xffffffc4(%ebp)
}
  401455: 8b 45 c4 mov 0xffffffc4(%ebp),%eax
  401458: c9 leave
  401459: c2 18 00 ret $0x18
0040145c <_SmCreateObjectDirectories>:
# Frame 0x58: QueryTable[2] at ebp-0x48 (0x38 bytes), Status at ebp-0x4c.
NTSTATUS SmCreateObjectDirectories(VOID) {
  40145c: 55 push %ebp
  40145d: 89 e5 mov %esp,%ebp
  40145f: 83 ec 58 sub $0x58,%esp
RTL_QUERY_REGISTRY_TABLE QueryTable[2]; NTSTATUS Status;
RtlZeroMemory(&QueryTable,
  401462: 83 ec 08 sub $0x8,%esp
  401465: 6a 38 push $0x38
  401467: 8d 45 b8 lea 0xffffffb8(%ebp),%eax
  40146a: 50 push %eax
  40146b: e8 b0 25 00 00 call 403a20 _RtlZeroMemory@8
  401470: 83 c4 08 add $0x8,%esp
sizeof(QueryTable));
QueryTable[0].Name = L"ObjectDirectories";
# Name (table offset 8) = @0x405340, QueryRoutine (offset 0) = SmpObjectDirectoryQueryRoutine.
  401473: c7 45 c0 40 53 40 00 movl $0x405340,0xffffffc0(%ebp)
QueryTable[0].QueryRoutine = SmpObjectDirectoryQueryRoutine;
  40147a: c7 45 b8 e0 13 40 00 movl $0x4013e0,0xffffffb8(%ebp)
Status = RtlQueryRegistryValues(RTL_REGISTRY_CONTROL,
# RtlQueryRegistryValues(RTL_REGISTRY_CONTROL = 2, SM_REGISTRY_ROOT_NAME @0x405380, QueryTable, NULL, NULL).
  401481: 83 ec 0c sub $0xc,%esp
  401484: 6a 00 push $0x0
  401486: 6a 00 push $0x0
  401488: 8d 45 b8 lea 0xffffffb8(%ebp),%eax
  40148b: 50 push %eax
  40148c: 68 80 53 40 00 push $0x405380
  401491: 6a 02 push $0x2
  401493: e8 98 25 00 00 call 403a30 _RtlQueryRegistryValues@20
  401498: 83 c4 0c add $0xc,%esp
  40149b: 89 45 b4 mov %eax,0xffffffb4(%ebp)
SM_REGISTRY_ROOT_NAME, QueryTable, NULL, NULL);
return(Status);
  40149e: 8b 45 b4 mov 0xffffffb4(%ebp),%eax
}
  4014a1: c9 leave
  4014a2: c3 ret
  4014a3: 90 nop
  4014a4: 90 nop
  4014a5: 90 nop
  4014a6: 90 nop
  4014a7: 90 nop
  4014a8: 90 nop
  4014a9: 90 nop
  4014aa: 90 nop
  4014ab: 90 nop
  4014ac: 90 nop
  4014ad: 90 nop
  4014ae: 90 nop
  4014af: 90 nop
004014b0 _SmpDosDevicesQueryRoutine@24:
# Registry callback: creates one permanent symbolic link per REG_SZ value.
# Frame 0xf8: return value at ebp-0xf0, Status at ebp-0xec, LinkBuffer at ebp-0xe8 (0xb0 bytes =
# 88 WCHARs, up to LinkName), LinkName UNICODE_STRING at ebp-0x38, LinkTarget at ebp-0x30,
# OBJECT_ATTRIBUTES at ebp-0x28, link handle at ebp-0x3c.
  4014b0: 55 push %ebp
  4014b1: 89 e5 mov %esp,%ebp
  4014b3: 81 ec f8 00 00 00 sub $0xf8,%esp
  4014b9: 83 7d 0c 01 cmpl $0x1,0xc(%ebp)
  4014bd: 74 0f je 4014ce <_SmpDosDevicesQueryRoutine@24+0x1e>
  4014bf: c7 85 10 ff ff ff 00 movl $0x0,0xffffff10(%ebp)
  4014c6: 00 00 00
  4014c9: e9 db 00 00 00 jmp 4015a9 <_SmpDosDevicesQueryRoutine@24+0xf9>
# swprintf(LinkBuffer, fmt @0x4053c0, ValueName) - the format string is not in this listing.
# NOTE(review): swprintf is unbounded and LinkBuffer holds 88 WCHARs; ValueName is a registry
# value name (key path @0x405440 in SmInitDosDevices), so an over-long name overruns the frame.
# A bounded formatter (_snwprintf with the buffer's element count, then a length check) avoids this.
  4014ce: 83 ec 04 sub $0x4,%esp
  4014d1: ff 75 08 pushl 0x8(%ebp)
  4014d4: 68 c0 53 40 00 push $0x4053c0
  4014d9: 8d 85 18 ff ff ff lea 0xffffff18(%ebp),%eax
  4014df: 50 push %eax
  4014e0: e8 8b 25 00 00 call 403a70 <_swprintf>
  4014e5: 83 c4 10 add $0x10,%esp
  4014e8: 83 ec 08 sub $0x8,%esp
  4014eb: 8d 85 18 ff ff ff lea 0xffffff18(%ebp),%eax
  4014f1: 50 push %eax
  4014f2: 8d 45 c8 lea 0xffffffc8(%ebp),%eax
  4014f5: 50 push %eax
  4014f6: e8 95 24 00 00 call 403990 _RtlInitUnicodeString@8
  4014fb: 83 c4 08 add $0x8,%esp
  4014fe: 83 ec 08 sub $0x8,%esp
  401501: ff 75 10 pushl 0x10(%ebp)
  401504: 8d 45 d0 lea 0xffffffd0(%ebp),%eax
  401507: 50 push %eax
  401508: e8 83 24 00 00 call 403990 _RtlInitUnicodeString@8
  40150d: 83 c4 08 add $0x8,%esp
# OBJECT_ATTRIBUTES: ObjectName = &LinkName, Attributes = 0x10 (OBJ_PERMANENT), no root directory.
  401510: c7 45 d8 18 00 00 00 movl $0x18,0xffffffd8(%ebp)
  401517: 8d 45 c8 lea 0xffffffc8(%ebp),%eax
  40151a: 89 45 e0 mov %eax,0xffffffe0(%ebp)
  40151d: c7 45 e4 10 00 00 00 movl $0x10,0xffffffe4(%ebp)
  401524: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp)
  40152b: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp)
  401532: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp)
# NtCreateSymbolicLinkObject(&Handle, SYMBOLIC_LINK_ALL_ACCESS = 0xf0001, &ObjectAttributes, &LinkTarget).
  401539: 8d 45 d0 lea 0xffffffd0(%ebp),%eax
  40153c: 50 push %eax
  40153d: 8d 45 d8 lea 0xffffffd8(%ebp),%eax
  401540: 50 push %eax
  401541: 68 01 00 0f 00 push $0xf0001
  401546: 8d 45 c4 lea 0xffffffc4(%ebp),%eax
  401549: 50 push %eax
  40154a: e8 11 25 00 00 call 403a60 _NtCreateSymbolicLinkObject@16
  40154f: 89 85 14 ff ff ff mov %eax,0xffffff14(%ebp)
  401555: 83 bd 14 ff ff ff 00 cmpl $0x0,0xffffff14(%ebp)
  40155c: 79 31 jns 40158f <_SmpDosDevicesQueryRoutine@24+0xdf>
# Failure: DPRINT1-style prefix (line 0x4f), then DbgPrint(@0x405400, @0x4053e4, &LinkName, &LinkTarget).
  40155e: 83 ec 04 sub $0x4,%esp
  401561: 6a 4f push $0x4f
  401563: 68 ce 53 40 00 push $0x4053ce
  401568: 68 db 53 40 00 push $0x4053db
  40156d: e8 6e 24 00 00 call 4039e0 <_DbgPrint>
  401572: 83 c4 10 add $0x10,%esp
  401575: 8d 45 d0 lea 0xffffffd0(%ebp),%eax
  401578: 50 push %eax
  401579: 8d 45 c8 lea 0xffffffc8(%ebp),%eax
  40157c: 50 push %eax
  40157d: 68 e4 53 40 00 push $0x4053e4
  401582: 68 00 54 40 00 push $0x405400
  401587: e8 54 24 00 00 call 4039e0 <_DbgPrint>
  40158c: 83 c4 10 add $0x10,%esp
# NOTE(review): NtClose runs on both paths, but the handle slot at ebp-0x3c is never initialised
# before the create call, so on failure this closes whatever was left on the stack. Guard the close
# with NT_SUCCESS(Status) or preset the handle to NULL.
  40158f: 83 ec 0c sub $0xc,%esp
  401592: ff 75 c4 pushl 0xffffffc4(%ebp)
  401595: e8 36 24 00 00 call 4039d0 _NtClose@4
  40159a: 83 c4 0c add $0xc,%esp
# Returns the create status, so one failing link stops the enumeration of the remaining values.
  40159d: 8b 85 14 ff ff ff mov 0xffffff14(%ebp),%eax
  4015a3: 89 85 10 ff ff ff mov %eax,0xffffff10(%ebp)
  4015a9: 8b 85 10 ff ff ff mov 0xffffff10(%ebp),%eax
  4015af: c9 leave
  4015b0: c2 18 00 ret $0x18
004015b3 <_SmInitDosDevices>:
/* EOF */
# Frame 0x58: QueryTable[2] at ebp-0x48 (0x38 bytes, zeroed), Status at ebp-0x4c.
# Only QueryRoutine is set (Name stays NULL), so SmpDosDevicesQueryRoutine runs for every value
# under the key @0x405440; the RtlQueryRegistryValues status is returned.
  4015b3: 55 push %ebp
  4015b4: 89 e5 mov %esp,%ebp
  4015b6: 83 ec 58 sub $0x58,%esp
  4015b9: 83 ec 08 sub $0x8,%esp
  4015bc: 6a 38 push $0x38
  4015be: 8d 45 b8 lea 0xffffffb8(%ebp),%eax
  4015c1: 50 push %eax
  4015c2: e8 59 24 00 00 call 403a20 _RtlZeroMemory@8
  4015c7: 83 c4 08 add $0x8,%esp
  4015ca: c7 45 b8 b0 14 40 00 movl $0x4014b0,0xffffffb8(%ebp)
  4015d1: 83 ec 0c sub $0xc,%esp
  4015d4: 6a 00 push $0x0
  4015d6: 6a 00 push $0x0
  4015d8: 8d 45 b8 lea 0xffffffb8(%ebp),%eax
  4015db: 50 push %eax
  4015dc: 68 40 54 40 00 push $0x405440
  4015e1: 6a 02 push $0x2
  4015e3: e8 48 24 00 00 call 403a30 _RtlQueryRegistryValues@20
  4015e8: 83 c4 0c add $0xc,%esp
  4015eb: 89 45 b4 mov %eax,0xffffffb4(%ebp)
  4015ee: 8b 45 b4 mov 0xffffffb4(%ebp),%eax
  4015f1: c9 leave
  4015f2: c3 ret
  4015f3: 90 nop
  4015f4: 90 nop
  4015f5: 90 nop
  4015f6: 90 nop
  4015f7: 90 nop
  4015f8: 90 nop
  4015f9: 90 nop
  4015fa: 90 nop
  4015fb: 90 nop
  4015fc: 90 nop
  4015fd: 90 nop
  4015fe: 90 nop
  4015ff: 90 nop
00401600 _SmpRunBootAppsQueryRoutine@24:
# Registry callback: splits a REG_SZ value "<first> <second> [rest]" on spaces and launches
# a process built from the second word. Frame 0x868: four 0x210-byte (264 WCHAR) buffers at
# ebp-0x218 (first word), ebp-0x428 (second word), ebp-0x638 (command line), ebp-0x848 (rest);
# p at ebp-0x84c, q at ebp-0x850, Len at ebp-0x854, Status at ebp-0x858, return value at ebp-0x85c.
  401600: 55 push %ebp
  401601: 89 e5 mov %esp,%ebp
  401603: 81 ec 68 08 00 00 sub $0x868,%esp
  401609: 83 7d 0c 01 cmpl $0x1,0xc(%ebp)
  40160d: 74 0f je 40161e <_SmpRunBootAppsQueryRoutine@24+0x1e>
  40160f: c7 85 a4 f7 ff ff 00 movl $0x0,0xfffff7a4(%ebp)
  401616: 00 00 00
  401619: e9 8f 01 00 00 jmp 4017ad <_SmpRunBootAppsQueryRoutine@24+0x1ad>
# p = wcschr(ValueData, L' ')
  40161e: 83 ec 08 sub $0x8,%esp
  401621: 6a 20 push $0x20
  401623: ff 75 10 pushl 0x10(%ebp)
  401626: e8 85 24 00 00 call 403ab0 <_wcschr>
  40162b: 83 c4 10 add $0x10,%esp
  40162e: 89 85 b4 f7 ff ff mov %eax,0xfffff7b4(%ebp)
# NOTE(review): p is never checked for NULL. For a value with no space, Len = (NULL - ValueData)/2
# is a large negative count and the memcpy below receives Len*2 as its size - a crash for any
# single-word value. Test p before computing Len (fall back to wcslen as the second word does).
  401634: 8b 55 10 mov 0x10(%ebp),%edx
  401637: 8b 85 b4 f7 ff ff mov 0xfffff7b4(%ebp),%eax
  40163d: 29 d0 sub %edx,%eax
  40163f: d1 f8 sar %eax
  401641: 89 85 ac f7 ff ff mov %eax,0xfffff7ac(%ebp)
# NOTE(review): none of the memcpy/wcscpy/wcscat copies in this routine is bounded by the 0x210-byte
# buffers, and ValueData is registry-supplied (value @0x4054b6 under key @0x4054e0 in
# SmRunBootApplications). Clamp Len to the buffer's element count, or build with _snwprintf.
# First word -> ebp-0x218, terminated; this buffer is not referenced again in the routine.
  401647: 83 ec 04 sub $0x4,%esp
  40164a: 8b 85 ac f7 ff ff mov 0xfffff7ac(%ebp),%eax
  401650: 01 c0 add %eax,%eax
  401652: 50 push %eax
  401653: ff 75 10 pushl 0x10(%ebp)
  401656: 8d 85 e8 fd ff ff lea 0xfffffde8(%ebp),%eax
  40165c: 50 push %eax
  40165d: e8 3e 24 00 00 call 403aa0 <_memcpy>
  401662: 83 c4 10 add $0x10,%esp
  401665: 8b 85 ac f7 ff ff mov 0xfffff7ac(%ebp),%eax
  40166b: 66 c7 84 45 e8 fd ff movw $0x0,0xfffffde8(%ebp,%eax,2)
  401672: ff 00 00
# p++ (skip the space); q = wcschr(p, L' '); Len = q ? (q - p)/2 : wcslen(p)
  401675: 8d 85 b4 f7 ff ff lea 0xfffff7b4(%ebp),%eax
  40167b: 83 00 02 addl $0x2,(%eax)
  40167e: 83 ec 08 sub $0x8,%esp
  401681: 6a 20 push $0x20
  401683: ff b5 b4 f7 ff ff pushl 0xfffff7b4(%ebp)
  401689: e8 22 24 00 00 call 403ab0 <_wcschr>
  40168e: 83 c4 10 add $0x10,%esp
  401691: 89 85 b0 f7 ff ff mov %eax,0xfffff7b0(%ebp)
  401697: 83 bd b0 f7 ff ff 00 cmpl $0x0,0xfffff7b0(%ebp)
  40169e: 74 18 je 4016b8 <_SmpRunBootAppsQueryRoutine@24+0xb8>
  4016a0: 8b 95 b4 f7 ff ff mov 0xfffff7b4(%ebp),%edx
  4016a6: 8b 85 b0 f7 ff ff mov 0xfffff7b0(%ebp),%eax
  4016ac: 29 d0 sub %edx,%eax
  4016ae: d1 f8 sar %eax
  4016b0: 89 85 ac f7 ff ff mov %eax,0xfffff7ac(%ebp)
  4016b6: eb 17 jmp 4016cf <_SmpRunBootAppsQueryRoutine@24+0xcf>
  4016b8: 83 ec 0c sub $0xc,%esp
  4016bb: ff b5 b4 f7 ff ff pushl 0xfffff7b4(%ebp)
  4016c1: e8 ca 23 00 00 call 403a90 <_wcslen>
  4016c6: 83 c4 10 add $0x10,%esp
  4016c9: 89 85 ac f7 ff ff mov %eax,0xfffff7ac(%ebp)
# Second word -> ebp-0x428, terminated.
  4016cf: 83 ec 04 sub $0x4,%esp
  4016d2: 8b 85 ac f7 ff ff mov 0xfffff7ac(%ebp),%eax
  4016d8: 01 c0 add %eax,%eax
  4016da: 50 push %eax
  4016db: ff b5 b4 f7 ff ff pushl 0xfffff7b4(%ebp)
  4016e1: 8d 85 d8 fb ff ff lea 0xfffffbd8(%ebp),%eax
  4016e7: 50 push %eax
  4016e8: e8 b3 23 00 00 call 403aa0 <_memcpy>
  4016ed: 83 c4 10 add $0x10,%esp
  4016f0: 8b 85 ac f7 ff ff mov 0xfffff7ac(%ebp),%eax
  4016f6: 66 c7 84 45 d8 fb ff movw $0x0,0xfffffbd8(%ebp,%eax,2)
  4016fd: ff 00 00
# Rest (ebp-0x848) = "" when there is no third word, else wcscpy(Rest, q + 1).
  401700: 83 bd b0 f7 ff ff 00 cmpl $0x0,0xfffff7b0(%ebp)
  401707: 75 0b jne 401714 <_SmpRunBootAppsQueryRoutine@24+0x114>
  401709: 66 c7 85 b8 f7 ff ff movw $0x0,0xfffff7b8(%ebp)
  401710: 00 00
  401712: eb 21 jmp 401735 <_SmpRunBootAppsQueryRoutine@24+0x135>
  401714: 8d 85 b0 f7 ff ff lea 0xfffff7b0(%ebp),%eax
  40171a: 83 00 02 addl $0x2,(%eax)
  40171d: 83 ec 08 sub $0x8,%esp
  401720: ff b5 b0 f7 ff ff pushl 0xfffff7b0(%ebp)
  401726: 8d 85 b8 f7 ff ff lea 0xfffff7b8(%ebp),%eax
  40172c: 50 push %eax
  40172d: e8 0e 23 00 00 call 403a40 <_wcscpy>
  401732: 83 c4 10 add $0x10,%esp
# CommandLine (ebp-0x638) = @0x405480 + second word + @0x4054ac; both strings are outside this listing.
  401735: 83 ec 08 sub $0x8,%esp
  401738: 68 80 54 40 00 push $0x405480
  40173d: 8d 85 c8 f9 ff ff lea 0xfffff9c8(%ebp),%eax
  401743: 50 push %eax
  401744: e8 f7 22 00 00 call 403a40 <_wcscpy>
  401749: 83 c4 10 add $0x10,%esp
  40174c: 83 ec 08 sub $0x8,%esp
  40174f: 8d 85 d8 fb ff ff lea 0xfffffbd8(%ebp),%eax
  401755: 50 push %eax
  401756: 8d 85 c8 f9 ff ff lea 0xfffff9c8(%ebp),%eax
  40175c: 50 push %eax
  40175d: e8 1e 23 00 00 call 403a80 <_wcscat>
  401762: 83 c4 10 add $0x10,%esp
  401765: 83 ec 08 sub $0x8,%esp
  401768: 68 ac 54 40 00 push $0x4054ac
  40176d: 8d 85 c8 f9 ff ff lea 0xfffff9c8(%ebp),%eax
  401773: 50 push %eax
  401774: e8 07 23 00 00 call 403a80 <_wcscat>
  401779: 83 c4 10 add $0x10,%esp
# SmCreateUserProcess(&CommandLine, &Rest, 1, 0, 1, 0) - six stdcall args.
# NOTE(review): its status is stored at ebp-0x858 but never read; the routine returns 0
# unconditionally, so a failed launch does not stop the enumeration. Confirm that is intended.
  40177c: 83 ec 08 sub $0x8,%esp
  40177f: 6a 00 push $0x0
  401781: 6a 01 push $0x1
  401783: 6a 00 push $0x0
  401785: 6a 01 push $0x1
  401787: 8d 85 b8 f7 ff ff lea 0xfffff7b8(%ebp),%eax
  40178d: 50 push %eax
  40178e: 8d 85 c8 f9 ff ff lea 0xfffff9c8(%ebp),%eax
  401794: 50 push %eax
  401795: e8 26 11 00 00 call 4028c0 _SmCreateUserProcess@24
  40179a: 83 c4 08 add $0x8,%esp
  40179d: 89 85 a8 f7 ff ff mov %eax,0xfffff7a8(%ebp)
  4017a3: c7 85 a4 f7 ff ff 00 movl $0x0,0xfffff7a4(%ebp)
  4017aa: 00 00 00
  4017ad: 8b 85 a4 f7 ff ff mov 0xfffff7a4(%ebp),%eax
  4017b3: c9 leave
  4017b4: c2 18 00 ret $0x18
004017b7 <_SmRunBootApplications>:
# Frame 0x58: QueryTable[2] at ebp-0x48 (zeroed), Status at ebp-0x4c.
# QueryTable[0].Name = @0x4054b6, QueryRoutine = SmpRunBootAppsQueryRoutine; the value name and
# the key path @0x4054e0 are not in this listing.
  4017b7: 55 push %ebp
  4017b8: 89 e5 mov %esp,%ebp
  4017ba: 83 ec 58 sub $0x58,%esp
  4017bd: 83 ec 08 sub $0x8,%esp
  4017c0: 6a 38 push $0x38
  4017c2: 8d 45 b8 lea 0xffffffb8(%ebp),%eax
  4017c5: 50 push %eax
  4017c6: e8 55 22 00 00 call 403a20 _RtlZeroMemory@8
  4017cb: 83 c4 08 add $0x8,%esp
  4017ce: c7 45 c0 b6 54 40 00 movl $0x4054b6,0xffffffc0(%ebp)
  4017d5: c7 45 b8 00 16 40 00 movl $0x401600,0xffffffb8(%ebp)
# RtlQueryRegistryValues(RTL_REGISTRY_CONTROL = 2, path @0x4054e0, QueryTable, NULL, NULL).
  4017dc: 83 ec 0c sub $0xc,%esp
  4017df: 6a 00 push $0x0
  4017e1: 6a 00 push $0x0
  4017e3: 8d 45 b8 lea 0xffffffb8(%ebp),%eax
  4017e6: 50 push %eax
  4017e7: 68 e0 54 40 00 push $0x4054e0
  4017ec: 6a 02 push $0x2
  4017ee: e8 3d 22 00 00 call 403a30 _RtlQueryRegistryValues@20
  4017f3: 83 c4 0c add $0xc,%esp
  4017f6: 89 45 b4 mov %eax,0xffffffb4(%ebp)
NULL, NULL); if (!NT_SUCCESS(Status))
  4017f9: 83 7d b4 00 cmpl $0x0,0xffffffb4(%ebp)
  4017fd: 79 32 jns 401831 <_SmRunBootApplications+0x7a>
{ DPRINT1("%s: RtlQueryRegistryValues() failed! (Status %lx)\n",
# DPRINT1 expands to a file/line prefix print (line 0x8e) followed by the message print.
  4017ff: 83 ec 04 sub $0x4,%esp
  401802: 68 8e 00 00 00 push $0x8e
  401807: 68 02 55 40 00 push $0x405502
  40180c: 68 0c 55 40 00 push $0x40550c
  401811: e8 ca 21 00 00 call 4039e0 <_DbgPrint>
  401816: 83 c4 10 add $0x10,%esp
  401819: 83 ec 04 sub $0x4,%esp
  40181c: ff 75 b4 pushl 0xffffffb4(%ebp)
  40181f: 68 15 55 40 00 push $0x405515
  401824: 68 40 55 40 00 push $0x405540
  401829: e8 b2 21 00 00 call 4039e0 <_DbgPrint>
  40182e: 83 c4 10 add $0x10,%esp
__FUNCTION__, Status); }
return(Status);
  401831: 8b 45 b4 mov 0xffffffb4(%ebp),%eax
}
  401834: c9 leave
  401835: c3 ret
  401836: 90 nop
  401837: 90 nop
  401838: 90 nop
  401839: 90 nop
  40183a: 90 nop
  40183b: 90 nop
  40183c: 90 nop
  40183d: 90 nop
  40183e: 90 nop
  40183f: 90 nop
00401840 <_SmProcessFileRenameList>:
# Stub: returns STATUS_SUCCESS (0) without doing anything.
  401840: 55 push %ebp
  401841: 89 e5 mov %esp,%ebp
  401843: b8 00 00 00 00 mov $0x0,%eax
  401848: 5d pop %ebp
  401849: c3 ret
  40184a: 90 nop
  40184b: 90 nop
  40184c: 90 nop
  40184d: 90 nop
  40184e: 90 nop
  40184f: 90 nop
00401850 _SmpKnownDllsQueryRoutine@24:
# Registry callback that publishes one KnownDlls image section per value.
# Frame 0x48: return value at ebp-0x48, Status at ebp-0x44, SectionHandle at ebp-0x40,
# FileHandle at ebp-0x3c, ImageName UNICODE_STRING at ebp-0x38, IO_STATUS_BLOCK at ebp-0x30,
# OBJECT_ATTRIBUTES at ebp-0x28. Neither handle slot is initialised in the prologue.
  401850: 55 push %ebp
  401851: 89 e5 mov %esp,%ebp
  401853: 83 ec 48 sub $0x48,%esp
# The value whose name equals the string @0x405580 (not shown here) is skipped with STATUS_SUCCESS.
  401856: 83 ec 08 sub $0x8,%esp
  401859: 68 80 55 40 00 push $0x405580
  40185e: ff 75 08 pushl 0x8(%ebp)
  401861: e8 ba 22 00 00 call 403b20 <__wcsicmp>
  401866: 83 c4 10 add $0x10,%esp
  401869: 85 c0 test %eax,%eax
  40186b: 75 0c jne 401879 <_SmpKnownDllsQueryRoutine@24+0x29>
  40186d: c7 45 b8 00 00 00 00 movl $0x0,0xffffffb8(%ebp)
  401874: e9 97 01 00 00 jmp 401a10 <_SmpKnownDllsQueryRoutine@24+0x1c0>
  401879: 83 ec 08 sub $0x8,%esp
  40187c: ff 75 10 pushl 0x10(%ebp)
  40187f: 8d 45 c8 lea 0xffffffc8(%ebp),%eax
  401882: 50 push %eax
  401883: e8 08 21 00 00 call 403990 _RtlInitUnicodeString@8
  401888: 83 c4 08 add $0x8,%esp
# OBJECT_ATTRIBUTES: ObjectName = &ImageName (ValueData), Attributes = 0x40 (OBJ_CASE_INSENSITIVE),
# RootDirectory = Context (0x18(%ebp)) - presumably the DLL directory handle; confirm against the caller.
  40188b: c7 45 d8 18 00 00 00 movl $0x18,0xffffffd8(%ebp)
  401892: 8d 45 c8 lea 0xffffffc8(%ebp),%eax
  401895: 89 45 e0 mov %eax,0xffffffe0(%ebp)
  401898: c7 45 e4 40 00 00 00 movl $0x40,0xffffffe4(%ebp)
  40189f: 8b 45 18 mov 0x18(%ebp),%eax
  4018a2: 89 45 dc mov %eax,0xffffffdc(%ebp)
  4018a5: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp)
  4018ac: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp)
# NtOpenFile(&FileHandle, 0x100021 = SYNCHRONIZE|FILE_EXECUTE|FILE_READ_DATA, &ObjectAttributes,
#            &IoStatusBlock, FILE_SHARE_READ, 0x60 = FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE).
  4018b3: 83 ec 08 sub $0x8,%esp
  4018b6: 6a 60 push $0x60
  4018b8: 6a 01 push $0x1
  4018ba: 8d 45 d0 lea 0xffffffd0(%ebp),%eax
  4018bd: 50 push %eax
  4018be: 8d 45 d8 lea 0xffffffd8(%ebp),%eax
  4018c1: 50 push %eax
  4018c2: 68 21 00 10 00 push $0x100021
  4018c7: 8d 45 c4 lea 0xffffffc4(%ebp),%eax
  4018ca: 50 push %eax
  4018cb: e8 f0 21 00 00 call 403ac0 _NtOpenFile@24
  4018d0: 83 c4 08 add $0x8,%esp
  4018d3: 89 45 bc mov %eax,0xffffffbc(%ebp)
  4018d6: 83 7d bc 00 cmpl $0x0,0xffffffbc(%ebp)
  4018da: 79 36 jns 401912 <_SmpKnownDllsQueryRoutine@24+0xc2>
# Open failed: DPRINT1 prefix (line 0x46) + DbgPrint(@0x4055c0, Status); a missing DLL is skipped,
# not treated as fatal (returns 0).
  4018dc: 83 ec 04 sub $0x4,%esp
  4018df: 6a 46 push $0x46
  4018e1: 68 9a 55 40 00 push $0x40559a
  4018e6: 68 a6 55 40 00 push $0x4055a6
  4018eb: e8 f0 20 00 00 call 4039e0 <_DbgPrint>
  4018f0: 83 c4 10 add $0x10,%esp
  4018f3: 83 ec 08 sub $0x8,%esp
  4018f6: ff 75 bc pushl 0xffffffbc(%ebp)
  4018f9: 68 c0 55 40 00 push $0x4055c0
  4018fe: e8 dd 20 00 00 call 4039e0 <_DbgPrint>
  401903: 83 c4 10 add $0x10,%esp
  401906: c7 45 b8 00 00 00 00 movl $0x0,0xffffffb8(%ebp)
  40190d: e9 fe 00 00 00 jmp 401a10 <_SmpKnownDllsQueryRoutine@24+0x1c0>
# Status = LdrVerifyImageMatchesChecksum(FileHandle, NULL, NULL, NULL)
  401912: 6a 00 push $0x0
  401914: 6a 00 push $0x0
  401916: 6a 00 push $0x0
  401918: ff 75 c4 pushl 0xffffffc4(%ebp)
  40191b: e8 b0 21 00 00 call 403ad0 _LdrVerifyImageMatchesChecksum@16
  401920: 89 45 bc mov %eax,0xffffffbc(%ebp)
# NOTE(review): on STATUS_IMAGE_CHECKSUM_MISMATCH (0xc0000221) NtRaiseHardError(Status, 0, 0, 0, 0,
# Response = NULL) is called and the code then jumps to 401998 and still creates the SEC_IMAGE
# section for the mismatching file, so the image is published under KnownDlls regardless. With a
# NULL Response the user's choice cannot be observed either. If the hard error is meant to stop
# this entry, close FileHandle and return after raising it instead of falling through.
  401923: 81 7d bc 21 02 00 c0 cmpl $0xc0000221,0xffffffbc(%ebp)
  40192a: 75 1a jne 401946 <_SmpKnownDllsQueryRoutine@24+0xf6>
  40192c: 83 ec 08 sub $0x8,%esp
  40192f: 6a 00 push $0x0
  401931: 6a 00 push $0x0
  401933: 6a 00 push $0x0
  401935: 6a 00 push $0x0
  401937: 6a 00 push $0x0
  401939: ff 75 bc pushl 0xffffffbc(%ebp)
  40193c: e8 9f 21 00 00 call 403ae0 _NtRaiseHardError@24
  401941: 83 c4 08 add $0x8,%esp
  401944: eb 52 jmp 401998 <_SmpKnownDllsQueryRoutine@24+0x148>
  401946: 83 7d bc 00 cmpl $0x0,0xffffffbc(%ebp)
  40194a: 79 4c jns 401998 <_SmpKnownDllsQueryRoutine@24+0x148>
{ DPRINT1("Failed to check the image checksum\n");
  40194c: 83 ec 04 sub $0x4,%esp
  40194f: 6a 5d push $0x5d
  401951: 68 9a 55 40 00 push $0x40559a
  401956: 68 a6 55 40 00 push $0x4055a6
  40195b: e8 80 20 00 00 call 4039e0 <_DbgPrint>
  401960: 83 c4 10 add $0x10,%esp
  401963: 83 ec 0c sub $0xc,%esp
  401966: 68 00 56 40 00 push $0x405600
  40196b: e8 70 20 00 00 call 4039e0 <_DbgPrint>
  401970: 83 c4 10 add $0x10,%esp
NtClose(SectionHandle);
# NOTE(review): SectionHandle (ebp-0x40) has not been written yet on this path - NtCreateSection
# runs only at 4019dc - so this NtClose operates on an uninitialised stack slot. Drop this close
# (only FileHandle is open here) or preset SectionHandle to NULL in the prologue.
  401973: 83 ec 0c sub $0xc,%esp
  401976: ff 75 c0 pushl 0xffffffc0(%ebp)
  401979: e8 52 20 00 00 call 4039d0 _NtClose@4
  40197e: 83 c4 0c add $0xc,%esp
NtClose(FileHandle);
  401981: 83 ec 0c sub $0xc,%esp
  401984: ff 75 c4 pushl 0xffffffc4(%ebp)
  401987: e8 44 20 00 00 call 4039d0 _NtClose@4
  40198c: 83 c4 0c add $0xc,%esp
return STATUS_SUCCESS;
  40198f: c7 45 b8 00 00 00 00 movl $0x0,0xffffffb8(%ebp)
  401996: eb 78 jmp 401a10 <_SmpKnownDllsQueryRoutine@24+0x1c0>
}
InitializeObjectAttributes(&ObjectAttributes,
# Attributes = 0x50 (OBJ_PERMANENT|OBJ_CASE_INSENSITIVE), RootDirectory = EntryContext (0x1c(%ebp)).
  401998: c7 45 d8 18 00 00 00 movl $0x18,0xffffffd8(%ebp)
  40199f: 8d 45 c8 lea 0xffffffc8(%ebp),%eax
  4019a2: 89 45 e0 mov %eax,0xffffffe0(%ebp)
  4019a5: c7 45 e4 50 00 00 00 movl $0x50,0xffffffe4(%ebp)
  4019ac: 8b 45 1c mov 0x1c(%ebp),%eax
  4019af: 89 45 dc mov %eax,0xffffffdc(%ebp)
  4019b2: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp)
  4019b9: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp)
&ImageName, OBJ_CASE_INSENSITIVE | OBJ_PERMANENT, (HANDLE)EntryContext, NULL); Status = NtCreateSection(&SectionHandle,
# NtCreateSection(&SectionHandle, SECTION_ALL_ACCESS = 0xf001f, &ObjectAttributes, NULL,
#                 PAGE_EXECUTE = 0x10, SEC_IMAGE = 0x1000000, FileHandle).
  4019c0: 83 ec 04 sub $0x4,%esp
  4019c3: ff 75 c4 pushl 0xffffffc4(%ebp)
  4019c6: 68 00 00 00 01 push $0x1000000
  4019cb: 6a 10 push $0x10
  4019cd: 6a 00 push $0x0
  4019cf: 8d 45 d8 lea 0xffffffd8(%ebp),%eax
  4019d2: 50 push %eax
  4019d3: 68 1f 00 0f 00 push $0xf001f
  4019d8: 8d 45 c0 lea 0xffffffc0(%ebp),%eax
  4019db: 50 push %eax
  4019dc: e8 0f 21 00 00 call 403af0 _NtCreateSection@28
  4019e1: 83 c4 04 add $0x4,%esp
  4019e4: 89 45 bc mov %eax,0xffffffbc(%ebp)
SECTION_ALL_ACCESS, &ObjectAttributes, NULL, PAGE_EXECUTE, SEC_IMAGE, FileHandle); if (NT_SUCCESS(Status))
# On success the section handle is closed; the object outlives it because it is OBJ_PERMANENT.
  4019e7: 83 7d bc 00 cmpl $0x0,0xffffffbc(%ebp)
  4019eb: 78 0e js 4019fb <_SmpKnownDllsQueryRoutine@24+0x1ab>
{ DPRINT("Created section successfully\n"); NtClose(SectionHandle);
  4019ed: 83 ec 0c sub $0xc,%esp
  4019f0: ff 75 c0 pushl 0xffffffc0(%ebp)
  4019f3: e8 d8 1f 00 00 call 4039d0 _NtClose@4
  4019f8: 83 c4 0c add $0xc,%esp
}
NtClose(FileHandle);
  4019fb: 83 ec 0c sub $0xc,%esp
  4019fe: ff 75 c4 pushl 0xffffffc4(%ebp)
  401a01: e8 ca 1f 00 00 call 4039d0 _NtClose@4
  401a06: 83 c4 0c add $0xc,%esp
return STATUS_SUCCESS;
# A failed NtCreateSection is not reported: the routine returns 0 on every path that reaches here.
  401a09: c7 45 b8 00 00 00 00 movl $0x0,0xffffffb8(%ebp)
}
  401a10: 8b 45 b8 mov 0xffffffb8(%ebp),%eax
  401a13: c9 leave
  401a14: c2 18 00 ret $0x18
00401a17 <_SmLoadKnownDlls>:
NTSTATUS SmLoadKnownDlls(VOID) { 401a17: 55 push %ebp 401a18: 89 e5 mov %esp,%ebp 401a1a: 81 ec a8 00 00 00 sub $0xa8,%esp RTL_QUERY_REGISTRY_TABLE QueryTable[2]; OBJECT_ATTRIBUTES ObjectAttributes; IO_STATUS_BLOCK IoStatusBlock; UNICODE_STRING DllDosPath; UNICODE_STRING DllNtPath; UNICODE_STRING Name; HANDLE ObjectDirHandle; HANDLE FileDirHandle; HANDLE SymlinkHandle; NTSTATUS Status;
DPRINT("SM: loading well-known DLLs\n");
DPRINT("SmLoadKnownDlls() called\n");
/* Create 'KnownDlls' object directory */ RtlInitUnicodeString(&Name, 401a20: 83 ec 08 sub $0x8,%esp 401a23: 68 24 56 40 00 push $0x405624 401a28: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 401a2e: 50 push %eax 401a2f: e8 5c 1f 00 00 call 403990 _RtlInitUnicodeString@8 401a34: 83 c4 08 add $0x8,%esp L"\KnownDlls"); InitializeObjectAttributes(&ObjectAttributes, 401a37: c7 45 98 18 00 00 00 movl $0x18,0xffffff98(%ebp) 401a3e: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 401a44: 89 45 a0 mov %eax,0xffffffa0(%ebp) 401a47: c7 45 a4 d0 00 00 00 movl $0xd0,0xffffffa4(%ebp) 401a4e: c7 45 9c 00 00 00 00 movl $0x0,0xffffff9c(%ebp) 401a55: c7 45 a8 00 00 00 00 movl $0x0,0xffffffa8(%ebp) 401a5c: c7 45 ac 00 00 00 00 movl $0x0,0xffffffac(%ebp) &Name, OBJ_PERMANENT | OBJ_CASE_INSENSITIVE | OBJ_OPENIF, NULL, NULL); Status = NtCreateDirectoryObject(&ObjectDirHandle, 401a63: 83 ec 04 sub $0x4,%esp 401a66: 8d 45 98 lea 0xffffff98(%ebp),%eax 401a69: 50 push %eax 401a6a: 68 0f 00 0f 00 push $0xf000f 401a6f: 8d 85 74 ff ff ff lea 0xffffff74(%ebp),%eax 401a75: 50 push %eax 401a76: e8 85 20 00 00 call 403b00 _NtCreateDirectoryObject@12 401a7b: 83 c4 04 add $0x4,%esp 401a7e: 89 85 68 ff ff ff mov %eax,0xffffff68(%ebp) DIRECTORY_ALL_ACCESS, &ObjectAttributes); if (!NT_SUCCESS(Status)) 401a84: 83 bd 68 ff ff ff 00 cmpl $0x0,0xffffff68(%ebp) 401a8b: 79 41 jns 401ace <_SmLoadKnownDlls+0xb7> { DPRINT1("NtCreateDirectoryObject() failed (Status %lx)\n", Status); 401a8d: 83 ec 04 sub $0x4,%esp 401a90: 68 9d 00 00 00 push $0x9d 401a95: 68 9a 55 40 00 push $0x40559a 401a9a: 68 a6 55 40 00 push $0x4055a6 401a9f: e8 3c 1f 00 00 call 4039e0 <_DbgPrint> 401aa4: 83 c4 10 add $0x10,%esp 401aa7: 83 ec 08 sub $0x8,%esp 401aaa: ff b5 68 ff ff ff pushl 0xffffff68(%ebp) 401ab0: 68 40 56 40 00 push $0x405640 401ab5: e8 26 1f 00 00 call 4039e0 <_DbgPrint> 401aba: 83 c4 10 add $0x10,%esp return Status; 401abd: 8b 85 68 ff ff ff mov 0xffffff68(%ebp),%eax 401ac3: 89 85 64 ff ff ff mov %eax,0xffffff64(%ebp) 401ac9: 
e9 da 02 00 00 jmp 401da8 <_SmLoadKnownDlls+0x391> }
RtlInitUnicodeString(&DllDosPath, NULL); 401ace: 83 ec 08 sub $0x8,%esp 401ad1: 6a 00 push $0x0 401ad3: 8d 45 88 lea 0xffffff88(%ebp),%eax 401ad6: 50 push %eax 401ad7: e8 b4 1e 00 00 call 403990 _RtlInitUnicodeString@8 401adc: 83 c4 08 add $0x8,%esp
RtlZeroMemory(&QueryTable, 401adf: 83 ec 08 sub $0x8,%esp 401ae2: 6a 38 push $0x38 401ae4: 8d 45 b8 lea 0xffffffb8(%ebp),%eax 401ae7: 50 push %eax 401ae8: e8 33 1f 00 00 call 403a20 _RtlZeroMemory@8 401aed: 83 c4 08 add $0x8,%esp sizeof(QueryTable));
QueryTable[0].Name = L"DllDirectory"; 401af0: c7 45 c0 80 55 40 00 movl $0x405580,0xffffffc0(%ebp) QueryTable[0].Flags = RTL_QUERY_REGISTRY_DIRECT; 401af7: c7 45 bc 20 00 00 00 movl $0x20,0xffffffbc(%ebp) QueryTable[0].EntryContext = &DllDosPath; 401afe: 8d 45 88 lea 0xffffff88(%ebp),%eax 401b01: 89 45 c4 mov %eax,0xffffffc4(%ebp)
Status = RtlQueryRegistryValues(RTL_REGISTRY_CONTROL, 401b04: 83 ec 0c sub $0xc,%esp 401b07: ff 35 20 60 40 00 pushl 0x406020 401b0d: 6a 00 push $0x0 401b0f: 8d 45 b8 lea 0xffffffb8(%ebp),%eax 401b12: 50 push %eax 401b13: 68 80 56 40 00 push $0x405680 401b18: 6a 02 push $0x2 401b1a: e8 11 1f 00 00 call 403a30 _RtlQueryRegistryValues@20 401b1f: 83 c4 0c add $0xc,%esp 401b22: 89 85 68 ff ff ff mov %eax,0xffffff68(%ebp) L"\Session Manager\KnownDlls", QueryTable, NULL, SmSystemEnvironment); if (!NT_SUCCESS(Status)) 401b28: 83 bd 68 ff ff ff 00 cmpl $0x0,0xffffff68(%ebp) 401b2f: 79 41 jns 401b72 <_SmLoadKnownDlls+0x15b> { DPRINT1("RtlQueryRegistryValues() failed (Status %lx)\n", Status); 401b31: 83 ec 04 sub $0x4,%esp 401b34: 68 b1 00 00 00 push $0xb1 401b39: 68 9a 55 40 00 push $0x40559a 401b3e: 68 a6 55 40 00 push $0x4055a6 401b43: e8 98 1e 00 00 call 4039e0 <_DbgPrint> 401b48: 83 c4 10 add $0x10,%esp 401b4b: 83 ec 08 sub $0x8,%esp 401b4e: ff b5 68 ff ff ff pushl 0xffffff68(%ebp) 401b54: 68 c0 56 40 00 push $0x4056c0 401b59: e8 82 1e 00 00 call 4039e0 <_DbgPrint> 401b5e: 83 c4 10 add $0x10,%esp return Status; 401b61: 8b 85 68 ff ff ff mov 0xffffff68(%ebp),%eax 401b67: 89 85 64 ff ff ff mov %eax,0xffffff64(%ebp) 401b6d: e9 36 02 00 00 jmp 401da8 <_SmLoadKnownDlls+0x391> }
DPRINT("DllDosPath: '%wZ'\n", &DllDosPath);
if (!RtlDosPathNameToNtPathName_U(DllDosPath.Buffer, 401b72: 6a 00 push $0x0 401b74: 6a 00 push $0x0 401b76: 8d 45 80 lea 0xffffff80(%ebp),%eax 401b79: 50 push %eax 401b7a: ff 75 8c pushl 0xffffff8c(%ebp) 401b7d: e8 8e 1f 00 00 call 403b10 _RtlDosPathNameToNtPathName_U@16 401b82: 84 c0 test %al,%al 401b84: 75 39 jne 401bbf <_SmLoadKnownDlls+0x1a8> &DllNtPath, NULL, NULL)) { DPRINT1("RtlDosPathNameToNtPathName_U() failed\n"); 401b86: 83 ec 04 sub $0x4,%esp 401b89: 68 bc 00 00 00 push $0xbc 401b8e: 68 9a 55 40 00 push $0x40559a 401b93: 68 a6 55 40 00 push $0x4055a6 401b98: e8 43 1e 00 00 call 4039e0 <_DbgPrint> 401b9d: 83 c4 10 add $0x10,%esp 401ba0: 83 ec 0c sub $0xc,%esp 401ba3: 68 00 57 40 00 push $0x405700 401ba8: e8 33 1e 00 00 call 4039e0 <_DbgPrint> 401bad: 83 c4 10 add $0x10,%esp return STATUS_OBJECT_NAME_INVALID; 401bb0: c7 85 64 ff ff ff 33 movl $0xc0000033,0xffffff64(%ebp) 401bb7: 00 00 c0 401bba: e9 e9 01 00 00 jmp 401da8 <_SmLoadKnownDlls+0x391> }
DPRINT("DllNtPath: '%wZ'\n", &DllNtPath);
/* Open the dll path directory */ InitializeObjectAttributes(&ObjectAttributes, 401bbf: c7 45 98 18 00 00 00 movl $0x18,0xffffff98(%ebp) 401bc6: 8d 45 80 lea 0xffffff80(%ebp),%eax 401bc9: 89 45 a0 mov %eax,0xffffffa0(%ebp) 401bcc: c7 45 a4 40 00 00 00 movl $0x40,0xffffffa4(%ebp) 401bd3: c7 45 9c 00 00 00 00 movl $0x0,0xffffff9c(%ebp) 401bda: c7 45 a8 00 00 00 00 movl $0x0,0xffffffa8(%ebp) 401be1: c7 45 ac 00 00 00 00 movl $0x0,0xffffffac(%ebp) &DllNtPath, OBJ_CASE_INSENSITIVE, NULL, NULL); Status = NtOpenFile(&FileDirHandle, 401be8: 83 ec 08 sub $0x8,%esp 401beb: 6a 21 push $0x21 401bed: 6a 03 push $0x3 401bef: 8d 45 90 lea 0xffffff90(%ebp),%eax 401bf2: 50 push %eax 401bf3: 8d 45 98 lea 0xffffff98(%ebp),%eax 401bf6: 50 push %eax 401bf7: 68 01 00 10 00 push $0x100001 401bfc: 8d 85 70 ff ff ff lea 0xffffff70(%ebp),%eax 401c02: 50 push %eax 401c03: e8 b8 1e 00 00 call 403ac0 _NtOpenFile@24 401c08: 83 c4 08 add $0x8,%esp 401c0b: 89 85 68 ff ff ff mov %eax,0xffffff68(%ebp) SYNCHRONIZE | FILE_READ_DATA, &ObjectAttributes, &IoStatusBlock, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE); if (!NT_SUCCESS(Status)) 401c11: 83 bd 68 ff ff ff 00 cmpl $0x0,0xffffff68(%ebp) 401c18: 79 45 jns 401c5f <_SmLoadKnownDlls+0x248> { DPRINT1("NtOpenFile(%wZ) failed (Status %lx)\n", &DllNtPath, Status); 401c1a: 83 ec 04 sub $0x4,%esp 401c1d: 68 d0 00 00 00 push $0xd0 401c22: 68 9a 55 40 00 push $0x40559a 401c27: 68 a6 55 40 00 push $0x4055a6 401c2c: e8 af 1d 00 00 call 4039e0 <_DbgPrint> 401c31: 83 c4 10 add $0x10,%esp 401c34: 83 ec 04 sub $0x4,%esp 401c37: ff b5 68 ff ff ff pushl 0xffffff68(%ebp) 401c3d: 8d 45 80 lea 0xffffff80(%ebp),%eax 401c40: 50 push %eax 401c41: 68 40 57 40 00 push $0x405740 401c46: e8 95 1d 00 00 call 4039e0 <_DbgPrint> 401c4b: 83 c4 10 add $0x10,%esp return Status; 401c4e: 8b 85 68 ff ff ff mov 0xffffff68(%ebp),%eax 401c54: 89 85 64 ff ff ff mov %eax,0xffffff64(%ebp) 401c5a: e9 49 01 00 00 jmp 401da8 <_SmLoadKnownDlls+0x391> }
/* Link 'KnownDllPath' the dll path directory */ RtlInitUnicodeString(&Name, 401c5f: 83 ec 08 sub $0x8,%esp 401c62: 68 66 57 40 00 push $0x405766 401c67: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 401c6d: 50 push %eax 401c6e: e8 1d 1d 00 00 call 403990 _RtlInitUnicodeString@8 401c73: 83 c4 08 add $0x8,%esp L"KnownDllPath"); InitializeObjectAttributes(&ObjectAttributes, 401c76: c7 45 98 18 00 00 00 movl $0x18,0xffffff98(%ebp) 401c7d: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 401c83: 89 45 a0 mov %eax,0xffffffa0(%ebp) 401c86: c7 45 a4 d0 00 00 00 movl $0xd0,0xffffffa4(%ebp) 401c8d: 8b 85 74 ff ff ff mov 0xffffff74(%ebp),%eax 401c93: 89 45 9c mov %eax,0xffffff9c(%ebp) 401c96: c7 45 a8 00 00 00 00 movl $0x0,0xffffffa8(%ebp) 401c9d: c7 45 ac 00 00 00 00 movl $0x0,0xffffffac(%ebp) &Name, OBJ_PERMANENT | OBJ_CASE_INSENSITIVE | OBJ_OPENIF, ObjectDirHandle, NULL); Status = NtCreateSymbolicLinkObject(&SymlinkHandle, 401ca4: 8d 45 88 lea 0xffffff88(%ebp),%eax 401ca7: 50 push %eax 401ca8: 8d 45 98 lea 0xffffff98(%ebp),%eax 401cab: 50 push %eax 401cac: 68 01 00 0f 00 push $0xf0001 401cb1: 8d 85 6c ff ff ff lea 0xffffff6c(%ebp),%eax 401cb7: 50 push %eax 401cb8: e8 a3 1d 00 00 call 403a60 _NtCreateSymbolicLinkObject@16 401cbd: 89 85 68 ff ff ff mov %eax,0xffffff68(%ebp) SYMBOLIC_LINK_ALL_ACCESS, &ObjectAttributes, &DllDosPath); if (!NT_SUCCESS(Status)) 401cc3: 83 bd 68 ff ff ff 00 cmpl $0x0,0xffffff68(%ebp) 401cca: 79 41 jns 401d0d <_SmLoadKnownDlls+0x2f6> { DPRINT1("NtCreateSymbolicLink() failed (Status %lx)\n", Status); 401ccc: 83 ec 04 sub $0x4,%esp 401ccf: 68 e2 00 00 00 push $0xe2 401cd4: 68 9a 55 40 00 push $0x40559a 401cd9: 68 a6 55 40 00 push $0x4055a6 401cde: e8 fd 1c 00 00 call 4039e0 <_DbgPrint> 401ce3: 83 c4 10 add $0x10,%esp 401ce6: 83 ec 08 sub $0x8,%esp 401ce9: ff b5 68 ff ff ff pushl 0xffffff68(%ebp) 401cef: 68 80 57 40 00 push $0x405780 401cf4: e8 e7 1c 00 00 call 4039e0 <_DbgPrint> 401cf9: 83 c4 10 add $0x10,%esp return Status; 401cfc: 8b 85 68 ff ff ff mov 
0xffffff68(%ebp),%eax 401d02: 89 85 64 ff ff ff mov %eax,0xffffff64(%ebp) 401d08: e9 9b 00 00 00 jmp 401da8 <_SmLoadKnownDlls+0x391> }
NtClose(SymlinkHandle); 401d0d: 83 ec 0c sub $0xc,%esp 401d10: ff b5 6c ff ff ff pushl 0xffffff6c(%ebp) 401d16: e8 b5 1c 00 00 call 4039d0 _NtClose@4 401d1b: 83 c4 0c add $0xc,%esp
RtlZeroMemory(&QueryTable, 401d1e: 83 ec 08 sub $0x8,%esp 401d21: 6a 38 push $0x38 401d23: 8d 45 b8 lea 0xffffffb8(%ebp),%eax 401d26: 50 push %eax 401d27: e8 f4 1c 00 00 call 403a20 _RtlZeroMemory@8 401d2c: 83 c4 08 add $0x8,%esp sizeof(QueryTable));
QueryTable[0].QueryRoutine = SmpKnownDllsQueryRoutine; 401d2f: c7 45 b8 50 18 40 00 movl $0x401850,0xffffffb8(%ebp) QueryTable[0].EntryContext = ObjectDirHandle; 401d36: 8b 85 74 ff ff ff mov 0xffffff74(%ebp),%eax 401d3c: 89 45 c4 mov %eax,0xffffffc4(%ebp)
Status = RtlQueryRegistryValues(RTL_REGISTRY_CONTROL, 401d3f: 83 ec 0c sub $0xc,%esp 401d42: 6a 00 push $0x0 401d44: ff b5 70 ff ff ff pushl 0xffffff70(%ebp) 401d4a: 8d 45 b8 lea 0xffffffb8(%ebp),%eax 401d4d: 50 push %eax 401d4e: 68 80 56 40 00 push $0x405680 401d53: 6a 02 push $0x2 401d55: e8 d6 1c 00 00 call 403a30 _RtlQueryRegistryValues@20 401d5a: 83 c4 0c add $0xc,%esp 401d5d: 89 85 68 ff ff ff mov %eax,0xffffff68(%ebp) L"\Session Manager\KnownDlls", QueryTable, (PVOID)FileDirHandle, NULL); if (!NT_SUCCESS(Status)) 401d63: 83 bd 68 ff ff ff 00 cmpl $0x0,0xffffff68(%ebp) 401d6a: 79 30 jns 401d9c <_SmLoadKnownDlls+0x385> { DPRINT1("RtlQueryRegistryValues() failed (Status %lx)\n", Status); 401d6c: 83 ec 04 sub $0x4,%esp 401d6f: 68 f5 00 00 00 push $0xf5 401d74: 68 9a 55 40 00 push $0x40559a 401d79: 68 a6 55 40 00 push $0x4055a6 401d7e: e8 5d 1c 00 00 call 4039e0 <_DbgPrint> 401d83: 83 c4 10 add $0x10,%esp 401d86: 83 ec 08 sub $0x8,%esp 401d89: ff b5 68 ff ff ff pushl 0xffffff68(%ebp) 401d8f: 68 c0 56 40 00 push $0x4056c0 401d94: e8 47 1c 00 00 call 4039e0 <_DbgPrint> 401d99: 83 c4 10 add $0x10,%esp }
DPRINT("SmLoadKnownDlls() done\n");
return Status; 401d9c: 8b 85 68 ff ff ff mov 0xffffff68(%ebp),%eax 401da2: 89 85 64 ff ff ff mov %eax,0xffffff64(%ebp) } 401da8: 8b 85 64 ff ff ff mov 0xffffff64(%ebp),%eax 401dae: c9 leave 401daf: c3 ret
00401db0 _SmpPagingFilesQueryRoutine@24: 401db0: 55 push %ebp 401db1: 89 e5 mov %esp,%ebp 401db3: 83 ec 28 sub $0x28,%esp 401db6: 83 7d 0c 01 cmpl $0x1,0xc(%ebp) 401dba: 74 0c je 401dc8 <_SmpPagingFilesQueryRoutine@24+0x18> 401dbc: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp) 401dc3: e9 e9 00 00 00 jmp 401eb1 <_SmpPagingFilesQueryRoutine@24+0x101> 401dc8: 83 ec 08 sub $0x8,%esp 401dcb: 6a 20 push $0x20 401dcd: ff 75 10 pushl 0x10(%ebp) 401dd0: e8 db 1c 00 00 call 403ab0 <_wcschr> 401dd5: 83 c4 10 add $0x10,%esp 401dd8: 89 45 e0 mov %eax,0xffffffe0(%ebp) 401ddb: 83 7d e0 00 cmpl $0x0,0xffffffe0(%ebp) 401ddf: 74 6b je 401e4c <_SmpPagingFilesQueryRoutine@24+0x9c> 401de1: 8b 45 e0 mov 0xffffffe0(%ebp),%eax 401de4: 66 c7 00 00 00 movw $0x0,(%eax) 401de9: 83 ec 04 sub $0x4,%esp 401dec: 6a 00 push $0x0 401dee: 8d 45 e0 lea 0xffffffe0(%ebp),%eax 401df1: 50 push %eax 401df2: 8b 45 e0 mov 0xffffffe0(%ebp),%eax 401df5: 83 c0 02 add $0x2,%eax 401df8: 50 push %eax 401df9: e8 62 1d 00 00 call 403b60 <_wcstoul> 401dfe: 83 c4 10 add $0x10,%esp 401e01: c1 e0 14 shl $0x14,%eax 401e04: ba 00 00 00 00 mov $0x0,%edx 401e09: 89 45 f0 mov %eax,0xfffffff0(%ebp) 401e0c: 89 55 f4 mov %edx,0xfffffff4(%ebp) 401e0f: 8b 45 e0 mov 0xffffffe0(%ebp),%eax 401e12: 66 83 38 20 cmpw $0x20,(%eax) 401e16: 75 26 jne 401e3e <_SmpPagingFilesQueryRoutine@24+0x8e> 401e18: 83 ec 04 sub $0x4,%esp 401e1b: 6a 00 push $0x0 401e1d: 6a 00 push $0x0 401e1f: 8b 45 e0 mov 0xffffffe0(%ebp),%eax 401e22: 83 c0 02 add $0x2,%eax 401e25: 50 push %eax 401e26: e8 35 1d 00 00 call 403b60 <_wcstoul> 401e2b: 83 c4 10 add $0x10,%esp 401e2e: c1 e0 14 shl $0x14,%eax 401e31: ba 00 00 00 00 mov $0x0,%edx 401e36: 89 45 e8 mov %eax,0xffffffe8(%ebp) 401e39: 89 55 ec mov %edx,0xffffffec(%ebp) 401e3c: eb 2a jmp 401e68 <_SmpPagingFilesQueryRoutine@24+0xb8> 401e3e: 8b 45 f0 mov 0xfffffff0(%ebp),%eax 401e41: 8b 55 f4 mov 0xfffffff4(%ebp),%edx 401e44: 89 45 e8 mov %eax,0xffffffe8(%ebp) 401e47: 89 55 ec mov %edx,0xffffffec(%ebp) 401e4a: eb 
1c jmp 401e68 <_SmpPagingFilesQueryRoutine@24+0xb8> 401e4c: c7 45 f0 00 20 03 00 movl $0x32000,0xfffffff0(%ebp) 401e53: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 401e5a: c7 45 e8 00 00 05 00 movl $0x50000,0xffffffe8(%ebp) 401e61: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) 401e68: 6a 00 push $0x0 401e6a: 6a 00 push $0x0 401e6c: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 401e6f: 50 push %eax 401e70: ff 75 10 pushl 0x10(%ebp) 401e73: e8 98 1c 00 00 call 403b10 _RtlDosPathNameToNtPathName_U@16 401e78: 84 c0 test %al,%al 401e7a: 75 09 jne 401e85 <_SmpPagingFilesQueryRoutine@24+0xd5> 401e7c: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp) 401e83: eb 2c jmp 401eb1 <_SmpPagingFilesQueryRoutine@24+0x101> 401e85: 6a 00 push $0x0 401e87: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 401e8a: 50 push %eax 401e8b: 8d 45 f0 lea 0xfffffff0(%ebp),%eax 401e8e: 50 push %eax 401e8f: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 401e92: 50 push %eax 401e93: e8 98 1c 00 00 call 403b30 _NtCreatePagingFile@16 401e98: 89 45 e4 mov %eax,0xffffffe4(%ebp) 401e9b: 83 ec 0c sub $0xc,%esp 401e9e: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 401ea1: 50 push %eax 401ea2: e8 99 1c 00 00 call 403b40 _RtlFreeUnicodeString@4 401ea7: 83 c4 0c add $0xc,%esp 401eaa: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp) 401eb1: 8b 45 dc mov 0xffffffdc(%ebp),%eax 401eb4: c9 leave 401eb5: c2 18 00 ret $0x18
00401eb8 <_SmCreatePagingFiles>: 401eb8: 55 push %ebp 401eb9: 89 e5 mov %esp,%ebp 401ebb: 83 ec 58 sub $0x58,%esp 401ebe: 83 ec 08 sub $0x8,%esp 401ec1: 68 c0 57 40 00 push $0x4057c0 401ec6: 6a 02 push $0x2 401ec8: e8 83 1c 00 00 call 403b50 _RtlCheckRegistryKey@8 401ecd: 83 c4 08 add $0x8,%esp 401ed0: 85 c0 test %eax,%eax 401ed2: 75 09 jne 401edd <_SmCreatePagingFiles+0x25> 401ed4: c7 45 b0 00 00 00 00 movl $0x0,0xffffffb0(%ebp) 401edb: eb 42 jmp 401f1f <_SmCreatePagingFiles+0x67> 401edd: 83 ec 08 sub $0x8,%esp 401ee0: 6a 38 push $0x38 401ee2: 8d 45 b8 lea 0xffffffb8(%ebp),%eax 401ee5: 50 push %eax 401ee6: e8 35 1b 00 00 call 403a20 _RtlZeroMemory@8 401eeb: 83 c4 08 add $0x8,%esp 401eee: c7 45 c0 ce 57 40 00 movl $0x4057ce,0xffffffc0(%ebp) 401ef5: c7 45 b8 b0 1d 40 00 movl $0x401db0,0xffffffb8(%ebp) 401efc: 83 ec 0c sub $0xc,%esp 401eff: 6a 00 push $0x0 401f01: 6a 00 push $0x0 401f03: 8d 45 b8 lea 0xffffffb8(%ebp),%eax 401f06: 50 push %eax 401f07: 68 00 58 40 00 push $0x405800 401f0c: 6a 02 push $0x2 401f0e: e8 1d 1b 00 00 call 403a30 _RtlQueryRegistryValues@20 401f13: 83 c4 0c add $0xc,%esp 401f16: 89 45 b4 mov %eax,0xffffffb4(%ebp) 401f19: 8b 45 b4 mov 0xffffffb4(%ebp),%eax 401f1c: 89 45 b0 mov %eax,0xffffffb0(%ebp) 401f1f: 8b 45 b0 mov 0xffffffb0(%ebp),%eax 401f22: c9 leave 401f23: c3 ret 401f24: 90 nop 401f25: 90 nop 401f26: 90 nop 401f27: 90 nop 401f28: 90 nop 401f29: 90 nop 401f2a: 90 nop 401f2b: 90 nop 401f2c: 90 nop 401f2d: 90 nop 401f2e: 90 nop 401f2f: 90 nop
00401f30 <_SmpRegisterSmss>: 401f30: 55 push %ebp 401f31: 89 e5 mov %esp,%ebp 401f33: 83 ec 18 sub $0x18,%esp 401f36: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp) 401f3d: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp) 401f44: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 401f4b: 83 ec 08 sub $0x8,%esp 401f4e: 68 60 58 40 00 push $0x405860 401f53: 8d 45 f0 lea 0xfffffff0(%ebp),%eax 401f56: 50 push %eax 401f57: e8 34 1a 00 00 call 403990 _RtlInitUnicodeString@8 401f5c: 83 c4 08 add $0x8,%esp 401f5f: 68 40 60 40 00 push $0x406040 401f64: 6a 01 push $0x1 401f66: 6a ff push $0xffffffff 401f68: 8d 45 f0 lea 0xfffffff0(%ebp),%eax 401f6b: 50 push %eax 401f6c: e8 cf 17 00 00 call 403740 _SmConnectApiPort@16 401f71: 89 45 fc mov %eax,0xfffffffc(%ebp) 401f74: 83 7d fc 00 cmpl $0x0,0xfffffffc(%ebp) 401f78: 79 08 jns 401f82 <_SmpRegisterSmss+0x52> 401f7a: 8b 45 fc mov 0xfffffffc(%ebp),%eax 401f7d: 89 45 ec mov %eax,0xffffffec(%ebp) 401f80: eb 06 jmp 401f88 <_SmpRegisterSmss+0x58> 401f82: 8b 45 fc mov 0xfffffffc(%ebp),%eax 401f85: 89 45 ec mov %eax,0xffffffec(%ebp) 401f88: 8b 45 ec mov 0xffffffec(%ebp),%eax 401f8b: c9 leave 401f8c: c3 ret
00401f8d <_SmpLoadKernelModeSubsystem>: 401f8d: 55 push %ebp 401f8e: 89 e5 mov %esp,%ebp 401f90: 57 push %edi 401f91: 81 ec 54 04 00 00 sub $0x454,%esp 401f97: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 401f9e: c7 85 d4 fd ff ff 0a movl $0x20a,0xfffffdd4(%ebp) 401fa5: 02 00 00 401fa8: c7 85 d0 fd ff ff 00 movl $0x0,0xfffffdd0(%ebp) 401faf: 00 00 00 401fb2: 83 ec 0c sub $0xc,%esp 401fb5: 6a 01 push $0x1 401fb7: 8d 85 d0 fd ff ff lea 0xfffffdd0(%ebp),%eax 401fbd: 50 push %eax 401fbe: 8d 85 d4 fd ff ff lea 0xfffffdd4(%ebp),%eax 401fc4: 50 push %eax 401fc5: 8d 85 d8 fd ff ff lea 0xfffffdd8(%ebp),%eax 401fcb: 50 push %eax 401fcc: 68 62 58 40 00 push $0x405862 401fd1: e8 7f 0a 00 00 call 402a55 _SmLookupSubsystem@20 401fd6: 83 c4 0c add $0xc,%esp 401fd9: 89 45 f4 mov %eax,0xfffffff4(%ebp) 401fdc: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 401fe0: 0f 85 93 00 00 00 jne 402079 <_SmpLoadKernelModeSubsystem+0xec> 401fe6: 83 bd d4 fd ff ff 02 cmpl $0x2,0xfffffdd4(%ebp) 401fed: 0f 86 86 00 00 00 jbe 402079 <_SmpLoadKernelModeSubsystem+0xec> 401ff3: 8d bd b8 fb ff ff lea 0xfffffbb8(%ebp),%edi 401ff9: fc cld 401ffa: b9 0a 02 00 00 mov $0x20a,%ecx 401fff: b0 00 mov $0x0,%al 402001: f3 aa repz stos %al,%es:(%edi) 402003: 83 ec 08 sub $0x8,%esp 402006: 68 6e 58 40 00 push $0x40586e 40200b: 8d 85 b8 fb ff ff lea 0xfffffbb8(%ebp),%eax 402011: 50 push %eax 402012: e8 29 1a 00 00 call 403a40 <_wcscpy> 402017: 83 c4 10 add $0x10,%esp 40201a: 83 ec 08 sub $0x8,%esp 40201d: 8d 85 d8 fd ff ff lea 0xfffffdd8(%ebp),%eax 402023: 50 push %eax 402024: 8d 85 b8 fb ff ff lea 0xfffffbb8(%ebp),%eax 40202a: 50 push %eax 40202b: e8 50 1a 00 00 call 403a80 <_wcscat> 402030: 83 c4 10 add $0x10,%esp 402033: 83 ec 08 sub $0x8,%esp 402036: 6a 08 push $0x8 402038: 8d 85 b0 fb ff ff lea 0xfffffbb0(%ebp),%eax 40203e: 50 push %eax 40203f: e8 dc 19 00 00 call 403a20 _RtlZeroMemory@8 402044: 83 c4 08 add $0x8,%esp 402047: 83 ec 08 sub $0x8,%esp 40204a: 8d 85 b8 fb ff ff lea 0xfffffbb8(%ebp),%eax 402050: 50 
push %eax 402051: 8d 85 b0 fb ff ff lea 0xfffffbb0(%ebp),%eax 402057: 50 push %eax 402058: e8 33 19 00 00 call 403990 _RtlInitUnicodeString@8 40205d: 83 c4 08 add $0x8,%esp 402060: 83 ec 04 sub $0x4,%esp 402063: 6a 08 push $0x8 402065: 8d 85 b0 fb ff ff lea 0xfffffbb0(%ebp),%eax 40206b: 50 push %eax 40206c: 6a 26 push $0x26 40206e: e8 fd 1a 00 00 call 403b70 _NtSetSystemInformation@12 402073: 83 c4 04 add $0x4,%esp 402076: 89 45 f4 mov %eax,0xfffffff4(%ebp) 402079: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 40207c: 8b 7d fc mov 0xfffffffc(%ebp),%edi 40207f: c9 leave 402080: c3 ret
00402081 <_SmpLoadRequiredSubsystems>: 402081: 55 push %ebp 402082: 89 e5 mov %esp,%ebp 402084: 81 ec 48 02 00 00 sub $0x248,%esp 40208a: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 402091: c7 85 d4 fd ff ff 0a movl $0x20a,0xfffffdd4(%ebp) 402098: 02 00 00 40209b: c7 85 d0 fd ff ff 00 movl $0x0,0xfffffdd0(%ebp) 4020a2: 00 00 00 4020a5: 83 ec 08 sub $0x8,%esp 4020a8: ff b5 d4 fd ff ff pushl 0xfffffdd4(%ebp) 4020ae: 8d 85 d8 fd ff ff lea 0xfffffdd8(%ebp),%eax 4020b4: 50 push %eax 4020b5: e8 66 19 00 00 call 403a20 _RtlZeroMemory@8 4020ba: 83 c4 08 add $0x8,%esp 4020bd: 83 ec 0c sub $0xc,%esp 4020c0: 6a 00 push $0x0 4020c2: 8d 85 d0 fd ff ff lea 0xfffffdd0(%ebp),%eax 4020c8: 50 push %eax 4020c9: 8d 85 d4 fd ff ff lea 0xfffffdd4(%ebp),%eax 4020cf: 50 push %eax 4020d0: 8d 85 d8 fd ff ff lea 0xfffffdd8(%ebp),%eax 4020d6: 50 push %eax 4020d7: 68 78 58 40 00 push $0x405878 4020dc: e8 74 09 00 00 call 402a55 _SmLookupSubsystem@20 4020e1: 83 c4 0c add $0xc,%esp 4020e4: 89 45 f4 mov %eax,0xfffffff4(%ebp) 4020e7: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 4020eb: 0f 85 04 01 00 00 jne 4021f5 <_SmpLoadRequiredSubsystems+0x174> 4020f1: 83 bd d4 fd ff ff 02 cmpl $0x2,0xfffffdd4(%ebp) 4020f8: 0f 86 f7 00 00 00 jbe 4021f5 <_SmpLoadRequiredSubsystems+0x174> 4020fe: c7 85 cc fd ff ff 00 movl $0x0,0xfffffdcc(%ebp) 402105: 00 00 00 402108: c7 85 c8 fd ff ff 00 movl $0x0,0xfffffdc8(%ebp) 40210f: 00 00 00 for (Name = Data; (Offset < DataLength); ) 402112: 8d 85 d8 fd ff ff lea 0xfffffdd8(%ebp),%eax 402118: 89 85 cc fd ff ff mov %eax,0xfffffdcc(%ebp) 40211e: 8b 85 c8 fd ff ff mov 0xfffffdc8(%ebp),%eax 402124: 3b 85 d4 fd ff ff cmp 0xfffffdd4(%ebp),%eax 40212a: 72 05 jb 402131 <_SmpLoadRequiredSubsystems+0xb0> 40212c: e9 c4 00 00 00 jmp 4021f5 <_SmpLoadRequiredSubsystems+0x174> { if(L'\0' != *Name) 402131: 8b 85 cc fd ff ff mov 0xfffffdcc(%ebp),%eax 402137: 66 83 38 00 cmpw $0x0,(%eax) 40213b: 0f 84 9e 00 00 00 je 4021df <_SmpLoadRequiredSubsystems+0x15e> { UNICODE_STRING Program;
/* Run the current program */ RtlInitUnicodeString (& Program, Name); 402141: 83 ec 08 sub $0x8,%esp 402144: ff b5 cc fd ff ff pushl 0xfffffdcc(%ebp) 40214a: 8d 85 c0 fd ff ff lea 0xfffffdc0(%ebp),%eax 402150: 50 push %eax 402151: e8 3a 18 00 00 call 403990 _RtlInitUnicodeString@8 402156: 83 c4 08 add $0x8,%esp Status = SmExecuteProgram (hSmApiPort, & Program); 402159: 83 ec 08 sub $0x8,%esp 40215c: 8d 85 c0 fd ff ff lea 0xfffffdc0(%ebp),%eax 402162: 50 push %eax 402163: ff 35 40 60 40 00 pushl 0x406040 402169: e8 32 17 00 00 call 4038a0 _SmExecuteProgram@8 40216e: 83 c4 08 add $0x8,%esp 402171: 89 45 f4 mov %eax,0xfffffff4(%ebp) if(!NT_SUCCESS(Status)) 402174: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 402178: 79 35 jns 4021af <_SmpLoadRequiredSubsystems+0x12e> { DPRINT1("SM: %s failed to run '%S' program (Status=0x%08lx)\n", 40217a: 83 ec 04 sub $0x4,%esp 40217d: 68 a0 00 00 00 push $0xa0 402182: 68 8a 58 40 00 push $0x40588a 402187: 68 93 58 40 00 push $0x405893 40218c: e8 4f 18 00 00 call 4039e0 <_DbgPrint> 402191: 83 c4 10 add $0x10,%esp 402194: ff 75 f4 pushl 0xfffffff4(%ebp) 402197: ff b5 cc fd ff ff pushl 0xfffffdcc(%ebp) 40219d: 68 9c 58 40 00 push $0x40589c 4021a2: 68 c0 58 40 00 push $0x4058c0 4021a7: e8 34 18 00 00 call 4039e0 <_DbgPrint> 4021ac: 83 c4 10 add $0x10,%esp 4021af: 90 nop __FUNCTION__, Name, Status); } /* Look for the next program */ while ((L'\0' != *Name) && (Offset < DataLength)) 4021b0: 8b 85 cc fd ff ff mov 0xfffffdcc(%ebp),%eax 4021b6: 66 83 38 00 cmpw $0x0,(%eax) 4021ba: 74 23 je 4021df <_SmpLoadRequiredSubsystems+0x15e> 4021bc: 8b 85 c8 fd ff ff mov 0xfffffdc8(%ebp),%eax 4021c2: 3b 85 d4 fd ff ff cmp 0xfffffdd4(%ebp),%eax 4021c8: 72 02 jb 4021cc <_SmpLoadRequiredSubsystems+0x14b> 4021ca: eb 13 jmp 4021df <_SmpLoadRequiredSubsystems+0x15e> { ++ Name; 4021cc: 8d 85 cc fd ff ff lea 0xfffffdcc(%ebp),%eax 4021d2: 83 00 02 addl $0x2,(%eax) ++ Offset; 4021d5: 8d 85 c8 fd ff ff lea 0xfffffdc8(%ebp),%eax 4021db: ff 00 incl (%eax) 4021dd: eb d1 
jmp 4021b0 <_SmpLoadRequiredSubsystems+0x12f> } } ++ Name; 4021df: 8d 85 cc fd ff ff lea 0xfffffdcc(%ebp),%eax 4021e5: 83 00 02 addl $0x2,(%eax) ++ Offset; 4021e8: 8d 85 c8 fd ff ff lea 0xfffffdc8(%ebp),%eax 4021ee: ff 00 incl (%eax) 4021f0: e9 29 ff ff ff jmp 40211e <_SmpLoadRequiredSubsystems+0x9d> } }
return Status; 4021f5: 8b 45 f4 mov 0xfffffff4(%ebp),%eax } 4021f8: c9 leave 4021f9: c3 ret
004021fa <_SmLoadSubsystems>:
/********************************************************************** * SmLoadSubsystems/0 */ NTSTATUS SmLoadSubsystems(VOID) { 4021fa: 55 push %ebp 4021fb: 89 e5 mov %esp,%ebp 4021fd: 83 ec 08 sub $0x8,%esp NTSTATUS Status = STATUS_SUCCESS; 402200: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp)
DPRINT("SM: loading subsystems\n");
/* SM self registers */ Status = SmpRegisterSmss(); 402207: e8 24 fd ff ff call 401f30 <_SmpRegisterSmss> 40220c: 89 45 fc mov %eax,0xfffffffc(%ebp) if(!NT_SUCCESS(Status)) return Status; 40220f: 83 7d fc 00 cmpl $0x0,0xfffffffc(%ebp) 402213: 79 08 jns 40221d <_SmLoadSubsystems+0x23> 402215: 8b 45 fc mov 0xfffffffc(%ebp),%eax 402218: 89 45 f8 mov %eax,0xfffffff8(%ebp) 40221b: eb 32 jmp 40224f <_SmLoadSubsystems+0x55> /* Load Kmode subsystem (aka win32k.sys) */ Status = SmpLoadKernelModeSubsystem(); 40221d: e8 6b fd ff ff call 401f8d <_SmpLoadKernelModeSubsystem> 402222: 89 45 fc mov %eax,0xfffffffc(%ebp) if(!NT_SUCCESS(Status)) return Status; 402225: 83 7d fc 00 cmpl $0x0,0xfffffffc(%ebp) 402229: 79 08 jns 402233 <_SmLoadSubsystems+0x39> 40222b: 8b 45 fc mov 0xfffffffc(%ebp),%eax 40222e: 89 45 f8 mov %eax,0xfffffff8(%ebp) 402231: eb 1c jmp 40224f <_SmLoadSubsystems+0x55> /* Load Required subsystems (Debug Windows) */ Status = SmpLoadRequiredSubsystems(); 402233: e8 49 fe ff ff call 402081 <_SmpLoadRequiredSubsystems> 402238: 89 45 fc mov %eax,0xfffffffc(%ebp) if(!NT_SUCCESS(Status)) return Status; 40223b: 83 7d fc 00 cmpl $0x0,0xfffffffc(%ebp) 40223f: 79 08 jns 402249 <_SmLoadSubsystems+0x4f> 402241: 8b 45 fc mov 0xfffffffc(%ebp),%eax 402244: 89 45 f8 mov %eax,0xfffffff8(%ebp) 402247: eb 06 jmp 40224f <_SmLoadSubsystems+0x55> /* done */ return Status; 402249: 8b 45 fc mov 0xfffffffc(%ebp),%eax 40224c: 89 45 f8 mov %eax,0xfffffff8(%ebp) } 40224f: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 402252: c9 leave 402253: c3 ret 402254: 90 nop 402255: 90 nop 402256: 90 nop 402257: 90 nop 402258: 90 nop 402259: 90 nop 40225a: 90 nop 40225b: 90 nop 40225c: 90 nop 40225d: 90 nop 40225e: 90 nop 40225f: 90 nop
00402260 <_SmInitializeRegistry>: 402260: 55 push %ebp 402261: 89 e5 mov %esp,%ebp 402263: 83 ec 08 sub $0x8,%esp 402266: 83 ec 0c sub $0xc,%esp 402269: 6a 00 push $0x0 40226b: e8 10 19 00 00 call 403b80 _NtInitializeRegistry@4 402270: 83 c4 0c add $0xc,%esp 402273: c9 leave 402274: c3 ret 402275: 90 nop 402276: 90 nop 402277: 90 nop 402278: 90 nop 402279: 90 nop 40227a: 90 nop 40227b: 90 nop 40227c: 90 nop 40227d: 90 nop 40227e: 90 nop 40227f: 90 nop
00402280 <@SmInvalid@4>: 402280: 55 push %ebp 402281: 89 e5 mov %esp,%ebp 402283: 83 ec 04 sub $0x4,%esp 402286: 89 4d fc mov %ecx,0xfffffffc(%ebp) 402289: 8b 45 fc mov 0xfffffffc(%ebp),%eax 40228c: c7 40 1c 02 00 00 c0 movl $0xc0000002,0x1c(%eax) 402293: b8 00 00 00 00 mov $0x0,%eax 402298: c9 leave 402299: c3 ret
0040229a <@SmpGetConnectData@4>: 40229a: 55 push %ebp 40229b: 89 e5 mov %esp,%ebp 40229d: 83 ec 08 sub $0x8,%esp 4022a0: 89 4d fc mov %ecx,0xfffffffc(%ebp) 4022a3: 8b 45 fc mov 0xfffffffc(%ebp),%eax 4022a6: 89 45 f8 mov %eax,0xfffffff8(%ebp) 4022a9: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 4022ac: 83 c0 18 add $0x18,%eax 4022af: c9 leave 4022b0: c3 ret
004022b1 <_SmpCallbackServer>: 4022b1: 55 push %ebp 4022b2: 89 e5 mov %esp,%ebp 4022b4: 83 ec 28 sub $0x28,%esp 4022b7: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp) 4022be: 8b 4d 08 mov 0x8(%ebp),%ecx 4022c1: e8 d4 ff ff ff call 40229a <@SmpGetConnectData@4> 4022c6: 89 45 f8 mov %eax,0xfffffff8(%ebp) 4022c9: c7 45 ec 78 00 00 00 movl $0x78,0xffffffec(%ebp) 4022d0: c7 45 e4 04 00 00 00 movl $0x4,0xffffffe4(%ebp) 4022d7: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 4022da: 66 83 38 01 cmpw $0x1,(%eax) 4022de: 75 09 jne 4022e9 <_SmpCallbackServer+0x38> 4022e0: c7 45 e0 00 00 00 00 movl $0x0,0xffffffe0(%ebp) 4022e7: eb 62 jmp 40234b <_SmpCallbackServer+0x9a> 4022e9: 83 ec 04 sub $0x4,%esp 4022ec: ff 75 ec pushl 0xffffffec(%ebp) 4022ef: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 4022f2: 83 c0 04 add $0x4,%eax 4022f5: 50 push %eax 4022f6: 8b 45 0c mov 0xc(%ebp),%eax 4022f9: 83 c0 18 add $0x18,%eax 4022fc: 50 push %eax 4022fd: e8 9e 17 00 00 call 403aa0 <_memcpy> 402302: 83 c4 10 add $0x10,%esp 402305: 83 ec 08 sub $0x8,%esp 402308: 8b 45 0c mov 0xc(%ebp),%eax 40230b: 83 c0 18 add $0x18,%eax 40230e: 50 push %eax 40230f: 8d 45 f0 lea 0xfffffff0(%ebp),%eax 402312: 50 push %eax 402313: e8 78 16 00 00 call 403990 _RtlInitUnicodeString@8 402318: 83 c4 08 add $0x8,%esp 40231b: c7 45 e8 06 00 00 00 movl $0x6,0xffffffe8(%ebp) 402322: 8d 45 e4 lea 0xffffffe4(%ebp),%eax 402325: 50 push %eax 402326: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 402329: 50 push %eax 40232a: 6a 00 push $0x0 40232c: 6a 00 push $0x0 40232e: 6a 00 push $0x0 402330: 6a 00 push $0x0 402332: 8d 45 f0 lea 0xfffffff0(%ebp),%eax 402335: 50 push %eax 402336: 8b 45 0c mov 0xc(%ebp),%eax 402339: 83 c0 14 add $0x14,%eax 40233c: 50 push %eax 40233d: e8 4e 18 00 00 call 403b90 _NtConnectPort@32 402342: 89 45 fc mov %eax,0xfffffffc(%ebp) 402345: 8b 45 fc mov 0xfffffffc(%ebp),%eax 402348: 89 45 e0 mov %eax,0xffffffe0(%ebp) 40234b: 8b 45 e0 mov 0xffffffe0(%ebp),%eax 40234e: c9 leave 40234f: c3 ret
00402350 _SmpApiConnectedThread@4: 402350: 55 push %ebp 402351: 89 e5 mov %esp,%ebp 402353: 57 push %edi 402354: 81 ec 94 00 00 00 sub $0x94,%esp 40235a: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 402361: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp) 402368: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) 40236f: 8d bd 78 ff ff ff lea 0xffffff78(%ebp),%edi 402375: fc cld 402376: ba 00 00 00 00 mov $0x0,%edx 40237b: b8 1b 00 00 00 mov $0x1b,%eax 402380: 89 c1 mov %eax,%ecx 402382: 89 d0 mov %edx,%eax 402384: f3 ab repz stos %eax,%es:(%edi) 402386: 8b 45 08 mov 0x8(%ebp),%eax 402389: 8b 00 mov (%eax),%eax 40238b: 89 85 74 ff ff ff mov %eax,0xffffff74(%ebp) 402391: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 402397: 50 push %eax 402398: ff 75 ec pushl 0xffffffec(%ebp) 40239b: 8d 45 f0 lea 0xfffffff0(%ebp),%eax 40239e: 50 push %eax 40239f: ff b5 74 ff ff ff pushl 0xffffff74(%ebp) 4023a5: e8 f6 17 00 00 call 403ba0 _NtReplyWaitReceivePort@16 4023aa: 89 45 f4 mov %eax,0xfffffff4(%ebp) 4023ad: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 4023b1: 0f 88 b3 00 00 00 js 40246a <_SmpApiConnectedThread@4+0x11a> 4023b7: 8b 85 7c ff ff ff mov 0xffffff7c(%ebp),%eax 4023bd: 89 c2 mov %eax,%edx 4023bf: 81 e2 ff ff 00 00 and $0xffff,%edx 4023c5: 89 95 70 ff ff ff mov %edx,0xffffff70(%ebp) 4023cb: 83 bd 70 ff ff ff 08 cmpl $0x8,0xffffff70(%ebp) 4023d2: 74 3a je 40240e <_SmpApiConnectedThread@4+0xbe> 4023d4: 83 bd 70 ff ff ff 08 cmpl $0x8,0xffffff70(%ebp) 4023db: 7f 0b jg 4023e8 <_SmpApiConnectedThread@4+0x98> 4023dd: 83 bd 70 ff ff ff 05 cmpl $0x5,0xffffff70(%ebp) 4023e4: 74 34 je 40241a <_SmpApiConnectedThread@4+0xca> 4023e6: eb 3e jmp 402426 <_SmpApiConnectedThread@4+0xd6> 4023e8: 83 bd 70 ff ff ff 0a cmpl $0xa,0xffffff70(%ebp) 4023ef: 74 02 je 4023f3 <_SmpApiConnectedThread@4+0xa3> 4023f1: eb 33 jmp 402426 <_SmpApiConnectedThread@4+0xd6> 4023f3: 83 ec 0c sub $0xc,%esp 4023f6: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 4023fc: 50 push %eax 4023fd: e8 90 00 00 00 call 402492 
_SmpHandleConnectionRequest@4 402402: 83 c4 0c add $0xc,%esp 402405: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) 40240c: eb 83 jmp 402391 <_SmpApiConnectedThread@4+0x41> 40240e: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) 402415: e9 77 ff ff ff jmp 402391 <_SmpApiConnectedThread@4+0x41> 40241a: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) 402421: e9 6b ff ff ff jmp 402391 <_SmpApiConnectedThread@4+0x41> 402426: 83 7d 90 00 cmpl $0x0,0xffffff90(%ebp) 40242a: 74 29 je 402455 <_SmpApiConnectedThread@4+0x105> 40242c: 83 7d 90 05 cmpl $0x5,0xffffff90(%ebp) 402430: 77 23 ja 402455 <_SmpApiConnectedThread@4+0x105> 402432: 8b 45 90 mov 0xffffff90(%ebp),%eax 402435: 8d 8d 78 ff ff ff lea 0xffffff78(%ebp),%ecx 40243b: 8b 04 85 c4 40 40 00 mov 0x4040c4(,%eax,4),%eax 402442: ff d0 call *%eax 402444: 89 45 f4 mov %eax,0xfffffff4(%ebp) 402447: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 40244d: 89 45 ec mov %eax,0xffffffec(%ebp) 402450: e9 3c ff ff ff jmp 402391 <_SmpApiConnectedThread@4+0x41> 402455: c7 45 94 02 00 00 c0 movl $0xc0000002,0xffffff94(%ebp) 40245c: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 402462: 89 45 ec mov %eax,0xffffffec(%ebp) 402465: e9 27 ff ff ff jmp 402391 <_SmpApiConnectedThread@4+0x41> 40246a: 83 ec 0c sub $0xc,%esp 40246d: ff b5 74 ff ff ff pushl 0xffffff74(%ebp) 402473: e8 58 15 00 00 call 4039d0 _NtClose@4 402478: 83 c4 0c add $0xc,%esp 40247b: 83 ec 08 sub $0x8,%esp 40247e: ff 75 f4 pushl 0xfffffff4(%ebp) 402481: 6a fe push $0xfffffffe 402483: e8 f8 14 00 00 call 403980 _NtTerminateThread@8 402488: 83 c4 08 add $0x8,%esp 40248b: 8b 7d fc mov 0xfffffffc(%ebp),%edi 40248e: c9 leave 40248f: c2 04 00 ret $0x4
00402492 _SmpHandleConnectionRequest@4: 402492: 55 push %ebp 402493: 89 e5 mov %esp,%ebp 402495: 83 ec 28 sub $0x28,%esp 402498: 8b 4d 08 mov 0x8(%ebp),%ecx 40249b: e8 fa fd ff ff call 40229a <@SmpGetConnectData@4> 4024a0: 89 45 fc mov %eax,0xfffffffc(%ebp) 4024a3: c7 45 f8 00 00 00 00 movl $0x0,0xfffffff8(%ebp) 4024aa: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 4024b1: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp) 4024b8: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) 4024bf: 8d 45 ec lea 0xffffffec(%ebp),%eax 4024c2: 89 45 e8 mov %eax,0xffffffe8(%ebp) 4024c5: c7 45 e4 00 00 00 00 movl $0x0,0xffffffe4(%ebp) 4024cc: 8d 45 e4 lea 0xffffffe4(%ebp),%eax 4024cf: 89 45 e0 mov %eax,0xffffffe0(%ebp) 4024d2: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp) 4024d9: 8b 45 08 mov 0x8(%ebp),%eax 4024dc: 66 81 38 f4 00 cmpw $0xf4,(%eax) 4024e1: 0f 85 97 00 00 00 jne 40257e <_SmpHandleConnectionRequest@4+0xec> 4024e7: 8b 45 fc mov 0xfffffffc(%ebp),%eax 4024ea: 66 83 38 00 cmpw $0x0,(%eax) 4024ee: 75 15 jne 402505 <_SmpHandleConnectionRequest@4+0x73> 4024f0: 8d 45 ec lea 0xffffffec(%ebp),%eax 4024f3: 89 45 e8 mov %eax,0xffffffe8(%ebp)
4024f6: 8d 45 e4 lea 0xffffffe4(%ebp),%eax 4024f9: 89 45 e0 mov %eax,0xffffffe0(%ebp) /* EOF */ 4024fc: c7 45 f4 01 00 00 00 movl $0x1,0xfffffff4(%ebp) 402503: eb 79 jmp 40257e <_SmpHandleConnectionRequest@4+0xec> 402505: 8b 45 fc mov 0xfffffffc(%ebp),%eax 402508: 66 8b 00 mov (%eax),%ax 40250b: 83 e0 01 and $0x1,%eax 40250e: 66 83 f8 01 cmp $0x1,%ax 402512: 75 6a jne 40257e <_SmpHandleConnectionRequest@4+0xec> 402514: 83 ec 08 sub $0x8,%esp 402517: 8d 45 f0 lea 0xfffffff0(%ebp),%eax 40251a: 50 push %eax 40251b: ff 75 08 pushl 0x8(%ebp) 40251e: e8 33 0c 00 00 call 403156 _SmCreateClient@8 402523: 83 c4 08 add $0x8,%esp 402526: 89 45 f8 mov %eax,0xfffffff8(%ebp) 402529: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 40252d: 75 4f jne 40257e <_SmpHandleConnectionRequest@4+0xec> 40252f: 8b 45 f0 mov 0xfffffff0(%ebp),%eax 402532: 83 c0 0c add $0xc,%eax 402535: 89 45 e8 mov %eax,0xffffffe8(%ebp) 402538: 8b 45 f0 mov 0xfffffff0(%ebp),%eax 40253b: 83 c0 10 add $0x10,%eax 40253e: 89 45 e0 mov %eax,0xffffffe0(%ebp) 402541: 83 ec 08 sub $0x8,%esp 402544: ff 75 f0 pushl 0xfffffff0(%ebp) 402547: ff 75 08 pushl 0x8(%ebp) 40254a: e8 62 fd ff ff call 4022b1 <_SmpCallbackServer> 40254f: 83 c4 10 add $0x10,%esp 402552: 89 45 f8 mov %eax,0xfffffff8(%ebp) 402555: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 402559: 78 09 js 402564 <_SmpHandleConnectionRequest@4+0xd2> 40255b: c7 45 f4 01 00 00 00 movl $0x1,0xfffffff4(%ebp) 402562: eb 1a jmp 40257e <_SmpHandleConnectionRequest@4+0xec> 402564: 83 ec 0c sub $0xc,%esp 402567: 8b 45 fc mov 0xfffffffc(%ebp),%eax 40256a: 66 8b 00 mov (%eax),%ax 40256d: 25 ff ff 00 00 and $0xffff,%eax 402572: 50 push %eax 402573: e8 27 0d 00 00 call 40329f _SmDestroyClient@4 402578: 83 c4 0c add $0xc,%esp 40257b: 89 45 f8 mov %eax,0xfffffff8(%ebp) 40257e: 83 ec 08 sub $0x8,%esp 402581: 6a 00 push $0x0 402583: 6a 00 push $0x0 402585: b8 00 00 00 00 mov $0x0,%eax 40258a: 8a 45 f4 mov 0xfffffff4(%ebp),%al 40258d: 50 push %eax 40258e: ff 75 dc pushl 0xffffffdc(%ebp) 402591: ff 
35 c0 40 40 00 pushl 0x4040c0 402597: ff 75 e8 pushl 0xffffffe8(%ebp) 40259a: e8 11 16 00 00 call 403bb0 _NtAcceptConnectPort@24 40259f: 83 c4 08 add $0x8,%esp 4025a2: 89 45 f8 mov %eax,0xfffffff8(%ebp) 4025a5: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 4025a9: 0f 84 04 01 00 00 je 4026b3 <_SmpHandleConnectionRequest@4+0x221> 4025af: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 4025b3: 79 3d jns 4025f2 <_SmpHandleConnectionRequest@4+0x160> 4025b5: 83 ec 04 sub $0x4,%esp 4025b8: 68 0d 01 00 00 push $0x10d 4025bd: 68 00 59 40 00 push $0x405900 4025c2: 68 08 59 40 00 push $0x405908 4025c7: e8 14 14 00 00 call 4039e0 <_DbgPrint> 4025cc: 83 c4 10 add $0x10,%esp 4025cf: 83 ec 04 sub $0x4,%esp 4025d2: ff 75 f8 pushl 0xfffffff8(%ebp) 4025d5: 68 11 59 40 00 push $0x405911 4025da: 68 40 59 40 00 push $0x405940 4025df: e8 fc 13 00 00 call 4039e0 <_DbgPrint> 4025e4: 83 c4 10 add $0x10,%esp 4025e7: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 4025ea: 89 45 d8 mov %eax,0xffffffd8(%ebp) 4025ed: e9 c7 00 00 00 jmp 4026b9 <_SmpHandleConnectionRequest@4+0x227> 4025f2: 83 ec 0c sub $0xc,%esp 4025f5: 8b 45 e8 mov 0xffffffe8(%ebp),%eax 4025f8: ff 30 pushl (%eax) 4025fa: e8 c1 15 00 00 call 403bc0 _NtCompleteConnectPort@4 4025ff: 83 c4 0c add $0xc,%esp 402602: 89 45 f8 mov %eax,0xfffffff8(%ebp) 402605: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 402609: 79 3a jns 402645 <_SmpHandleConnectionRequest@4+0x1b3> 40260b: 83 ec 04 sub $0x4,%esp 40260e: 68 15 01 00 00 push $0x115 402613: 68 00 59 40 00 push $0x405900 402618: 68 08 59 40 00 push $0x405908 40261d: e8 be 13 00 00 call 4039e0 <_DbgPrint> 402622: 83 c4 10 add $0x10,%esp 402625: 83 ec 04 sub $0x4,%esp 402628: ff 75 f8 pushl 0xfffffff8(%ebp) 40262b: 68 11 59 40 00 push $0x405911 402630: 68 80 59 40 00 push $0x405980 402635: e8 a6 13 00 00 call 4039e0 <_DbgPrint> 40263a: 83 c4 10 add $0x10,%esp 40263d: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 402640: 89 45 d8 mov %eax,0xffffffd8(%ebp) 402643: eb 74 jmp 4026b9 <_SmpHandleConnectionRequest@4+0x227> 402645: 83 ec 08 
sub $0x8,%esp 402648: 6a 00 push $0x0 40264a: ff 75 e0 pushl 0xffffffe0(%ebp) 40264d: ff 75 e8 pushl 0xffffffe8(%ebp) 402650: 68 50 23 40 00 push $0x402350 402655: 6a 00 push $0x0 402657: 6a 00 push $0x0 402659: 6a 00 push $0x0 40265b: 6a 00 push $0x0 40265d: 6a 00 push $0x0 40265f: 6a ff push $0xffffffff 402661: e8 6a 15 00 00 call 403bd0 _RtlCreateUserThread@40 402666: 83 c4 08 add $0x8,%esp 402669: 89 45 f8 mov %eax,0xfffffff8(%ebp) 40266c: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 402670: 79 3a jns 4026ac <_SmpHandleConnectionRequest@4+0x21a> 402672: 83 ec 04 sub $0x4,%esp 402675: 68 27 01 00 00 push $0x127 40267a: 68 00 59 40 00 push $0x405900 40267f: 68 08 59 40 00 push $0x405908 402684: e8 57 13 00 00 call 4039e0 <_DbgPrint> 402689: 83 c4 10 add $0x10,%esp 40268c: 83 ec 04 sub $0x4,%esp 40268f: ff 75 f8 pushl 0xfffffff8(%ebp) 402692: 68 11 59 40 00 push $0x405911 402697: 68 c0 59 40 00 push $0x4059c0 40269c: e8 3f 13 00 00 call 4039e0 <_DbgPrint> 4026a1: 83 c4 10 add $0x10,%esp 4026a4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 4026a7: 89 45 d8 mov %eax,0xffffffd8(%ebp) 4026aa: eb 0d jmp 4026b9 <_SmpHandleConnectionRequest@4+0x227> 4026ac: c7 45 f8 00 00 00 00 movl $0x0,0xfffffff8(%ebp) 4026b3: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 4026b6: 89 45 d8 mov %eax,0xffffffd8(%ebp) 4026b9: 8b 45 d8 mov 0xffffffd8(%ebp),%eax 4026bc: c9 leave 4026bd: c2 04 00 ret $0x4
004026c0 _SmpApiThread@4: 4026c0: 55 push %ebp 4026c1: 89 e5 mov %esp,%ebp 4026c3: 57 push %edi 4026c4: 81 ec 64 01 00 00 sub $0x164,%esp 4026ca: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 4026d1: 8d bd 98 fe ff ff lea 0xfffffe98(%ebp),%edi 4026d7: fc cld 4026d8: ba 00 00 00 00 mov $0x0,%edx 4026dd: b8 52 00 00 00 mov $0x52,%eax 4026e2: 89 c1 mov %eax,%ecx 4026e4: 89 d0 mov %edx,%eax 4026e6: f3 ab repz stos %eax,%es:(%edi) 4026e8: 83 ec 08 sub $0x8,%esp 4026eb: 8d 85 98 fe ff ff lea 0xfffffe98(%ebp),%eax 4026f1: 50 push %eax 4026f2: ff 75 08 pushl 0x8(%ebp) 4026f5: e8 e6 14 00 00 call 403be0 _NtListenPort@8 4026fa: 83 c4 08 add $0x8,%esp 4026fd: 89 45 f4 mov %eax,0xfffffff4(%ebp) 402700: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 402704: 79 34 jns 40273a <_SmpApiThread@4+0x7a> 402706: 83 ec 04 sub $0x4,%esp 402709: 68 4b 01 00 00 push $0x14b 40270e: 68 00 59 40 00 push $0x405900 402713: 68 08 59 40 00 push $0x405908 402718: e8 c3 12 00 00 call 4039e0 <_DbgPrint> 40271d: 83 c4 10 add $0x10,%esp 402720: 83 ec 04 sub $0x4,%esp 402723: ff 75 f4 pushl 0xfffffff4(%ebp) 402726: 68 f9 59 40 00 push $0x4059f9 40272b: 68 20 5a 40 00 push $0x405a20 402730: e8 ab 12 00 00 call 4039e0 <_DbgPrint> 402735: 83 c4 10 add $0x10,%esp 402738: eb 4d jmp 402787 <_SmpApiThread@4+0xc7> 40273a: 83 ec 0c sub $0xc,%esp 40273d: 8d 85 98 fe ff ff lea 0xfffffe98(%ebp),%eax 402743: 50 push %eax 402744: e8 49 fd ff ff call 402492 _SmpHandleConnectionRequest@4 402749: 83 c4 0c add $0xc,%esp 40274c: 89 45 f4 mov %eax,0xfffffff4(%ebp) 40274f: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 402753: 79 93 jns 4026e8 <_SmpApiThread@4+0x28> 402755: 83 ec 04 sub $0x4,%esp 402758: 68 51 01 00 00 push $0x151 40275d: 68 00 59 40 00 push $0x405900 402762: 68 08 59 40 00 push $0x405908 402767: e8 74 12 00 00 call 4039e0 <_DbgPrint> 40276c: 83 c4 10 add $0x10,%esp 40276f: 83 ec 04 sub $0x4,%esp 402772: ff 75 f4 pushl 0xfffffff4(%ebp) 402775: 68 f9 59 40 00 push $0x4059f9 40277a: 68 60 5a 40 00 push $0x405a60 40277f: 
e8 5c 12 00 00 call 4039e0 <_DbgPrint> 402784: 83 c4 10 add $0x10,%esp 402787: 83 ec 0c sub $0xc,%esp 40278a: ff 75 08 pushl 0x8(%ebp) 40278d: e8 3e 12 00 00 call 4039d0 _NtClose@4 402792: 83 c4 0c add $0xc,%esp 402795: 83 ec 08 sub $0x8,%esp 402798: ff 75 f4 pushl 0xfffffff4(%ebp) 40279b: 6a fe push $0xfffffffe 40279d: e8 de 11 00 00 call 403980 _NtTerminateThread@8 4027a2: 83 c4 08 add $0x8,%esp 4027a5: 8b 7d fc mov 0xfffffffc(%ebp),%edi 4027a8: c9 leave 4027a9: c2 04 00 ret $0x4
004027ac <_SmCreateApiPort>: 4027ac: 55 push %ebp 4027ad: 89 e5 mov %esp,%ebp 4027af: 57 push %edi 4027b0: 83 ec 34 sub $0x34,%esp 4027b3: 8d 7d d8 lea 0xffffffd8(%ebp),%edi 4027b6: fc cld 4027b7: ba 00 00 00 00 mov $0x0,%edx 4027bc: b8 06 00 00 00 mov $0x6,%eax 4027c1: 89 c1 mov %eax,%ecx 4027c3: 89 d0 mov %edx,%eax 4027c5: f3 ab repz stos %eax,%es:(%edi) 4027c7: c7 45 d0 00 00 00 00 movl $0x0,0xffffffd0(%ebp) 4027ce: c7 45 d4 00 00 00 00 movl $0x0,0xffffffd4(%ebp) 4027d5: c7 45 cc 00 00 00 00 movl $0x0,0xffffffcc(%ebp) 4027dc: 66 c7 45 d0 14 00 movw $0x14,0xffffffd0(%ebp) 4027e2: 66 c7 45 d2 16 00 movw $0x16,0xffffffd2(%ebp) 4027e8: c7 45 d4 9c 5a 40 00 movl $0x405a9c,0xffffffd4(%ebp) 4027ef: c7 45 d8 18 00 00 00 movl $0x18,0xffffffd8(%ebp) 4027f6: 8d 45 d0 lea 0xffffffd0(%ebp),%eax 4027f9: 89 45 e0 mov %eax,0xffffffe0(%ebp) 4027fc: c7 45 e4 01 00 00 00 movl $0x1,0xffffffe4(%ebp) 402803: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp) 40280a: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp) 402811: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) 402818: 83 ec 0c sub $0xc,%esp 40281b: 6a 00 push $0x0 40281d: 6a 00 push $0x0 40281f: 6a 00 push $0x0 402821: 8d 45 d8 lea 0xffffffd8(%ebp),%eax 402824: 50 push %eax 402825: 68 c0 40 40 00 push $0x4040c0 40282a: e8 c1 13 00 00 call 403bf0 _NtCreatePort@20 40282f: 83 c4 0c add $0xc,%esp 402832: 89 45 cc mov %eax,0xffffffcc(%ebp) 402835: 83 7d cc 00 cmpl $0x0,0xffffffcc(%ebp) 402839: 79 08 jns 402843 <_SmCreateApiPort+0x97> 40283b: 8b 45 cc mov 0xffffffcc(%ebp),%eax 40283e: 89 45 c8 mov %eax,0xffffffc8(%ebp) 402841: eb 2c jmp 40286f <_SmCreateApiPort+0xc3> 402843: 83 ec 08 sub $0x8,%esp 402846: 6a 00 push $0x0 402848: 6a 00 push $0x0 40284a: ff 35 c0 40 40 00 pushl 0x4040c0 402850: 68 c0 26 40 00 push $0x4026c0 402855: 6a 00 push $0x0 402857: 6a 00 push $0x0 402859: 6a 00 push $0x0 40285b: 6a 00 push $0x0 40285d: 6a 00 push $0x0 40285f: 6a ff push $0xffffffff 402861: e8 6a 13 00 00 call 403bd0 _RtlCreateUserThread@40 
402866: 83 c4 08 add $0x8,%esp 402869: 8b 45 cc mov 0xffffffcc(%ebp),%eax 40286c: 89 45 c8 mov %eax,0xffffffc8(%ebp) 40286f: 8b 45 c8 mov 0xffffffc8(%ebp),%eax 402872: 8b 7d fc mov 0xfffffffc(%ebp),%edi 402875: c9 leave 402876: c3 ret 402877: 90 nop 402878: 90 nop 402879: 90 nop 40287a: 90 nop 40287b: 90 nop 40287c: 90 nop 40287d: 90 nop 40287e: 90 nop 40287f: 90 nop
00402880 <@SmCompSes@4>: 402880: 55 push %ebp 402881: 89 e5 mov %esp,%ebp 402883: 83 ec 08 sub $0x8,%esp 402886: 89 4d fc mov %ecx,0xfffffffc(%ebp) 402889: c7 45 f8 00 00 00 00 movl $0x0,0xfffffff8(%ebp) 402890: 83 ec 0c sub $0xc,%esp 402893: 8b 45 fc mov 0xfffffffc(%ebp),%eax 402896: ff 70 08 pushl 0x8(%eax) 402899: e8 73 07 00 00 call 403011 _SmCompleteClientInitialization@4 40289e: 83 c4 0c add $0xc,%esp 4028a1: 89 45 f8 mov %eax,0xfffffff8(%ebp) 4028a4: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 4028a8: 79 0a jns 4028b4 <@SmCompSes@4+0x34> 4028aa: 8b 45 fc mov 0xfffffffc(%ebp),%eax 4028ad: c7 40 1c 01 00 00 c0 movl $0xc0000001,0x1c(%eax) 4028b4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 4028b7: c9 leave 4028b8: c3 ret 4028b9: 90 nop 4028ba: 90 nop 4028bb: 90 nop 4028bc: 90 nop 4028bd: 90 nop 4028be: 90 nop 4028bf: 90 nop
004028c0 _SmCreateUserProcess@24: 4028c0: 55 push %ebp 4028c1: 89 e5 mov %esp,%ebp 4028c3: 57 push %edi 4028c4: 81 ec 84 00 00 00 sub $0x84,%esp 4028ca: 8b 45 10 mov 0x10(%ebp),%eax 4028cd: 8b 55 18 mov 0x18(%ebp),%edx 4028d0: 88 45 f7 mov %al,0xfffffff7(%ebp) 4028d3: 88 55 f6 mov %dl,0xfffffff6(%ebp) 4028d6: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp) 4028dd: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) 4028e4: c7 45 e0 00 00 00 00 movl $0x0,0xffffffe0(%ebp) 4028eb: c7 45 e4 00 00 00 00 movl $0x0,0xffffffe4(%ebp) 4028f2: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp) 4028f9: 8d 7d 88 lea 0xffffff88(%ebp),%edi 4028fc: fc cld 4028fd: ba 00 00 00 00 mov $0x0,%edx 402902: b8 11 00 00 00 mov $0x11,%eax 402907: 89 c1 mov %eax,%ecx 402909: 89 d0 mov %edx,%eax 40290b: f3 ab repz stos %eax,%es:(%edi) 40290d: 8d 45 88 lea 0xffffff88(%ebp),%eax 402910: 89 45 84 mov %eax,0xffffff84(%ebp) 402913: c7 45 80 00 00 00 00 movl $0x0,0xffffff80(%ebp) 40291a: 83 ec 08 sub $0x8,%esp 40291d: ff 75 08 pushl 0x8(%ebp) 402920: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 402923: 50 push %eax 402924: e8 67 10 00 00 call 403990 _RtlInitUnicodeString@8 402929: 83 c4 08 add $0x8,%esp 40292c: 83 ec 08 sub $0x8,%esp 40292f: ff 75 0c pushl 0xc(%ebp) 402932: 8d 45 e0 lea 0xffffffe0(%ebp),%eax 402935: 50 push %eax 402936: e8 55 10 00 00 call 403990 _RtlInitUnicodeString@8 40293b: 83 c4 08 add $0x8,%esp 40293e: 83 ec 08 sub $0x8,%esp 402941: 6a 00 push $0x0 402943: 6a 00 push $0x0 402945: 6a 00 push $0x0 402947: 6a 00 push $0x0 402949: ff 35 20 60 40 00 pushl 0x406020 40294f: 8d 45 e0 lea 0xffffffe0(%ebp),%eax 402952: 50 push %eax 402953: 6a 00 push $0x0 402955: 6a 00 push $0x0 402957: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 40295a: 50 push %eax 40295b: 8d 45 dc lea 0xffffffdc(%ebp),%eax 40295e: 50 push %eax 40295f: e8 9c 12 00 00 call 403c00 _RtlCreateProcessParameters@40 402964: 83 c4 08 add $0x8,%esp 402967: 83 7d 1c 00 cmpl $0x0,0x1c(%ebp) 40296b: 74 06 je 402973 <_SmCreateUserProcess@24+0xb3> 40296d: 
8b 45 1c mov 0x1c(%ebp),%eax 402970: 89 45 84 mov %eax,0xffffff84(%ebp) 402973: 83 ec 08 sub $0x8,%esp 402976: ff 75 84 pushl 0xffffff84(%ebp) 402979: 6a 00 push $0x0 40297b: 6a 00 push $0x0 40297d: 6a 00 push $0x0 40297f: 6a 00 push $0x0 402981: 6a 00 push $0x0 402983: 6a 00 push $0x0 402985: ff 75 dc pushl 0xffffffdc(%ebp) 402988: 6a 40 push $0x40 40298a: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 40298d: 50 push %eax 40298e: e8 7d 12 00 00 call 403c10 _RtlCreateUserProcess@40 402993: 83 c4 08 add $0x8,%esp 402996: 89 45 80 mov %eax,0xffffff80(%ebp) 402999: 83 ec 0c sub $0xc,%esp 40299c: ff 75 dc pushl 0xffffffdc(%ebp) 40299f: e8 7c 12 00 00 call 403c20 _RtlDestroyProcessParameters@4 4029a4: 83 c4 0c add $0xc,%esp 4029a7: 83 7d 80 00 cmpl $0x0,0xffffff80(%ebp) 4029ab: 79 3a jns 4029e7 <_SmCreateUserProcess@24+0x127> 4029ad: 83 ec 04 sub $0x4,%esp 4029b0: 6a 59 push $0x59 4029b2: 68 c0 5a 40 00 push $0x405ac0 4029b7: 68 cc 5a 40 00 push $0x405acc 4029bc: e8 1f 10 00 00 call 4039e0 <_DbgPrint> 4029c1: 83 c4 10 add $0x10,%esp 4029c4: ff 75 80 pushl 0xffffff80(%ebp) 4029c7: ff 75 ec pushl 0xffffffec(%ebp) 4029ca: 68 d5 5a 40 00 push $0x405ad5 4029cf: 68 00 5b 40 00 push $0x405b00 4029d4: e8 07 10 00 00 call 4039e0 <_DbgPrint> 4029d9: 83 c4 10 add $0x10,%esp 4029dc: 8b 45 80 mov 0xffffff80(%ebp),%eax 4029df: 89 85 7c ff ff ff mov %eax,0xffffff7c(%ebp) 4029e5: eb 61 jmp 402a48 <_SmCreateUserProcess@24+0x188> 4029e7: 83 ec 08 sub $0x8,%esp 4029ea: 6a 00 push $0x0 4029ec: 8b 45 84 mov 0xffffff84(%ebp),%eax 4029ef: ff 70 08 pushl 0x8(%eax) 4029f2: e8 39 12 00 00 call 403c30 _ZwResumeThread@8 4029f7: 83 c4 08 add $0x8,%esp 4029fa: 80 7d f7 00 cmpb $0x0,0xfffffff7(%ebp) 4029fe: 74 16 je 402a16 <_SmCreateUserProcess@24+0x156> 402a00: 83 ec 04 sub $0x4,%esp 402a03: ff 75 14 pushl 0x14(%ebp) 402a06: 6a 00 push $0x0 402a08: 8b 45 84 mov 0xffffff84(%ebp),%eax 402a0b: ff 70 04 pushl 0x4(%eax) 402a0e: e8 ad 0f 00 00 call 4039c0 _NtWaitForSingleObject@12 402a13: 83 c4 04 add $0x4,%esp 
402a16: 80 7d f6 00 cmpb $0x0,0xfffffff6(%ebp) 402a1a: 74 22 je 402a3e <_SmCreateUserProcess@24+0x17e> 402a1c: 83 ec 0c sub $0xc,%esp 402a1f: 8b 45 84 mov 0xffffff84(%ebp),%eax 402a22: ff 70 08 pushl 0x8(%eax) 402a25: e8 a6 0f 00 00 call 4039d0 _NtClose@4 402a2a: 83 c4 0c add $0xc,%esp 402a2d: 83 ec 0c sub $0xc,%esp 402a30: 8b 45 84 mov 0xffffff84(%ebp),%eax 402a33: ff 70 04 pushl 0x4(%eax) 402a36: e8 95 0f 00 00 call 4039d0 _NtClose@4 402a3b: 83 c4 0c add $0xc,%esp 402a3e: c7 85 7c ff ff ff 00 movl $0x0,0xffffff7c(%ebp) 402a45: 00 00 00 402a48: 8b 85 7c ff ff ff mov 0xffffff7c(%ebp),%eax 402a4e: 8b 7d fc mov 0xfffffffc(%ebp),%edi 402a51: c9 leave 402a52: c2 18 00 ret $0x18
00402a55 _SmLookupSubsystem@20: 402a55: 55 push %ebp 402a56: 89 e5 mov %esp,%ebp 402a58: 57 push %edi 402a59: b8 84 18 00 00 mov $0x1884,%eax 402a5e: e8 bd 12 00 00 call 403d20 <___chkstk> 402a63: 8b 45 18 mov 0x18(%ebp),%eax 402a66: 88 45 f7 mov %al,0xfffffff7(%ebp) 402a69: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp) 402a70: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp) 402a77: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) 402a7e: 8d 7d c8 lea 0xffffffc8(%ebp),%edi 402a81: fc cld 402a82: ba 00 00 00 00 mov $0x0,%edx 402a87: b8 06 00 00 00 mov $0x6,%eax 402a8c: 89 c1 mov %eax,%ecx 402a8e: 89 d0 mov %edx,%eax 402a90: f3 ab repz stos %eax,%es:(%edi) 402a92: c7 45 c4 00 00 00 00 movl $0x0,0xffffffc4(%ebp) 402a99: 83 ec 08 sub $0x8,%esp 402a9c: 68 40 5b 40 00 push $0x405b40 402aa1: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 402aa4: 50 push %eax 402aa5: e8 e6 0e 00 00 call 403990 _RtlInitUnicodeString@8 402aaa: 83 c4 08 add $0x8,%esp 402aad: c7 45 c8 18 00 00 00 movl $0x18,0xffffffc8(%ebp) 402ab4: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 402ab7: 89 45 d0 mov %eax,0xffffffd0(%ebp) 402aba: c7 45 d4 40 00 00 00 movl $0x40,0xffffffd4(%ebp) 402ac1: c7 45 cc 00 00 00 00 movl $0x0,0xffffffcc(%ebp) 402ac8: c7 45 d8 00 00 00 00 movl $0x0,0xffffffd8(%ebp) 402acf: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp) 402ad6: 83 ec 04 sub $0x4,%esp 402ad9: 8d 45 c8 lea 0xffffffc8(%ebp),%eax 402adc: 50 push %eax 402add: 68 00 00 00 02 push $0x2000000 402ae2: 8d 45 c4 lea 0xffffffc4(%ebp),%eax 402ae5: 50 push %eax 402ae6: e8 55 11 00 00 call 403c40 _NtOpenKey@12 402aeb: 83 c4 04 add $0x4,%esp 402aee: 89 45 f0 mov %eax,0xfffffff0(%ebp) 402af1: 83 7d f0 00 cmpl $0x0,0xfffffff0(%ebp) 402af5: 0f 88 c1 02 00 00 js 402dbc <_SmLookupSubsystem@20+0x367> 402afb: c7 45 b8 00 00 00 00 movl $0x0,0xffffffb8(%ebp) 402b02: c7 45 bc 00 00 00 00 movl $0x0,0xffffffbc(%ebp) 402b09: 8d bd b8 f7 ff ff lea 0xfffff7b8(%ebp),%edi 402b0f: fc cld 402b10: ba 00 00 00 00 mov $0x0,%edx 402b15: b8 00 02 00 00 mov $0x200,%eax 
402b1a: 89 c1 mov %eax,%ecx 402b1c: 89 d0 mov %edx,%eax 402b1e: f3 ab repz stos %eax,%es:(%edi) 402b20: c7 85 b4 f7 ff ff 00 movl $0x0,0xfffff7b4(%ebp) 402b27: 00 00 00 402b2a: 8d 85 b8 f7 ff ff lea 0xfffff7b8(%ebp),%eax 402b30: 89 85 b0 f7 ff ff mov %eax,0xfffff7b0(%ebp) 402b36: 83 ec 08 sub $0x8,%esp 402b39: ff 75 08 pushl 0x8(%ebp) 402b3c: 8d 45 b8 lea 0xffffffb8(%ebp),%eax 402b3f: 50 push %eax 402b40: e8 4b 0e 00 00 call 403990 _RtlInitUnicodeString@8 402b45: 83 c4 08 add $0x8,%esp 402b48: 83 ec 08 sub $0x8,%esp 402b4b: 8d 85 b4 f7 ff ff lea 0xfffff7b4(%ebp),%eax 402b51: 50 push %eax 402b52: 68 00 08 00 00 push $0x800 402b57: 8d 85 b8 f7 ff ff lea 0xfffff7b8(%ebp),%eax 402b5d: 50 push %eax 402b5e: 6a 02 push $0x2 402b60: 8d 45 b8 lea 0xffffffb8(%ebp),%eax 402b63: 50 push %eax 402b64: ff 75 c4 pushl 0xffffffc4(%ebp) 402b67: e8 e4 10 00 00 call 403c50 _NtQueryValueKey@24 402b6c: 83 c4 08 add $0x8,%esp 402b6f: 89 45 f0 mov %eax,0xfffffff0(%ebp) 402b72: 83 7d f0 00 cmpl $0x0,0xfffffff0(%ebp) 402b76: 0f 88 fe 01 00 00 js 402d7a <_SmLookupSubsystem@20+0x325> 402b7c: 83 7d 0c 00 cmpl $0x0,0xc(%ebp) 402b80: 0f 84 bc 01 00 00 je 402d42 <_SmLookupSubsystem@20+0x2ed> 402b86: 83 7d 10 00 cmpl $0x0,0x10(%ebp) 402b8a: 0f 84 b2 01 00 00 je 402d42 <_SmLookupSubsystem@20+0x2ed> 402b90: 83 7d 14 00 cmpl $0x0,0x14(%ebp) 402b94: 0f 84 a8 01 00 00 je 402d42 <_SmLookupSubsystem@20+0x2ed> 402b9a: 8b 45 14 mov 0x14(%ebp),%eax 402b9d: 8b 95 b0 f7 ff ff mov 0xfffff7b0(%ebp),%edx 402ba3: 8b 52 04 mov 0x4(%edx),%edx 402ba6: 89 10 mov %edx,(%eax) 402ba8: 80 7d f7 00 cmpb $0x0,0xfffffff7(%ebp) 402bac: 0f 84 16 01 00 00 je 402cc8 <_SmLookupSubsystem@20+0x273> 402bb2: 8b 45 14 mov 0x14(%ebp),%eax 402bb5: 83 38 02 cmpl $0x2,(%eax) 402bb8: 0f 85 0a 01 00 00 jne 402cc8 <_SmLookupSubsystem@20+0x273> 402bbe: 8d bd a8 e7 ff ff lea 0xffffe7a8(%ebp),%edi 402bc4: fc cld 402bc5: ba 00 00 00 00 mov $0x0,%edx 402bca: b8 00 04 00 00 mov $0x400,%eax 402bcf: 89 c1 mov %eax,%ecx 402bd1: 89 d0 mov %edx,%eax 
402bd3: f3 ab repz stos %eax,%es:(%edi) 402bd5: c7 85 9c e7 ff ff 00 movl $0x0,0xffffe79c(%ebp) 402bdc: 00 00 00 402bdf: 8b 85 b0 f7 ff ff mov 0xfffff7b0(%ebp),%eax 402be5: 66 8b 40 08 mov 0x8(%eax),%ax 402be9: 66 89 85 a8 f7 ff ff mov %ax,0xfffff7a8(%ebp) 402bf0: 8b 85 b0 f7 ff ff mov 0xfffff7b0(%ebp),%eax 402bf6: 66 8b 40 08 mov 0x8(%eax),%ax 402bfa: 66 89 85 aa f7 ff ff mov %ax,0xfffff7aa(%ebp) 402c01: 8b 85 b0 f7 ff ff mov 0xfffff7b0(%ebp),%eax 402c07: 83 c0 0c add $0xc,%eax 402c0a: 89 85 ac f7 ff ff mov %eax,0xfffff7ac(%ebp) 402c10: 66 c7 85 a0 e7 ff ff movw $0x0,0xffffe7a0(%ebp) 402c17: 00 00 402c19: 66 c7 85 a2 e7 ff ff movw $0x1000,0xffffe7a2(%ebp) 402c20: 00 10 402c22: 8d 85 a8 e7 ff ff lea 0xffffe7a8(%ebp),%eax 402c28: 89 85 a4 e7 ff ff mov %eax,0xffffe7a4(%ebp) 402c2e: 8d 85 9c e7 ff ff lea 0xffffe79c(%ebp),%eax 402c34: 50 push %eax 402c35: 8d 85 a0 e7 ff ff lea 0xffffe7a0(%ebp),%eax 402c3b: 50 push %eax 402c3c: 8d 85 a8 f7 ff ff lea 0xfffff7a8(%ebp),%eax 402c42: 50 push %eax 402c43: ff 35 20 60 40 00 pushl 0x406020 402c49: e8 12 10 00 00 call 403c60 _RtlExpandEnvironmentStrings_U@16 402c4e: 89 45 f0 mov %eax,0xfffffff0(%ebp) 402c51: 83 7d f0 00 cmpl $0x0,0xfffffff0(%ebp) 402c55: 0f 88 d7 00 00 00 js 402d32 <_SmLookupSubsystem@20+0x2dd> 402c5b: 8b 55 10 mov 0x10(%ebp),%edx 402c5e: 89 95 98 e7 ff ff mov %edx,0xffffe798(%ebp) 402c64: 8b 45 10 mov 0x10(%ebp),%eax 402c67: 89 85 90 e7 ff ff mov %eax,0xffffe790(%ebp) 402c6d: 8b 85 a0 e7 ff ff mov 0xffffe7a0(%ebp),%eax 402c73: 89 c2 mov %eax,%edx 402c75: 81 e2 ff ff 00 00 and $0xffff,%edx 402c7b: 89 95 94 e7 ff ff mov %edx,0xffffe794(%ebp) 402c81: 8b 95 94 e7 ff ff mov 0xffffe794(%ebp),%edx 402c87: 8b 85 90 e7 ff ff mov 0xffffe790(%ebp),%eax 402c8d: 3b 10 cmp (%eax),%edx 402c8f: 76 0e jbe 402c9f <_SmLookupSubsystem@20+0x24a> 402c91: 8b 85 90 e7 ff ff mov 0xffffe790(%ebp),%eax 402c97: 8b 00 mov (%eax),%eax 402c99: 89 85 94 e7 ff ff mov %eax,0xffffe794(%ebp) 402c9f: 8b 85 94 e7 ff ff mov 0xffffe794(%ebp),%eax 
402ca5: 8b 95 98 e7 ff ff mov 0xffffe798(%ebp),%edx 402cab: 89 02 mov %eax,(%edx) 402cad: 83 ec 04 sub $0x4,%esp 402cb0: 8b 45 10 mov 0x10(%ebp),%eax 402cb3: ff 30 pushl (%eax) 402cb5: ff b5 a4 e7 ff ff pushl 0xffffe7a4(%ebp) 402cbb: ff 75 0c pushl 0xc(%ebp) 402cbe: e8 dd 0d 00 00 call 403aa0 <_memcpy> 402cc3: 83 c4 10 add $0x10,%esp 402cc6: eb 6a jmp 402d32 <_SmLookupSubsystem@20+0x2dd> 402cc8: 8b 55 10 mov 0x10(%ebp),%edx 402ccb: 89 95 8c e7 ff ff mov %edx,0xffffe78c(%ebp) 402cd1: 8b 45 10 mov 0x10(%ebp),%eax 402cd4: 89 85 84 e7 ff ff mov %eax,0xffffe784(%ebp) 402cda: 8b 85 b0 f7 ff ff mov 0xfffff7b0(%ebp),%eax 402ce0: 8b 40 08 mov 0x8(%eax),%eax 402ce3: 89 85 88 e7 ff ff mov %eax,0xffffe788(%ebp) 402ce9: 8b 85 88 e7 ff ff mov 0xffffe788(%ebp),%eax 402cef: 8b 95 84 e7 ff ff mov 0xffffe784(%ebp),%edx 402cf5: 3b 02 cmp (%edx),%eax 402cf7: 76 0e jbe 402d07 <_SmLookupSubsystem@20+0x2b2> 402cf9: 8b 95 84 e7 ff ff mov 0xffffe784(%ebp),%edx 402cff: 8b 12 mov (%edx),%edx 402d01: 89 95 88 e7 ff ff mov %edx,0xffffe788(%ebp) 402d07: 8b 95 88 e7 ff ff mov 0xffffe788(%ebp),%edx 402d0d: 8b 85 8c e7 ff ff mov 0xffffe78c(%ebp),%eax 402d13: 89 10 mov %edx,(%eax) 402d15: 83 ec 04 sub $0x4,%esp 402d18: 8b 45 10 mov 0x10(%ebp),%eax 402d1b: ff 30 pushl (%eax) 402d1d: 8b 85 b0 f7 ff ff mov 0xfffff7b0(%ebp),%eax 402d23: 83 c0 0c add $0xc,%eax 402d26: 50 push %eax 402d27: ff 75 0c pushl 0xc(%ebp) 402d2a: e8 71 0d 00 00 call 403aa0 <_memcpy> 402d2f: 83 c4 10 add $0x10,%esp 402d32: 8b 45 14 mov 0x14(%ebp),%eax 402d35: 8b 95 b0 f7 ff ff mov 0xfffff7b0(%ebp),%edx 402d3b: 8b 52 04 mov 0x4(%edx),%edx 402d3e: 89 10 mov %edx,(%eax) 402d40: eb 6a jmp 402dac <_SmLookupSubsystem@20+0x357> 402d42: 83 ec 04 sub $0x4,%esp 402d45: 68 df 00 00 00 push $0xdf 402d4a: 68 c0 5a 40 00 push $0x405ac0 402d4f: 68 cc 5a 40 00 push $0x405acc 402d54: e8 87 0c 00 00 call 4039e0 <_DbgPrint> 402d59: 83 c4 10 add $0x10,%esp 402d5c: 83 ec 08 sub $0x8,%esp 402d5f: 68 dc 5b 40 00 push $0x405bdc 402d64: 68 00 5c 40 00 
push $0x405c00 402d69: e8 72 0c 00 00 call 4039e0 <_DbgPrint> 402d6e: 83 c4 10 add $0x10,%esp 402d71: c7 45 f0 0d 00 00 c0 movl $0xc000000d,0xfffffff0(%ebp) 402d78: eb 32 jmp 402dac <_SmLookupSubsystem@20+0x357> 402d7a: 83 ec 04 sub $0x4,%esp 402d7d: 68 e3 00 00 00 push $0xe3 402d82: 68 c0 5a 40 00 push $0x405ac0 402d87: 68 cc 5a 40 00 push $0x405acc 402d8c: e8 4f 0c 00 00 call 4039e0 <_DbgPrint> 402d91: 83 c4 10 add $0x10,%esp 402d94: 83 ec 04 sub $0x4,%esp 402d97: ff 75 f0 pushl 0xfffffff0(%ebp) 402d9a: 68 dc 5b 40 00 push $0x405bdc 402d9f: 68 40 5c 40 00 push $0x405c40 402da4: e8 37 0c 00 00 call 4039e0 <_DbgPrint> 402da9: 83 c4 10 add $0x10,%esp 402dac: 83 ec 0c sub $0xc,%esp 402daf: ff 75 c4 pushl 0xffffffc4(%ebp) 402db2: e8 19 0c 00 00 call 4039d0 _NtClose@4 402db7: 83 c4 0c add $0xc,%esp 402dba: eb 32 jmp 402dee <_SmLookupSubsystem@20+0x399> 402dbc: 83 ec 04 sub $0x4,%esp 402dbf: 68 e7 00 00 00 push $0xe7 402dc4: 68 c0 5a 40 00 push $0x405ac0 402dc9: 68 cc 5a 40 00 push $0x405acc 402dce: e8 0d 0c 00 00 call 4039e0 <_DbgPrint> 402dd3: 83 c4 10 add $0x10,%esp 402dd6: 83 ec 04 sub $0x4,%esp 402dd9: ff 75 f0 pushl 0xfffffff0(%ebp) 402ddc: 68 dc 5b 40 00 push $0x405bdc 402de1: 68 80 5c 40 00 push $0x405c80 402de6: e8 f5 0b 00 00 call 4039e0 <_DbgPrint> 402deb: 83 c4 10 add $0x10,%esp 402dee: 8b 45 f0 mov 0xfffffff0(%ebp),%eax 402df1: 8b 7d fc mov 0xfffffffc(%ebp),%edi 402df4: c9 leave 402df5: c2 14 00 ret $0x14
00402df8 <@SmExecPgm@4>: 402df8: 55 push %ebp 402df9: 89 e5 mov %esp,%ebp 402dfb: 57 push %edi 402dfc: 53 push %ebx 402dfd: 81 ec b0 04 00 00 sub $0x4b0,%esp 402e03: 89 4d f4 mov %ecx,0xfffffff4(%ebp) 402e06: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp) 402e0d: c7 45 94 00 00 00 00 movl $0x0,0xffffff94(%ebp) 402e14: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 402e18: 75 3e jne 402e58 <@SmExecPgm@4+0x60> 402e1a: 83 ec 04 sub $0x4,%esp 402e1d: 68 fa 00 00 00 push $0xfa 402e22: 68 c0 5a 40 00 push $0x405ac0 402e27: 68 cc 5a 40 00 push $0x405acc 402e2c: e8 af 0b 00 00 call 4039e0 <_DbgPrint> 402e31: 83 c4 10 add $0x10,%esp 402e34: 83 ec 08 sub $0x8,%esp 402e37: 68 a7 5c 40 00 push $0x405ca7 402e3c: 68 b1 5c 40 00 push $0x405cb1 402e41: e8 9a 0b 00 00 call 4039e0 <_DbgPrint> 402e46: 83 c4 10 add $0x10,%esp 402e49: c7 85 54 fb ff ff 0d movl $0xc000000d,0xfffffb54(%ebp) 402e50: 00 00 c0 402e53: e9 57 01 00 00 jmp 402faf <@SmExecPgm@4+0x1b7> 402e58: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 402e5b: 83 c0 20 add $0x20,%eax 402e5e: 89 45 f0 mov %eax,0xfffffff0(%ebp) 402e61: 8b 45 f0 mov 0xfffffff0(%ebp),%eax 402e64: 83 38 00 cmpl $0x0,(%eax) 402e67: 0f 84 28 01 00 00 je 402f95 <@SmExecPgm@4+0x19d> 402e6d: 8b 45 f0 mov 0xfffffff0(%ebp),%eax 402e70: 83 38 20 cmpl $0x20,(%eax) 402e73: 0f 87 1c 01 00 00 ja 402f95 <@SmExecPgm@4+0x19d> 402e79: 83 ec 08 sub $0x8,%esp 402e7c: 6a 42 push $0x42 402e7e: 8d 45 98 lea 0xffffff98(%ebp),%eax 402e81: 50 push %eax 402e82: e8 99 0b 00 00 call 403a20 _RtlZeroMemory@8 402e87: 83 c4 08 add $0x8,%esp 402e8a: 83 ec 04 sub $0x4,%esp 402e8d: 8b 45 f0 mov 0xfffffff0(%ebp),%eax 402e90: 8b 00 mov (%eax),%eax 402e92: 01 c0 add %eax,%eax 402e94: 50 push %eax 402e95: 8b 45 f0 mov 0xfffffff0(%ebp),%eax 402e98: 83 c0 04 add $0x4,%eax 402e9b: 50 push %eax 402e9c: 8d 45 98 lea 0xffffff98(%ebp),%eax 402e9f: 50 push %eax 402ea0: e8 fb 0b 00 00 call 403aa0 <_memcpy> 402ea5: 83 c4 10 add $0x10,%esp 402ea8: 83 ec 08 sub $0x8,%esp 402eab: 8d 45 98 lea 0xffffff98(%ebp),%eax 
402eae: 50 push %eax 402eaf: 68 cc 5c 40 00 push $0x405ccc 402eb4: e8 67 0c 00 00 call 403b20 <__wcsicmp> 402eb9: 83 c4 10 add $0x10,%esp 402ebc: 85 c0 test %eax,%eax 402ebe: 75 10 jne 402ed0 <@SmExecPgm@4+0xd8> 402ec0: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx 402ec3: e8 0a 07 00 00 call 4035d2 <_SmInitializeDbgSs> 402ec8: 89 43 1c mov %eax,0x1c(%ebx) 402ecb: e9 d6 00 00 00 jmp 402fa6 <@SmExecPgm@4+0x1ae> 402ed0: 8d bd 78 fd ff ff lea 0xfffffd78(%ebp),%edi 402ed6: fc cld 402ed7: b9 0a 02 00 00 mov $0x20a,%ecx 402edc: b0 00 mov $0x0,%al 402ede: f3 aa repz stos %al,%es:(%edi) 402ee0: c7 85 74 fd ff ff 0a movl $0x20a,0xfffffd74(%ebp) 402ee7: 02 00 00 402eea: c7 85 70 fd ff ff 02 movl $0x2,0xfffffd70(%ebp) 402ef1: 00 00 00 402ef4: 83 ec 0c sub $0xc,%esp 402ef7: 6a 01 push $0x1 402ef9: 8d 85 70 fd ff ff lea 0xfffffd70(%ebp),%eax 402eff: 50 push %eax 402f00: 8d 85 74 fd ff ff lea 0xfffffd74(%ebp),%eax 402f06: 50 push %eax 402f07: 8d 85 78 fd ff ff lea 0xfffffd78(%ebp),%eax 402f0d: 50 push %eax 402f0e: 8d 45 98 lea 0xffffff98(%ebp),%eax 402f11: 50 push %eax 402f12: e8 3e fb ff ff call 402a55 _SmLookupSubsystem@20 402f17: 83 c4 0c add $0xc,%esp 402f1a: 89 45 94 mov %eax,0xffffff94(%ebp) 402f1d: 83 7d 94 00 cmpl $0x0,0xffffff94(%ebp) 402f21: 78 67 js 402f8a <@SmExecPgm@4+0x192> 402f23: 8d bd 58 fb ff ff lea 0xfffffb58(%ebp),%edi 402f29: fc cld 402f2a: b9 0a 02 00 00 mov $0x20a,%ecx 402f2f: b0 00 mov $0x0,%al 402f31: f3 aa repz stos %al,%es:(%edi) 402f33: 83 ec 08 sub $0x8,%esp 402f36: 68 d8 5c 40 00 push $0x405cd8 402f3b: 8d 85 58 fb ff ff lea 0xfffffb58(%ebp),%eax 402f41: 50 push %eax 402f42: e8 f9 0a 00 00 call 403a40 <_wcscpy> 402f47: 83 c4 10 add $0x10,%esp 402f4a: 83 ec 08 sub $0x8,%esp 402f4d: 8d 85 78 fd ff ff lea 0xfffffd78(%ebp),%eax 402f53: 50 push %eax 402f54: 8d 85 58 fb ff ff lea 0xfffffb58(%ebp),%eax 402f5a: 50 push %eax 402f5b: e8 20 0b 00 00 call 403a80 <_wcscat> 402f60: 83 c4 10 add $0x10,%esp 402f63: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx 402f66: 83 ec 08 sub 
$0x8,%esp 402f69: 6a 00 push $0x0 402f6b: 6a 00 push $0x0 402f6d: 6a 00 push $0x0 402f6f: 6a 00 push $0x0 402f71: 68 e2 5c 40 00 push $0x405ce2 402f76: 8d 85 58 fb ff ff lea 0xfffffb58(%ebp),%eax 402f7c: 50 push %eax 402f7d: e8 3e f9 ff ff call 4028c0 _SmCreateUserProcess@24 402f82: 83 c4 08 add $0x8,%esp 402f85: 89 43 1c mov %eax,0x1c(%ebx) 402f88: eb 1c jmp 402fa6 <@SmExecPgm@4+0x1ae> 402f8a: 8b 55 f4 mov 0xfffffff4(%ebp),%edx 402f8d: 8b 45 94 mov 0xffffff94(%ebp),%eax 402f90: 89 42 1c mov %eax,0x1c(%edx) 402f93: eb 11 jmp 402fa6 <@SmExecPgm@4+0x1ae> 402f95: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 402f98: c7 45 94 0d 00 00 c0 movl $0xc000000d,0xffffff94(%ebp) 402f9f: c7 40 1c 0d 00 00 c0 movl $0xc000000d,0x1c(%eax) 402fa6: 8b 45 94 mov 0xffffff94(%ebp),%eax 402fa9: 89 85 54 fb ff ff mov %eax,0xfffffb54(%ebp) 402faf: 8b 85 54 fb ff ff mov 0xfffffb54(%ebp),%eax 402fb5: 8d 65 f8 lea 0xfffffff8(%ebp),%esp 402fb8: 5b pop %ebx 402fb9: 5f pop %edi 402fba: 5d pop %ebp 402fbb: c3 ret 402fbc: 90 nop 402fbd: 90 nop 402fbe: 90 nop 402fbf: 90 nop
00402fc0 <@SmQryInfo@4>: 402fc0: 55 push %ebp 402fc1: 89 e5 mov %esp,%ebp 402fc3: 83 ec 08 sub $0x8,%esp 402fc6: 89 4d fc mov %ecx,0xfffffffc(%ebp) 402fc9: c7 45 f8 00 00 00 00 movl $0x0,0xfffffff8(%ebp) 402fd0: 8b 45 fc mov 0xfffffffc(%ebp),%eax 402fd3: c7 40 1c 02 00 00 c0 movl $0xc0000002,0x1c(%eax) 402fda: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 402fdd: c9 leave 402fde: c3 ret 402fdf: 90 nop
00402fe0 <_SmInitializeClientManagement>: 402fe0: 55 push %ebp 402fe1: 89 e5 mov %esp,%ebp 402fe3: 83 ec 08 sub $0x8,%esp 402fe6: 83 ec 0c sub $0xc,%esp 402fe9: 68 60 60 40 00 push $0x406060 402fee: e8 7d 0c 00 00 call 403c70 _RtlInitializeCriticalSection@4 402ff3: 83 c4 0c add $0xc,%esp 402ff6: c7 05 78 60 40 00 00 movl $0x0,0x406078 402ffd: 00 00 00 403000: c7 05 7c 60 40 00 00 movl $0x0,0x40607c 403007: 00 00 00 40300a: b8 00 00 00 00 mov $0x0,%eax 40300f: c9 leave 403010: c3 ret
00403011 _SmCompleteClientInitialization@4: 403011: 55 push %ebp 403012: 89 e5 mov %esp,%ebp 403014: 83 ec 08 sub $0x8,%esp 403017: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp) 40301e: c7 45 f8 00 00 00 00 movl $0x0,0xfffffff8(%ebp) 403025: 83 ec 0c sub $0xc,%esp 403028: 68 60 60 40 00 push $0x406060 40302d: e8 4e 0c 00 00 call 403c80 _RtlEnterCriticalSection@4 403032: 83 c4 0c add $0xc,%esp 403035: 83 3d 78 60 40 00 00 cmpl $0x0,0x406078 40303c: 74 3c je 40307a <_SmCompleteClientInitialization@4+0x69> 40303e: a1 7c 60 40 00 mov 0x40607c,%eax 403043: 89 45 f8 mov %eax,0xfffffff8(%ebp) 403046: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 40304a: 75 02 jne 40304e <_SmCompleteClientInitialization@4+0x3d> 40304c: eb 25 jmp 403073 <_SmCompleteClientInitialization@4+0x62> 40304e: 8b 55 f8 mov 0xfffffff8(%ebp),%edx 403051: 8b 45 08 mov 0x8(%ebp),%eax 403054: 3b 42 08 cmp 0x8(%edx),%eax 403057: 75 0c jne 403065 <_SmCompleteClientInitialization@4+0x54> 403059: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 40305c: c7 40 04 01 00 00 00 movl $0x1,0x4(%eax) 403063: eb 0e jmp 403073 <_SmCompleteClientInitialization@4+0x62> 403065: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 403068: 8b 80 08 01 00 00 mov 0x108(%eax),%eax 40306e: 89 45 f8 mov %eax,0xfffffff8(%ebp) 403071: eb d3 jmp 403046 <_SmCompleteClientInitialization@4+0x35> 403073: c7 45 fc 25 02 00 c0 movl $0xc0000225,0xfffffffc(%ebp) 40307a: 83 ec 0c sub $0xc,%esp 40307d: 68 60 60 40 00 push $0x406060 403082: e8 09 0c 00 00 call 403c90 _RtlLeaveCriticalSection@4 403087: 83 c4 0c add $0xc,%esp 40308a: 8b 45 fc mov 0xfffffffc(%ebp),%eax 40308d: c9 leave 40308e: c2 04 00 ret $0x4
00403091 <@SmpLookupClientUnsafe@8>: 403091: 55 push %ebp 403092: 89 e5 mov %esp,%ebp 403094: 83 ec 0c sub $0xc,%esp 403097: 89 55 f8 mov %edx,0xfffffff8(%ebp) 40309a: 66 89 4d fe mov %cx,0xfffffffe(%ebp) 40309e: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 4030a5: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 4030a9: 74 09 je 4030b4 <@SmpLookupClientUnsafe@8+0x23> 4030ab: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 4030ae: c7 00 00 00 00 00 movl $0x0,(%eax) 4030b4: 83 3d 78 60 40 00 00 cmpl $0x0,0x406078 4030bb: 74 3a je 4030f7 <@SmpLookupClientUnsafe@8+0x66> 4030bd: a1 7c 60 40 00 mov 0x40607c,%eax 4030c2: 89 45 f4 mov %eax,0xfffffff4(%ebp) 4030c5: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 4030c9: 75 02 jne 4030cd <@SmpLookupClientUnsafe@8+0x3c> 4030cb: eb 2a jmp 4030f7 <@SmpLookupClientUnsafe@8+0x66> 4030cd: 8b 55 f4 mov 0xfffffff4(%ebp),%edx 4030d0: 66 8b 45 fe mov 0xfffffffe(%ebp),%ax 4030d4: 66 3b 02 cmp (%edx),%ax 4030d7: 75 02 jne 4030db <@SmpLookupClientUnsafe@8+0x4a> 4030d9: eb 1c jmp 4030f7 <@SmpLookupClientUnsafe@8+0x66> 4030db: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 4030df: 74 08 je 4030e9 <@SmpLookupClientUnsafe@8+0x58> 4030e1: 8b 55 f8 mov 0xfffffff8(%ebp),%edx 4030e4: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 4030e7: 89 02 mov %eax,(%edx) 4030e9: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 4030ec: 8b 80 08 01 00 00 mov 0x108(%eax),%eax 4030f2: 89 45 f4 mov %eax,0xfffffff4(%ebp) 4030f5: eb ce jmp 4030c5 <@SmpLookupClientUnsafe@8+0x34> 4030f7: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 4030fa: c9 leave 4030fb: c3 ret
004030fc _SmpLookupClient@4: 4030fc: 55 push %ebp 4030fd: 89 e5 mov %esp,%ebp 4030ff: 83 ec 08 sub $0x8,%esp 403102: 8b 45 08 mov 0x8(%ebp),%eax 403105: 66 89 45 fe mov %ax,0xfffffffe(%ebp) 403109: c7 45 f8 00 00 00 00 movl $0x0,0xfffffff8(%ebp) 403110: 83 ec 0c sub $0xc,%esp 403113: 68 60 60 40 00 push $0x406060 403118: e8 63 0b 00 00 call 403c80 _RtlEnterCriticalSection@4 40311d: 83 c4 0c add $0xc,%esp 403120: 66 8b 45 fe mov 0xfffffffe(%ebp),%ax 403124: 89 c1 mov %eax,%ecx 403126: 81 e1 ff ff 00 00 and $0xffff,%ecx 40312c: ba 00 00 00 00 mov $0x0,%edx 403131: e8 5b ff ff ff call 403091 <@SmpLookupClientUnsafe@8> 403136: 89 45 f8 mov %eax,0xfffffff8(%ebp) 403139: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 40313d: 74 10 je 40314f <_SmpLookupClient@4+0x53> 40313f: 83 ec 0c sub $0xc,%esp 403142: 68 60 60 40 00 push $0x406060 403147: e8 44 0b 00 00 call 403c90 _RtlLeaveCriticalSection@4 40314c: 83 c4 0c add $0xc,%esp 40314f: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 403152: c9 leave 403153: c2 04 00 ret $0x4
00403156 _SmCreateClient@8: 403156: 55 push %ebp 403157: 89 e5 mov %esp,%ebp 403159: 83 ec 18 sub $0x18,%esp 40315c: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp) 403163: 8b 4d 08 mov 0x8(%ebp),%ecx 403166: e8 2f f1 ff ff call 40229a <@SmpGetConnectData@4> 40316b: 89 45 f8 mov %eax,0xfffffff8(%ebp) 40316e: 8b 45 08 mov 0x8(%ebp),%eax 403171: 66 8b 00 mov (%eax),%ax 403174: 25 ff ff 00 00 and $0xffff,%eax 403179: 83 e8 04 sub $0x4,%eax 40317c: 89 45 f4 mov %eax,0xfffffff4(%ebp) 40317f: 83 ec 0c sub $0xc,%esp 403182: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 403185: 66 8b 00 mov (%eax),%ax 403188: 25 ff ff 00 00 and $0xffff,%eax 40318d: 50 push %eax 40318e: e8 69 ff ff ff call 4030fc _SmpLookupClient@4 403193: 83 c4 0c add $0xc,%esp 403196: 85 c0 test %eax,%eax 403198: 74 0c je 4031a6 <_SmCreateClient@8+0x50> 40319a: c7 45 ec 01 00 00 c0 movl $0xc0000001,0xffffffec(%ebp) 4031a1: e9 f2 00 00 00 jmp 403298 <_SmCreateClient@8+0x142> 4031a6: 83 ec 04 sub $0x4,%esp 4031a9: 68 0c 01 00 00 push $0x10c 4031ae: 6a 08 push $0x8 4031b0: ff 35 10 60 40 00 pushl 0x406010 4031b6: e8 e5 0a 00 00 call 403ca0 _RtlAllocateHeap@12 4031bb: 83 c4 04 add $0x4,%esp 4031be: 89 45 fc mov %eax,0xfffffffc(%ebp) 4031c1: 83 7d fc 00 cmpl $0x0,0xfffffffc(%ebp) 4031c5: 75 0c jne 4031d3 <_SmCreateClient@8+0x7d> 4031c7: c7 45 ec 17 00 00 c0 movl $0xc0000017,0xffffffec(%ebp) 4031ce: e9 c5 00 00 00 jmp 403298 <_SmCreateClient@8+0x142> 4031d3: 8b 55 fc mov 0xfffffffc(%ebp),%edx 4031d6: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 4031d9: 66 8b 00 mov (%eax),%ax 4031dc: 66 89 02 mov %ax,(%edx) 4031df: 8b 55 fc mov 0xfffffffc(%ebp),%edx 4031e2: 8b 45 fc mov 0xfffffffc(%ebp),%eax 4031e5: 66 83 38 01 cmpw $0x1,(%eax) 4031e9: 0f 94 c0 sete %al 4031ec: 25 ff 00 00 00 and $0xff,%eax 4031f1: 89 42 04 mov %eax,0x4(%edx) 4031f4: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 4031f8: 74 1c je 403216 <_SmCreateClient@8+0xc0> 4031fa: 83 ec 04 sub $0x4,%esp 4031fd: ff 75 f4 pushl 0xfffffff4(%ebp) 403200: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 
403203: 83 c0 04 add $0x4,%eax 403206: 50 push %eax 403207: 8b 45 fc mov 0xfffffffc(%ebp),%eax 40320a: 83 c0 18 add $0x18,%eax 40320d: 50 push %eax 40320e: e8 8d 08 00 00 call 403aa0 <_memcpy> 403213: 83 c4 10 add $0x10,%esp * client directory. */ if (NULL == SmpClientDirectory.Client) 403216: 83 3d 7c 60 40 00 00 cmpl $0x0,0x40607c 40321d: 75 0a jne 403229 <_SmCreateClient@8+0xd3> { SmpClientDirectory.Client = pClient; 40321f: 8b 45 fc mov 0xfffffffc(%ebp),%eax 403222: a3 7c 60 40 00 mov %eax,0x40607c 403227: eb 37 jmp 403260 <_SmCreateClient@8+0x10a> } else { PSM_CLIENT_DATA pCD = NULL; 403229: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp)
for (pCD=SmpClientDirectory.Client; 403230: a1 7c 60 40 00 mov 0x40607c,%eax 403235: 89 45 f0 mov %eax,0xfffffff0(%ebp) 403238: 8b 45 f0 mov 0xfffffff0(%ebp),%eax 40323b: 83 b8 08 01 00 00 00 cmpl $0x0,0x108(%eax) 403242: 75 02 jne 403246 <_SmCreateClient@8+0xf0> 403244: eb 0e jmp 403254 <_SmCreateClient@8+0xfe> 403246: 8b 45 f0 mov 0xfffffff0(%ebp),%eax 403249: 8b 80 08 01 00 00 mov 0x108(%eax),%eax 40324f: 89 45 f0 mov %eax,0xfffffff0(%ebp) 403252: eb e4 jmp 403238 <_SmCreateClient@8+0xe2> (NULL != pCD->Next); pCD = pCD->Next); pCD->Next = pClient; 403254: 8b 55 f0 mov 0xfffffff0(%ebp),%edx 403257: 8b 45 fc mov 0xfffffffc(%ebp),%eax 40325a: 89 82 08 01 00 00 mov %eax,0x108(%edx) } pClient->Next = NULL; 403260: 8b 45 fc mov 0xfffffffc(%ebp),%eax 403263: c7 80 08 01 00 00 00 movl $0x0,0x108(%eax) 40326a: 00 00 00 ++ SmpClientDirectory.Count; 40326d: ff 05 78 60 40 00 incl 0x406078 /* * Note we unlock the client directory here, because * it was locked by SmpLookupClient on failure. */ RtlLeaveCriticalSection (& SmpClientDirectory.Lock); 403273: 83 ec 0c sub $0xc,%esp 403276: 68 60 60 40 00 push $0x406060 40327b: e8 10 0a 00 00 call 403c90 _RtlLeaveCriticalSection@4 403280: 83 c4 0c add $0xc,%esp if (ClientData) 403283: 83 7d 0c 00 cmpl $0x0,0xc(%ebp) 403287: 74 08 je 403291 <_SmCreateClient@8+0x13b> { *ClientData = pClient; 403289: 8b 55 0c mov 0xc(%ebp),%edx 40328c: 8b 45 fc mov 0xfffffffc(%ebp),%eax 40328f: 89 02 mov %eax,(%edx) } return STATUS_SUCCESS; 403291: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) } 403298: 8b 45 ec mov 0xffffffec(%ebp),%eax 40329b: c9 leave 40329c: c2 08 00 ret $0x8
0040329f _SmDestroyClient@4:
/********************************************************************** * SmpDestroyClient/1 * * 1. close any handle * 2. kill client process * 3. release resources */ NTSTATUS STDCALL SmDestroyClient (ULONG SubsystemId) { 40329f: 55 push %ebp 4032a0: 89 e5 mov %esp,%ebp 4032a2: 83 ec 18 sub $0x18,%esp NTSTATUS Status = STATUS_SUCCESS; 4032a5: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp) PSM_CLIENT_DATA Parent = NULL; 4032ac: c7 45 f8 00 00 00 00 movl $0x0,0xfffffff8(%ebp) PSM_CLIENT_DATA Client = NULL; 4032b3: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp)
DPRINT("SM: %s called\n", __FUNCTION__);
RtlEnterCriticalSection (& SmpClientDirectory.Lock); 4032ba: 83 ec 0c sub $0xc,%esp 4032bd: 68 60 60 40 00 push $0x406060 4032c2: e8 b9 09 00 00 call 403c80 _RtlEnterCriticalSection@4 4032c7: 83 c4 0c add $0xc,%esp Client = SmpLookupClientUnsafe (SubsystemId, & Parent); 4032ca: 8d 55 f8 lea 0xfffffff8(%ebp),%edx 4032cd: 8b 45 08 mov 0x8(%ebp),%eax 4032d0: 89 c1 mov %eax,%ecx 4032d2: 81 e1 ff ff 00 00 and $0xffff,%ecx 4032d8: e8 b4 fd ff ff call 403091 <@SmpLookupClientUnsafe@8> 4032dd: 89 45 f4 mov %eax,0xfffffff4(%ebp) if(NULL == Client) 4032e0: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 4032e4: 75 3e jne 403324 <_SmDestroyClient@4+0x85> { DPRINT1("SM: %s: del req for non existent subsystem (id=%d)\n", 4032e6: 83 ec 04 sub $0x4,%esp 4032e9: 68 fa 00 00 00 push $0xfa 4032ee: 68 00 5d 40 00 push $0x405d00 4032f3: 68 09 5d 40 00 push $0x405d09 4032f8: e8 e3 06 00 00 call 4039e0 <_DbgPrint> 4032fd: 83 c4 10 add $0x10,%esp 403300: 83 ec 04 sub $0x4,%esp 403303: ff 75 08 pushl 0x8(%ebp) 403306: 68 12 5d 40 00 push $0x405d12 40330b: 68 40 5d 40 00 push $0x405d40 403310: e8 cb 06 00 00 call 4039e0 <_DbgPrint> 403315: 83 c4 10 add $0x10,%esp __FUNCTION__, SubsystemId); Status = STATUS_NOT_FOUND; 403318: c7 45 fc 25 02 00 c0 movl $0xc0000225,0xfffffffc(%ebp) 40331f: e9 82 00 00 00 jmp 4033a6 <_SmDestroyClient@4+0x107> } else { /* 1st in the list? 
*/ if(NULL == Parent) 403324: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 403328: 75 10 jne 40333a <_SmDestroyClient@4+0x9b> { SmpClientDirectory.Client = Client->Next; 40332a: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 40332d: 8b 80 08 01 00 00 mov 0x108(%eax),%eax 403333: a3 7c 60 40 00 mov %eax,0x40607c 403338: eb 50 jmp 40338a <_SmDestroyClient@4+0xeb> } else { if(NULL != Parent) 40333a: 83 7d f8 00 cmpl $0x0,0xfffffff8(%ebp) 40333e: 74 14 je 403354 <_SmDestroyClient@4+0xb5> { Parent->Next = Client->Next; 403340: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 403343: 8b 55 f4 mov 0xfffffff4(%ebp),%edx 403346: 8b 92 08 01 00 00 mov 0x108(%edx),%edx 40334c: 89 90 08 01 00 00 mov %edx,0x108(%eax) 403352: eb 36 jmp 40338a <_SmDestroyClient@4+0xeb> } else { DPRINT1("SM: %s: n-th has no parent!\n", __FUNCTION__); 403354: 83 ec 04 sub $0x4,%esp 403357: 68 0b 01 00 00 push $0x10b 40335c: 68 00 5d 40 00 push $0x405d00 403361: 68 09 5d 40 00 push $0x405d09 403366: e8 75 06 00 00 call 4039e0 <_DbgPrint> 40336b: 83 c4 10 add $0x10,%esp 40336e: 83 ec 08 sub $0x8,%esp 403371: 68 12 5d 40 00 push $0x405d12 403376: 68 74 5d 40 00 push $0x405d74 40337b: e8 60 06 00 00 call 4039e0 <_DbgPrint> 403380: 83 c4 10 add $0x10,%esp Status = STATUS_UNSUCCESSFUL; /* FIXME */ 403383: c7 45 fc 01 00 00 c0 movl $0xc0000001,0xfffffffc(%ebp) } } /* TODO: send shutdown or kill */ RtlFreeHeap (SmpHeap, 0, Client); 40338a: 83 ec 04 sub $0x4,%esp 40338d: ff 75 f4 pushl 0xfffffff4(%ebp) 403390: 6a 00 push $0x0 403392: ff 35 10 60 40 00 pushl 0x406010 403398: e8 13 09 00 00 call 403cb0 _RtlFreeHeap@12 40339d: 83 c4 04 add $0x4,%esp -- SmpClientDirectory.Count; 4033a0: ff 0d 78 60 40 00 decl 0x406078 } RtlLeaveCriticalSection (& SmpClientDirectory.Lock); 4033a6: 83 ec 0c sub $0xc,%esp 4033a9: 68 60 60 40 00 push $0x406060 4033ae: e8 dd 08 00 00 call 403c90 _RtlLeaveCriticalSection@4 4033b3: 83 c4 0c add $0xc,%esp return Status; 4033b6: 8b 45 fc mov 0xfffffffc(%ebp),%eax } 4033b9: c9 leave 4033ba: c2 04 00 ret $0x4 4033bd: 90 
nop 4033be: 90 nop 4033bf: 90 nop
004033c0 _DbgSsApiPortThread@4: 4033c0: 55 push %ebp 4033c1: 89 e5 mov %esp,%ebp 4033c3: 57 push %edi 4033c4: 81 ec 64 01 00 00 sub $0x164,%esp 4033ca: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 4033d1: 8d bd 98 fe ff ff lea 0xfffffe98(%ebp),%edi 4033d7: fc cld 4033d8: ba 00 00 00 00 mov $0x0,%edx 4033dd: b8 52 00 00 00 mov $0x52,%eax 4033e2: 89 c1 mov %eax,%ecx 4033e4: 89 d0 mov %edx,%eax 4033e6: f3 ab repz stos %eax,%es:(%edi) 4033e8: 83 ec 08 sub $0x8,%esp 4033eb: 8d 85 98 fe ff ff lea 0xfffffe98(%ebp),%eax 4033f1: 50 push %eax 4033f2: ff 35 50 60 40 00 pushl 0x406050 4033f8: e8 e3 07 00 00 call 403be0 _NtListenPort@8 4033fd: 83 c4 08 add $0x8,%esp 403400: 89 45 f4 mov %eax,0xfffffff4(%ebp) 403403: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 403407: 79 df jns 4033e8 <_DbgSsApiPortThread@4+0x28> 403409: 83 ec 04 sub $0x4,%esp 40340c: 6a 35 push $0x35 40340e: 68 a0 5d 40 00 push $0x405da0 403413: 68 a8 5d 40 00 push $0x405da8 403418: e8 c3 05 00 00 call 4039e0 <_DbgPrint> 40341d: 83 c4 10 add $0x10,%esp 403420: 83 ec 04 sub $0x4,%esp 403423: ff 75 f4 pushl 0xfffffff4(%ebp) 403426: 68 b1 5d 40 00 push $0x405db1 40342b: 68 e0 5d 40 00 push $0x405de0 403430: e8 ab 05 00 00 call 4039e0 <_DbgPrint> 403435: 83 c4 10 add $0x10,%esp 403438: 83 ec 08 sub $0x8,%esp 40343b: ff 75 f4 pushl 0xfffffff4(%ebp) 40343e: 6a fe push $0xfffffffe 403440: e8 3b 05 00 00 call 403980 _NtTerminateThread@8 403445: 83 c4 08 add $0x8,%esp 403448: 8b 7d fc mov 0xfffffffc(%ebp),%edi 40344b: c9 leave 40344c: c2 04 00 ret $0x4
0040344f _DbgUiApiPortThread@4: 40344f: 55 push %ebp 403450: 89 e5 mov %esp,%ebp 403452: 57 push %edi 403453: 81 ec 64 01 00 00 sub $0x164,%esp 403459: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 403460: 8d bd 98 fe ff ff lea 0xfffffe98(%ebp),%edi 403466: fc cld 403467: ba 00 00 00 00 mov $0x0,%edx 40346c: b8 52 00 00 00 mov $0x52,%eax 403471: 89 c1 mov %eax,%ecx 403473: 89 d0 mov %edx,%eax 403475: f3 ab repz stos %eax,%es:(%edi) 403477: 83 ec 08 sub $0x8,%esp 40347a: 8d 85 98 fe ff ff lea 0xfffffe98(%ebp),%eax 403480: 50 push %eax 403481: ff 35 54 60 40 00 pushl 0x406054 403487: e8 54 07 00 00 call 403be0 _NtListenPort@8 40348c: 83 c4 08 add $0x8,%esp 40348f: 89 45 f4 mov %eax,0xfffffff4(%ebp) 403492: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 403496: 79 df jns 403477 <_DbgUiApiPortThread@4+0x28> 403498: 83 ec 04 sub $0x4,%esp 40349b: 6a 48 push $0x48 40349d: 68 a0 5d 40 00 push $0x405da0 4034a2: 68 a8 5d 40 00 push $0x405da8 4034a7: e8 34 05 00 00 call 4039e0 <_DbgPrint> 4034ac: 83 c4 10 add $0x10,%esp 4034af: 83 ec 04 sub $0x4,%esp 4034b2: ff 75 f4 pushl 0xfffffff4(%ebp) 4034b5: 68 11 5e 40 00 push $0x405e11 4034ba: 68 e0 5d 40 00 push $0x405de0 4034bf: e8 1c 05 00 00 call 4039e0 <_DbgPrint> 4034c4: 83 c4 10 add $0x10,%esp 4034c7: 83 ec 08 sub $0x8,%esp 4034ca: ff 75 f4 pushl 0xfffffff4(%ebp) 4034cd: 6a fe push $0xfffffffe 4034cf: e8 ac 04 00 00 call 403980 _NtTerminateThread@8 4034d4: 83 c4 08 add $0x8,%esp 4034d7: 8b 7d fc mov 0xfffffffc(%ebp),%edi 4034da: c9 leave 4034db: c2 04 00 ret $0x4
004034de _SmpCreatePT@28: 4034de: 55 push %ebp 4034df: 89 e5 mov %esp,%ebp 4034e1: 83 ec 58 sub $0x58,%esp 4034e4: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 4034eb: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp) 4034f2: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) 4034f9: c7 45 c4 00 00 00 00 movl $0x0,0xffffffc4(%ebp) 403500: c7 45 b8 00 00 00 00 movl $0x0,0xffffffb8(%ebp) 403507: c7 45 bc 00 00 00 00 movl $0x0,0xffffffbc(%ebp) 40350e: 83 ec 08 sub $0x8,%esp 403511: ff 75 0c pushl 0xc(%ebp) 403514: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 403517: 50 push %eax 403518: e8 73 04 00 00 call 403990 _RtlInitUnicodeString@8 40351d: 83 c4 08 add $0x8,%esp 403520: c7 45 c8 18 00 00 00 movl $0x18,0xffffffc8(%ebp) 403527: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 40352a: 89 45 d0 mov %eax,0xffffffd0(%ebp) 40352d: c7 45 d4 01 00 00 00 movl $0x1,0xffffffd4(%ebp) 403534: c7 45 cc 00 00 00 00 movl $0x0,0xffffffcc(%ebp) 40353b: c7 45 d8 00 00 00 00 movl $0x0,0xffffffd8(%ebp) 403542: c7 45 dc 00 00 00 00 movl $0x0,0xffffffdc(%ebp) 403549: 83 ec 0c sub $0xc,%esp 40354c: ff 75 18 pushl 0x18(%ebp) 40354f: ff 75 14 pushl 0x14(%ebp) 403552: ff 75 10 pushl 0x10(%ebp) 403555: 8d 45 c8 lea 0xffffffc8(%ebp),%eax 403558: 50 push %eax 403559: ff 75 08 pushl 0x8(%ebp) 40355c: e8 8f 06 00 00 call 403bf0 _NtCreatePort@20 403561: 83 c4 0c add $0xc,%esp 403564: 89 45 f4 mov %eax,0xfffffff4(%ebp) 403567: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 40356b: 74 08 je 403575 <_SmpCreatePT@28+0x97> 40356d: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 403570: 89 45 b4 mov %eax,0xffffffb4(%ebp) 403573: eb 56 jmp 4035cb <_SmpCreatePT@28+0xed> 403575: 83 ec 08 sub $0x8,%esp 403578: 8d 45 b8 lea 0xffffffb8(%ebp),%eax 40357b: 50 push %eax 40357c: 8d 45 c4 lea 0xffffffc4(%ebp),%eax 40357f: 50 push %eax 403580: ff 75 08 pushl 0x8(%ebp) 403583: ff 75 1c pushl 0x1c(%ebp) 403586: 6a 00 push $0x0 403588: 6a 00 push $0x0 40358a: 6a 00 push $0x0 40358c: 6a 00 push $0x0 40358e: 6a 00 push $0x0 403590: 6a ff push $0xffffffff 403592: e8 
39 06 00 00 call 403bd0 _RtlCreateUserThread@40 403597: 83 c4 08 add $0x8,%esp 40359a: 83 7d c4 00 cmpl $0x0,0xffffffc4(%ebp) 40359e: 75 17 jne 4035b7 <_SmpCreatePT@28+0xd9> 4035a0: 83 ec 0c sub $0xc,%esp 4035a3: 8b 45 08 mov 0x8(%ebp),%eax 4035a6: ff 30 pushl (%eax) 4035a8: e8 23 04 00 00 call 4039d0 _NtClose@4 4035ad: 83 c4 0c add $0xc,%esp 4035b0: c7 45 f4 01 00 00 c0 movl $0xc0000001,0xfffffff4(%ebp) 4035b7: 83 7d 20 00 cmpl $0x0,0x20(%ebp) 4035bb: 74 08 je 4035c5 <_SmpCreatePT@28+0xe7> 4035bd: 8b 55 20 mov 0x20(%ebp),%edx 4035c0: 8b 45 c4 mov 0xffffffc4(%ebp),%eax 4035c3: 89 02 mov %eax,(%edx) 4035c5: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 4035c8: 89 45 b4 mov %eax,0xffffffb4(%ebp) 4035cb: 8b 45 b4 mov 0xffffffb4(%ebp),%eax 4035ce: c9 leave 4035cf: c2 1c 00 ret $0x1c
004035d2 <_SmInitializeDbgSs>: 4035d2: 55 push %ebp 4035d3: 89 e5 mov %esp,%ebp 4035d5: 83 ec 18 sub $0x18,%esp 4035d8: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp) 4035df: c7 45 f8 00 00 00 00 movl $0x0,0xfffffff8(%ebp) 4035e6: 83 ec 04 sub $0x4,%esp 4035e9: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 4035ec: 50 push %eax 4035ed: 68 c0 33 40 00 push $0x4033c0 4035f2: 6a 00 push $0x0 4035f4: 6a 00 push $0x0 4035f6: 6a 00 push $0x0 4035f8: 68 24 5e 40 00 push $0x405e24 4035fd: 68 50 60 40 00 push $0x406050 403602: e8 d7 fe ff ff call 4034de _SmpCreatePT@28 403607: 83 c4 04 add $0x4,%esp 40360a: 89 45 fc mov %eax,0xfffffffc(%ebp) 40360d: 83 7d fc 00 cmpl $0x0,0xfffffffc(%ebp) 403611: 79 08 jns 40361b <_SmInitializeDbgSs+0x49> 403613: 8b 45 fc mov 0xfffffffc(%ebp),%eax 403616: 89 45 f4 mov %eax,0xfffffff4(%ebp) 403619: eb 59 jmp 403674 <_SmInitializeDbgSs+0xa2> 40361b: 83 ec 04 sub $0x4,%esp 40361e: 6a 00 push $0x0 403620: 68 4f 34 40 00 push $0x40344f 403625: 6a 00 push $0x0 403627: 6a 00 push $0x0 403629: 6a 00 push $0x0 40362b: 68 40 5e 40 00 push $0x405e40 403630: 68 54 60 40 00 push $0x406054 403635: e8 a4 fe ff ff call 4034de _SmpCreatePT@28 40363a: 83 c4 04 add $0x4,%esp 40363d: 89 45 fc mov %eax,0xfffffffc(%ebp) 403640: 83 7d fc 00 cmpl $0x0,0xfffffffc(%ebp) 403644: 79 27 jns 40366d <_SmInitializeDbgSs+0x9b> 403646: 83 ec 0c sub $0xc,%esp 403649: ff 75 f8 pushl 0xfffffff8(%ebp) 40364c: e8 7f 03 00 00 call 4039d0 _NtClose@4 403651: 83 c4 0c add $0xc,%esp 403654: 83 ec 0c sub $0xc,%esp 403657: ff 35 50 60 40 00 pushl 0x406050 40365d: e8 6e 03 00 00 call 4039d0 _NtClose@4 403662: 83 c4 0c add $0xc,%esp 403665: 8b 45 fc mov 0xfffffffc(%ebp),%eax 403668: 89 45 f4 mov %eax,0xfffffff4(%ebp) 40366b: eb 07 jmp 403674 <_SmInitializeDbgSs+0xa2> 40366d: c7 45 f4 00 00 00 00 movl $0x0,0xfffffff4(%ebp) 403674: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 403677: c9 leave 403678: c3 ret 403679: 90 nop 40367a: 90 nop 40367b: 90 nop 40367c: 90 nop 40367d: 90 nop 40367e: 90 nop 40367f: 90 nop
00403680 _DisplayString@4: 403680: 55 push %ebp 403681: 89 e5 mov %esp,%ebp 403683: 83 ec 08 sub $0x8,%esp 403686: 83 ec 08 sub $0x8,%esp 403689: ff 75 08 pushl 0x8(%ebp) 40368c: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 40368f: 50 push %eax 403690: e8 fb 02 00 00 call 403990 _RtlInitUnicodeString@8 403695: 83 c4 08 add $0x8,%esp 403698: 83 ec 0c sub $0xc,%esp 40369b: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 40369e: 50 push %eax 40369f: e8 1c 06 00 00 call 403cc0 _ZwDisplayString@4 4036a4: 83 c4 0c add $0xc,%esp 4036a7: c9 leave 4036a8: c2 04 00 ret $0x4
004036ab _PrintString@0: 4036ab: 55 push %ebp 4036ac: 89 e5 mov %esp,%ebp 4036ae: 81 ec 28 02 00 00 sub $0x228,%esp 4036b4: 8d 45 0c lea 0xc(%ebp),%eax 4036b7: 89 85 f4 fd ff ff mov %eax,0xfffffdf4(%ebp) 4036bd: 83 ec 04 sub $0x4,%esp 4036c0: ff b5 f4 fd ff ff pushl 0xfffffdf4(%ebp) 4036c6: ff 75 08 pushl 0x8(%ebp) 4036c9: 8d 85 f8 fd ff ff lea 0xfffffdf8(%ebp),%eax 4036cf: 50 push %eax 4036d0: e8 2b 06 00 00 call 403d00 <_vsprintf> 4036d5: 83 c4 10 add $0x10,%esp 4036d8: 83 ec 08 sub $0x8,%esp 4036db: 8d 85 f8 fd ff ff lea 0xfffffdf8(%ebp),%eax 4036e1: 50 push %eax 4036e2: 8d 85 e0 fd ff ff lea 0xfffffde0(%ebp),%eax 4036e8: 50 push %eax 4036e9: e8 e2 05 00 00 call 403cd0 _RtlInitAnsiString@8 4036ee: 83 c4 08 add $0x8,%esp 4036f1: 83 ec 04 sub $0x4,%esp 4036f4: 6a 01 push $0x1 4036f6: 8d 85 e0 fd ff ff lea 0xfffffde0(%ebp),%eax 4036fc: 50 push %eax 4036fd: 8d 85 e8 fd ff ff lea 0xfffffde8(%ebp),%eax 403703: 50 push %eax 403704: e8 d7 05 00 00 call 403ce0 _RtlAnsiStringToUnicodeString@12 403709: 83 c4 04 add $0x4,%esp 40370c: 83 ec 0c sub $0xc,%esp 40370f: 8d 85 e8 fd ff ff lea 0xfffffde8(%ebp),%eax 403715: 50 push %eax 403716: e8 d5 05 00 00 call 403cf0 _NtDisplayString@4 40371b: 83 c4 0c add $0xc,%esp 40371e: 83 ec 0c sub $0xc,%esp 403721: 8d 85 e8 fd ff ff lea 0xfffffde8(%ebp),%eax 403727: 50 push %eax 403728: e8 13 04 00 00 call 403b40 _RtlFreeUnicodeString@4 40372d: 83 c4 0c add $0xc,%esp 403730: c9 leave 403731: c3 ret 403732: 90 nop 403733: 90 nop 403734: 90 nop 403735: 90 nop 403736: 90 nop 403737: 90 nop 403738: 90 nop 403739: 90 nop 40373a: 90 nop 40373b: 90 nop 40373c: 90 nop 40373d: 90 nop 40373e: 90 nop 40373f: 90 nop
00403740 _SmConnectApiPort@16: 403740: 55 push %ebp 403741: 89 e5 mov %esp,%ebp 403743: 57 push %edi 403744: 81 ec 44 01 00 00 sub $0x144,%esp 40374a: 8b 45 10 mov 0x10(%ebp),%eax 40374d: 66 89 45 f6 mov %ax,0xfffffff6(%ebp) 403751: c7 45 d4 00 00 00 00 movl $0x0,0xffffffd4(%ebp) 403758: 8d bd c8 fe ff ff lea 0xfffffec8(%ebp),%edi 40375e: fc cld 40375f: ba 00 00 00 00 mov $0x0,%edx 403764: b8 3d 00 00 00 mov $0x3d,%eax 403769: 89 c1 mov %eax,%ecx 40376b: 89 d0 mov %edx,%eax 40376d: f3 ab repz stos %eax,%es:(%edi) 40376f: c7 85 c4 fe ff ff 00 movl $0x0,0xfffffec4(%ebp) 403776: 00 00 00 403779: 83 7d 08 00 cmpl $0x0,0x8(%ebp) 40377d: 0f 84 90 00 00 00 je 403813 <_SmConnectApiPort@16+0xd3> 403783: 8b 45 08 mov 0x8(%ebp),%eax 403786: 66 81 38 f0 00 cmpw $0xf0,(%eax) 40378b: 76 0f jbe 40379c <_SmConnectApiPort@16+0x5c> 40378d: c7 85 c0 fe ff ff ef movl $0xc00000ef,0xfffffec0(%ebp) 403794: 00 00 c0 403797: e9 ed 00 00 00 jmp 403889 <_SmConnectApiPort@16+0x149> 40379c: 83 7d 0c 00 cmpl $0x0,0xc(%ebp) 4037a0: 74 07 je 4037a9 <_SmConnectApiPort@16+0x69> 4037a2: 66 83 7d f6 00 cmpw $0x0,0xfffffff6(%ebp) 4037a7: 75 0f jne 4037b8 <_SmConnectApiPort@16+0x78> 4037a9: c7 85 c0 fe ff ff 30 movl $0xc0000030,0xfffffec0(%ebp) 4037b0: 00 00 c0 4037b3: e9 d1 00 00 00 jmp 403889 <_SmConnectApiPort@16+0x149> 4037b8: 83 ec 08 sub $0x8,%esp 4037bb: 68 f4 00 00 00 push $0xf4 4037c0: 8d 85 c8 fe ff ff lea 0xfffffec8(%ebp),%eax 4037c6: 50 push %eax 4037c7: e8 54 02 00 00 call 403a20 _RtlZeroMemory@8 4037cc: 83 c4 08 add $0x8,%esp 4037cf: 66 c7 85 ca fe ff ff movw $0x0,0xfffffeca(%ebp) 4037d6: 00 00 4037d8: 66 8b 45 f6 mov 0xfffffff6(%ebp),%ax 4037dc: 66 89 85 c8 fe ff ff mov %ax,0xfffffec8(%ebp) 4037e3: 8b 45 08 mov 0x8(%ebp),%eax 4037e6: 66 83 38 00 cmpw $0x0,(%eax) 4037ea: 74 27 je 403813 <_SmConnectApiPort@16+0xd3> 4037ec: 83 ec 04 sub $0x4,%esp 4037ef: 8b 45 08 mov 0x8(%ebp),%eax 4037f2: 66 8b 00 mov (%eax),%ax 4037f5: 25 ff ff 00 00 and $0xffff,%eax 4037fa: 50 push %eax 4037fb: 8b 45 08 
mov 0x8(%ebp),%eax 4037fe: ff 70 04 pushl 0x4(%eax) 403801: 8d 85 c8 fe ff ff lea 0xfffffec8(%ebp),%eax 403807: 83 c0 04 add $0x4,%eax 40380a: 50 push %eax 40380b: e8 90 02 00 00 call 403aa0 <_memcpy> 403810: 83 c4 10 add $0x10,%esp 403813: c7 85 c4 fe ff ff f4 movl $0xf4,0xfffffec4(%ebp) 40381a: 00 00 00 40381d: c7 45 d8 0c 00 00 00 movl $0xc,0xffffffd8(%ebp) 403824: c7 45 dc 01 00 00 00 movl $0x1,0xffffffdc(%ebp) 40382b: c6 45 e0 01 movb $0x1,0xffffffe0(%ebp) 40382f: c6 45 e1 01 movb $0x1,0xffffffe1(%ebp) 403833: 83 ec 08 sub $0x8,%esp 403836: 68 60 5e 40 00 push $0x405e60 40383b: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 40383e: 50 push %eax 40383f: e8 4c 01 00 00 call 403990 _RtlInitUnicodeString@8 403844: 83 c4 08 add $0x8,%esp 403847: 8d 85 c4 fe ff ff lea 0xfffffec4(%ebp),%eax 40384d: 50 push %eax 40384e: 8d 85 c8 fe ff ff lea 0xfffffec8(%ebp),%eax 403854: 50 push %eax 403855: 6a 00 push $0x0 403857: 6a 00 push $0x0 403859: 6a 00 push $0x0 40385b: 8d 45 d8 lea 0xffffffd8(%ebp),%eax 40385e: 50 push %eax 40385f: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 403862: 50 push %eax 403863: ff 75 14 pushl 0x14(%ebp) 403866: e8 25 03 00 00 call 403b90 _NtConnectPort@32 40386b: 89 45 d4 mov %eax,0xffffffd4(%ebp) 40386e: 83 7d d4 00 cmpl $0x0,0xffffffd4(%ebp) 403872: 78 0c js 403880 <_SmConnectApiPort@16+0x140> 403874: c7 85 c0 fe ff ff 00 movl $0x0,0xfffffec0(%ebp) 40387b: 00 00 00 40387e: eb 09 jmp 403889 <_SmConnectApiPort@16+0x149> 403880: 8b 45 d4 mov 0xffffffd4(%ebp),%eax 403883: 89 85 c0 fe ff ff mov %eax,0xfffffec0(%ebp) 403889: 8b 85 c0 fe ff ff mov 0xfffffec0(%ebp),%eax 40388f: 8b 7d fc mov 0xfffffffc(%ebp),%edi 403892: c9 leave 403893: c2 10 00 ret $0x10 403896: 90 nop 403897: 90 nop 403898: 90 nop 403899: 90 nop 40389a: 90 nop 40389b: 90 nop 40389c: 90 nop 40389d: 90 nop 40389e: 90 nop 40389f: 90 nop
004038a0 _SmExecuteProgram@8: 4038a0: 55 push %ebp 4038a1: 89 e5 mov %esp,%ebp 4038a3: 81 ec 98 00 00 00 sub $0x98,%esp 4038a9: 8b 45 0c mov 0xc(%ebp),%eax 4038ac: 66 83 38 40 cmpw $0x40,(%eax) 4038b0: 76 0f jbe 4038c1 <_SmExecuteProgram@8+0x21> 4038b2: c7 85 74 ff ff ff 0d movl $0xc000000d,0xffffff74(%ebp) 4038b9: 00 00 c0 4038bc: e9 a4 00 00 00 jmp 403965 <_SmExecuteProgram@8+0xc5> 4038c1: 83 ec 08 sub $0x8,%esp 4038c4: 6a 6c push $0x6c 4038c6: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 4038cc: 50 push %eax 4038cd: e8 4e 01 00 00 call 403a20 _RtlZeroMemory@8 4038d2: 83 c4 08 add $0x8,%esp 4038d5: 8b 45 0c mov 0xc(%ebp),%eax 4038d8: 66 8b 00 mov (%eax),%ax 4038db: 25 ff ff 00 00 and $0xffff,%eax 4038e0: 89 45 98 mov %eax,0xffffff98(%ebp) 4038e3: 83 ec 04 sub $0x4,%esp 4038e6: 8b 45 0c mov 0xc(%ebp),%eax 4038e9: 66 8b 00 mov (%eax),%ax 4038ec: 25 ff ff 00 00 and $0xffff,%eax 4038f1: 50 push %eax 4038f2: 8b 45 0c mov 0xc(%ebp),%eax 4038f5: ff 70 04 pushl 0x4(%eax) 4038f8: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 4038fe: 83 c0 24 add $0x24,%eax 403901: 50 push %eax 403902: e8 99 01 00 00 call 403aa0 <_memcpy> 403907: 83 c4 10 add $0x10,%esp 40390a: c7 45 90 04 00 00 00 movl $0x4,0xffffff90(%ebp) 403911: 66 c7 85 7c ff ff ff movw $0x0,0xffffff7c(%ebp) 403918: 00 00 40391a: 66 c7 85 78 ff ff ff movw $0x54,0xffffff78(%ebp) 403921: 54 00 403923: 66 c7 85 7a ff ff ff movw $0x6c,0xffffff7a(%ebp) 40392a: 6c 00 40392c: 83 ec 04 sub $0x4,%esp 40392f: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 403935: 50 push %eax 403936: 8d 85 78 ff ff ff lea 0xffffff78(%ebp),%eax 40393c: 50 push %eax 40393d: ff 75 08 pushl 0x8(%ebp) 403940: e8 cb 03 00 00 call 403d10 _NtRequestWaitReplyPort@12 403945: 83 c4 04 add $0x4,%esp 403948: 89 45 f4 mov %eax,0xfffffff4(%ebp) 40394b: 83 7d f4 00 cmpl $0x0,0xfffffff4(%ebp) 40394f: 78 0b js 40395c <_SmExecuteProgram@8+0xbc> 403951: 8b 45 94 mov 0xffffff94(%ebp),%eax 403954: 89 85 74 ff ff ff mov %eax,0xffffff74(%ebp) 40395a: eb 09 jmp 403965 
<_SmExecuteProgram@8+0xc5> 40395c: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 40395f: 89 85 74 ff ff ff mov %eax,0xffffff74(%ebp) 403965: 8b 85 74 ff ff ff mov 0xffffff74(%ebp),%eax 40396b: c9 leave 40396c: c2 08 00 ret $0x8 40396f: 90 nop
00403970 _NtQueryInformationProcess@20: 403970: ff 25 68 71 40 00 jmp *0x407168 403976: 90 nop 403977: 90 nop ...
00403980 _NtTerminateThread@8: 403980: ff 25 80 71 40 00 jmp *0x407180 403986: 90 nop 403987: 90 nop ...
00403990 _RtlInitUnicodeString@8: 403990: ff 25 c4 71 40 00 jmp *0x4071c4 403996: 90 nop 403997: 90 nop ...
004039a0 _NtOpenEvent@12: 4039a0: ff 25 58 71 40 00 jmp *0x407158 4039a6: 90 nop 4039a7: 90 nop ...
004039b0 _NtPulseEvent@8: 4039b0: ff 25 64 71 40 00 jmp *0x407164 4039b6: 90 nop 4039b7: 90 nop ...
004039c0 _NtWaitForSingleObject@12: 4039c0: ff 25 84 71 40 00 jmp *0x407184 4039c6: 90 nop 4039c7: 90 nop ...
004039d0 _NtClose@4: 4039d0: ff 25 2c 71 40 00 jmp *0x40712c 4039d6: 90 nop 4039d7: 90 nop ...
004039e0 <_DbgPrint>: 4039e0: ff 25 20 71 40 00 jmp *0x407120 4039e6: 90 nop 4039e7: 90 nop ...
004039f0 _RtlCreateHeap@24: 4039f0: ff 25 98 71 40 00 jmp *0x407198 4039f6: 90 nop 4039f7: 90 nop ...
00403a00 _RtlCreateEnvironment@8: 403a00: ff 25 94 71 40 00 jmp *0x407194 403a06: 90 nop 403a07: 90 nop ...
00403a10 _RtlSetEnvironmentVariable@12: 403a10: ff 25 d4 71 40 00 jmp *0x4071d4 403a16: 90 nop 403a17: 90 nop ...
00403a20 _RtlZeroMemory@8: 403a20: ff 25 d8 71 40 00 jmp *0x4071d8 403a26: 90 nop 403a27: 90 nop ...
00403a30 _RtlQueryRegistryValues@20: 403a30: ff 25 d0 71 40 00 jmp *0x4071d0 403a36: 90 nop 403a37: 90 nop ...
00403a40 <_wcscpy>: 403a40: ff 25 00 72 40 00 jmp *0x407200 403a46: 90 nop 403a47: 90 nop ...
00403a50 _ZwCreateDirectoryObject@12: 403a50: ff 25 dc 71 40 00 jmp *0x4071dc 403a56: 90 nop 403a57: 90 nop ...
00403a60 _NtCreateSymbolicLinkObject@16: 403a60: ff 25 48 71 40 00 jmp *0x407148 403a66: 90 nop 403a67: 90 nop ...
00403a70 <_swprintf>: 403a70: ff 25 f0 71 40 00 jmp *0x4071f0 403a76: 90 nop 403a77: 90 nop ...
00403a80 <_wcscat>: 403a80: ff 25 f8 71 40 00 jmp *0x4071f8 403a86: 90 nop 403a87: 90 nop ...
00403a90 <_wcslen>: 403a90: ff 25 04 72 40 00 jmp *0x407204 403a96: 90 nop 403a97: 90 nop ...
00403aa0 <_memcpy>: 403aa0: ff 25 ec 71 40 00 jmp *0x4071ec 403aa6: 90 nop 403aa7: 90 nop ...
00403ab0 <_wcschr>: 403ab0: ff 25 fc 71 40 00 jmp *0x4071fc 403ab6: 90 nop 403ab7: 90 nop ...
00403ac0 _NtOpenFile@24: 403ac0: ff 25 5c 71 40 00 jmp *0x40715c 403ac6: 90 nop 403ac7: 90 nop ...
00403ad0 _LdrVerifyImageMatchesChecksum@16: 403ad0: ff 25 24 71 40 00 jmp *0x407124 403ad6: 90 nop 403ad7: 90 nop ...
00403ae0 _NtRaiseHardError@24: 403ae0: ff 25 70 71 40 00 jmp *0x407170 403ae6: 90 nop 403ae7: 90 nop ...
00403af0 _NtCreateSection@28: 403af0: ff 25 44 71 40 00 jmp *0x407144 403af6: 90 nop 403af7: 90 nop ...
00403b00 _NtCreateDirectoryObject@12: 403b00: ff 25 38 71 40 00 jmp *0x407138 403b06: 90 nop 403b07: 90 nop ...
00403b10 _RtlDosPathNameToNtPathName_U@16: 403b10: ff 25 ac 71 40 00 jmp *0x4071ac 403b16: 90 nop 403b17: 90 nop ...
00403b20 <__wcsicmp>: 403b20: ff 25 e8 71 40 00 jmp *0x4071e8 403b26: 90 nop 403b27: 90 nop ...
00403b30 _NtCreatePagingFile@16: 403b30: ff 25 3c 71 40 00 jmp *0x40713c 403b36: 90 nop 403b37: 90 nop ...
00403b40 _RtlFreeUnicodeString@4: 403b40: ff 25 bc 71 40 00 jmp *0x4071bc 403b46: 90 nop 403b47: 90 nop ...
00403b50 _RtlCheckRegistryKey@8: 403b50: ff 25 90 71 40 00 jmp *0x407190 403b56: 90 nop 403b57: 90 nop ...
00403b60 <_wcstoul>: 403b60: ff 25 08 72 40 00 jmp *0x407208 403b66: 90 nop 403b67: 90 nop ...
00403b70 _NtSetSystemInformation@12: 403b70: ff 25 7c 71 40 00 jmp *0x40717c 403b76: 90 nop 403b77: 90 nop ...
00403b80 _NtInitializeRegistry@4: 403b80: ff 25 50 71 40 00 jmp *0x407150 403b86: 90 nop 403b87: 90 nop ...
00403b90 _NtConnectPort@32: 403b90: ff 25 34 71 40 00 jmp *0x407134 403b96: 90 nop 403b97: 90 nop ...
00403ba0 _NtReplyWaitReceivePort@16: 403ba0: ff 25 74 71 40 00 jmp *0x407174 403ba6: 90 nop 403ba7: 90 nop ...
00403bb0 _NtAcceptConnectPort@24: 403bb0: ff 25 28 71 40 00 jmp *0x407128 403bb6: 90 nop 403bb7: 90 nop ...
00403bc0 _NtCompleteConnectPort@4: 403bc0: ff 25 30 71 40 00 jmp *0x407130 403bc6: 90 nop 403bc7: 90 nop ...
00403bd0 _RtlCreateUserThread@40: 403bd0: ff 25 a4 71 40 00 jmp *0x4071a4 403bd6: 90 nop 403bd7: 90 nop ...
00403be0 _NtListenPort@8: 403be0: ff 25 54 71 40 00 jmp *0x407154 403be6: 90 nop 403be7: 90 nop ...
00403bf0 _NtCreatePort@20: 403bf0: ff 25 40 71 40 00 jmp *0x407140 403bf6: 90 nop 403bf7: 90 nop ...
00403c00 _RtlCreateProcessParameters@40: 403c00: ff 25 9c 71 40 00 jmp *0x40719c 403c06: 90 nop 403c07: 90 nop ...
00403c10 _RtlCreateUserProcess@40: 403c10: ff 25 a0 71 40 00 jmp *0x4071a0 403c16: 90 nop 403c17: 90 nop ...
00403c20 _RtlDestroyProcessParameters@4: 403c20: ff 25 a8 71 40 00 jmp *0x4071a8 403c26: 90 nop 403c27: 90 nop ...
00403c30 _ZwResumeThread@8: 403c30: ff 25 e4 71 40 00 jmp *0x4071e4 403c36: 90 nop 403c37: 90 nop ...
00403c40 _NtOpenKey@12: 403c40: ff 25 60 71 40 00 jmp *0x407160 403c46: 90 nop 403c47: 90 nop ...
00403c50 _NtQueryValueKey@24: 403c50: ff 25 6c 71 40 00 jmp *0x40716c 403c56: 90 nop 403c57: 90 nop ...
00403c60 _RtlExpandEnvironmentStrings_U@16: 403c60: ff 25 b4 71 40 00 jmp *0x4071b4 403c66: 90 nop 403c67: 90 nop ...
00403c70 _RtlInitializeCriticalSection@4: 403c70: ff 25 c8 71 40 00 jmp *0x4071c8 403c76: 90 nop 403c77: 90 nop ...
00403c80 _RtlEnterCriticalSection@4: 403c80: ff 25 b0 71 40 00 jmp *0x4071b0 403c86: 90 nop 403c87: 90 nop ...
00403c90 _RtlLeaveCriticalSection@4: 403c90: ff 25 cc 71 40 00 jmp *0x4071cc 403c96: 90 nop 403c97: 90 nop ...
00403ca0 _RtlAllocateHeap@12: 403ca0: ff 25 88 71 40 00 jmp *0x407188 403ca6: 90 nop 403ca7: 90 nop ...
00403cb0 _RtlFreeHeap@12: 403cb0: ff 25 b8 71 40 00 jmp *0x4071b8 403cb6: 90 nop 403cb7: 90 nop ...
00403cc0 _ZwDisplayString@4: 403cc0: ff 25 e0 71 40 00 jmp *0x4071e0 403cc6: 90 nop 403cc7: 90 nop ...
00403cd0 _RtlInitAnsiString@8: 403cd0: ff 25 c0 71 40 00 jmp *0x4071c0 403cd6: 90 nop 403cd7: 90 nop ...
00403ce0 _RtlAnsiStringToUnicodeString@12: 403ce0: ff 25 8c 71 40 00 jmp *0x40718c 403ce6: 90 nop 403ce7: 90 nop ...
00403cf0 _NtDisplayString@4: 403cf0: ff 25 4c 71 40 00 jmp *0x40714c 403cf6: 90 nop 403cf7: 90 nop ...
00403d00 <_vsprintf>: 403d00: ff 25 f4 71 40 00 jmp *0x4071f4 403d06: 90 nop 403d07: 90 nop ...
00403d10 _NtRequestWaitReplyPort@12: 403d10: ff 25 78 71 40 00 jmp *0x407178 403d16: 90 nop 403d17: 90 nop ...
00403d20 <___chkstk>: 403d20: 51 push %ecx 403d21: 89 e1 mov %esp,%ecx 403d23: 83 c1 08 add $0x8,%ecx
00403d26 <probe>: 403d26: 3d 00 10 00 00 cmp $0x1000,%eax 403d2b: 72 10 jb 403d3d <done> 403d2d: 81 e9 00 10 00 00 sub $0x1000,%ecx 403d33: 83 09 00 orl $0x0,(%ecx) 403d36: 2d 00 10 00 00 sub $0x1000,%eax 403d3b: eb e9 jmp 403d26 <probe>
00403d3d <done>: 403d3d: 29 c1 sub %eax,%ecx 403d3f: 83 09 00 orl $0x0,(%ecx) 403d42: 89 e0 mov %esp,%eax 403d44: 89 cc mov %ecx,%esp 403d46: 8b 08 mov (%eax),%ecx 403d48: 8b 40 04 mov 0x4(%eax),%eax 403d4b: ff e0 jmp *%eax 403d4d: 90 nop 403d4e: 90 nop 403d4f: 90 nop
00403d50 <__CTOR_LIST__>: 403d50: ff (bad) 403d51: ff (bad) 403d52: ff (bad) 403d53: ff 00 incl (%eax) 403d55: 00 00 add %al,(%eax) ...
00403d58 <__DTOR_LIST__>: 403d58: ff (bad) 403d59: ff (bad) 403d5a: ff (bad) 403d5b: ff 00 incl (%eax) 403d5d: 00 00 add %al,(%eax) ...
Hi
I'm getting a similar crash under QEmu.
Cheers Jason
On 4/14/05, Gedi gedi@ntlworld.com wrote:
Source taken from HEAD just before Casper took it down for the rebuild.
Initially it was hanging just after the splash so I rebuilt with DGB to see if I could glean more info.
Now it crashes upon install, just before it goes to the GUI config.
Here is a screenshot of the crash http://homepage.ntlworld.com/gedmurphy/crash.jpg
I have attached the map files for smss. I would have stuck on one for ntoskrnl too, but it's a little large. I can stick it on along with anything else if someone wants it.
Regards,
Ged.
On the 13th, in QEmu I had a stop due to serial.sys http://users.libero.it/ea/ros/qemu-ros-200504130002.jpg On IRC, Hervé said he's working on it.
Jason Filby wrote:
Hi
I'm getting a similar crash under QEmu.
Cheers Jason
On 4/14/05, Gedi gedi@ntlworld.com wrote:
Source taken from HEAD just before Casper took it down for the rebuild.
Initially it was hanging just after the splash so I rebuilt with DGB to see if I could glean more info.
Now it crashes upon install, just before it goes to the GUI config.
Here is a screenshot of the crash http://homepage.ntlworld.com/gedmurphy/crash.jpg
I have attached the map files for smss. I would have stuck on one for ntoskrnl too, but it's a little large.
The map file is for the production SM; the one in the blue screen is the 1st stage (text) setup program (on the boot disk it gets renamed so that it is run by ntoskrnl, with no other changes).
Emanuele